Zscaler-focused services partner, not a replacement cloud security platform.
Enterprise compliance FAQ
Clear answers for security reviews before the questionnaire gets stuck.
SecureDynamics supports Zscaler-focused distribution, deployment, training, managed services, health checks, and lifecycle adoption. We are not the Zscaler cloud platform, and we do not generally host or process customer traffic as a SaaS data processor. When buyers ask for SOC 2, FIPS, ISO, HIPAA, PCI, or similar artifacts, the formal platform evidence typically belongs with Zscaler.
Limited service, project, support, and business contact information by scope.
Zscaler owns formal platform certifications and product audit artifacts.
We help route the right request to the right owner so diligence keeps moving.
The short answer
Most enterprise compliance questions are really asking who owns the risk.
For a standard Zscaler services engagement, SecureDynamics helps customers and partners deploy, operate, review, and adopt Zscaler. We do not generally provide the cloud enforcement platform, run the Zscaler data centers, or process customer traffic as the system of record.
That means product certifications such as SOC 2 Type 2, ISO/IEC 27001, FIPS, PCI DSS, HIPAA, and privacy framework artifacts should usually be reviewed through Zscaler's Compliance Center or the customer's Zscaler account team. SecureDynamics can still answer questions about our services role, access practices, project materials, privacy policy, confidentiality, support process, and how we coordinate with Zscaler-owned evidence.
For healthcare customers, SecureDynamics will sign the customer's Business Associate Agreement when their review process requires one for the engagement. We also sign mutual NDAs, generally using the customer-provided mutual NDA. This is true even though our ordinary model does not store, process, or collect data from customer applications; SecureDynamics generally handles business contact information as described in our privacy policy and limited project or support context provided by the customer.
Evidence map
Send each request to the owner that can answer it cleanly.
Bigger companies often ask the same questions in different words. This map keeps the answer factual and reduces the back-and-forth.
SecureDynamics answers
- Service scope and delivery model
- Limited data we may receive during a project
- Access expectations, least-privilege coordination, and customer approval gates
- Business contact data and website privacy questions
- Confidentiality, project handling, escalation, and support process
- Mutual NDAs and healthcare BAAs for the engagement
Zscaler answers
- SOC 2 Type 2 and SOC 3 reports
- ISO/IEC 27001, 27017, 27018, 27701, and ISO 22301 evidence
- FIPS, HIPAA, PCI DSS, GDPR, C5, IRAP, HITRUST, and regional programs where applicable
- DPA, subprocessors, vulnerability scans, pentest report request process, and product security reports
- BC/DR, SIG Lite, pooled audits, and third-party assessments
Customer answers
- Who can grant tenant access
- Which logs, screenshots, or configuration exports can be shared
- Change windows and approval workflows
- Internal data classification rules
- Whether a DPA, NDA, MSA, PO, or security addendum is required for the specific scope
Common enterprise requests
What larger companies are usually looking for
Use these answers as the starting point for vendor risk, security, legal, privacy, and procurement conversations.
SOC 2 and ISO evidence
Zscaler's platform evidence is the relevant source for Zscaler cloud services. SecureDynamics can explain our services scope and whether we handle any customer-provided materials outside Zscaler.
FIPS, FedRAMP, and public sector language
If the question is about cryptographic modules, government authorization, or platform requirements, route the request to Zscaler evidence and the Zscaler account team for the applicable product and tenant.
HIPAA, PCI DSS, GDPR, and privacy
Determine whether SecureDynamics will receive personal data, regulated data, or only business/project context. For healthcare customers, SecureDynamics will sign the customer's BAA when required for the engagement. Zscaler's DPA and privacy materials apply to Zscaler services; SecureDynamics scope should be handled in the project agreement.
Pentest and vulnerability reports
Product-level pentest, vulnerability, and security reports should be requested through Zscaler's documented process. SecureDynamics can support the customer conversation but should not substitute informal artifacts for those reports.
BC/DR and service availability
Zscaler owns the platform continuity, disaster recovery, and service-level evidence for Zscaler products. SecureDynamics can discuss how we schedule support, escalation, and customer communication for services work.
Subprocessors and data transfers
For Zscaler customer data, use Zscaler's subprocessors and DPA materials. For SecureDynamics business operations, use the applicable contract, mutual NDA, privacy policy, and scoped service discussion.
Security questionnaire or SIG Lite
When the questionnaire asks about the platform, reference Zscaler's SIG Lite and compliance artifacts. When it asks about SecureDynamics operations, answer only for our service role and the specific engagement.
Access control and admin permissions
Customer teams control tenant access. SecureDynamics should receive only the access required for the work, for the needed time, with customer approval and revocation handled by the customer.
Data boundary
What SecureDynamics typically does and does not touch
This is the practical distinction that security teams need before they decide which artifacts are relevant.
What SecureDynamics typically touches
- Business contact details and meeting context
- Project plans, workshop notes, and implementation decisions
- Customer-approved screenshots, exports, logs, or configuration details when needed for support
- Training rosters, attendance, course coordination, and support tickets
- Health-check findings, remediation notes, and adoption planning documents
- Customer-provided mutual NDAs and healthcare BAAs when required for the engagement
What SecureDynamics does not do
- Hosting Zscaler enforcement infrastructure
- Processing end-user traffic as the Zscaler cloud service
- Maintaining Zscaler product SOC 2, ISO, FIPS, or PCI evidence
- Storing, processing, or collecting data from customer applications as part of our ordinary service model
- Owning the customer's tenant access policies or internal approvals
- Replacing Zscaler's official product security, privacy, legal, or compliance artifacts
Questionnaire-ready language
Suggested answers when the form asks a yes-or-no question that needs nuance.
These are starting points. Final wording should match the contract, service scope, and customer-specific facts.
SecureDynamics provides Zscaler-focused services and support. We do not generally operate the Zscaler cloud platform or process customer traffic as a SaaS provider. For Zscaler product and cloud service SOC 2 evidence, please use Zscaler's Compliance Center or request access through the Zscaler account team. SecureDynamics can answer service-scope and data-handling questions for the specific engagement.
For standard deployment, support, training, and lifecycle work, SecureDynamics generally handles business contact information and customer-provided project or support context. We do not store, process, or collect data from customer applications as part of our ordinary service model, and we do not need unnecessary regulated data, secrets, passwords, private keys, or end-user traffic data. If a project requires customer-provided logs, screenshots, or configuration exports, the customer should approve the sharing method and scope.
Those requirements usually apply to the Zscaler product, cloud service, tenant, or customer use case rather than SecureDynamics as a services partner. SecureDynamics can help route the request to Zscaler-owned evidence and clarify what our team will or will not access during the engagement.
Yes. SecureDynamics maintains a public website privacy policy for business contact, website, inquiry, and related B2B information. For Zscaler service data processing terms, use Zscaler's DPA and privacy documentation.
Yes. SecureDynamics will sign mutual NDAs, generally on the customer's mutual NDA form. For healthcare customers, SecureDynamics will sign the customer's Business Associate Agreement when their review process requires one for the engagement.
Review path
How we keep enterprise diligence moving
- 01. Confirm the engagement: Identify whether SecureDynamics is supporting distribution, deployment, training, managed services, health checks, ZBoost, AI-assisted analysis, or another scoped service.
- 02. Separate platform from services: Determine whether the question is about the Zscaler cloud platform, SecureDynamics services, customer tenant administration, or procurement paperwork.
- 03. Route evidence to the right owner: Use Zscaler-owned compliance evidence for product/platform questions and SecureDynamics answers for service process, access, privacy, and delivery questions.
- 04. Document scope and assumptions: Keep the answer tied to the actual work, the data being shared, and the contractual route. This prevents overbroad promises and accelerates approval.
FAQ
Questions security, privacy, legal, and procurement teams ask most often
Is SecureDynamics SOC 2 certified?
SecureDynamics does not generally need to present a Zscaler-platform SOC 2 report for standard services work because SecureDynamics is not the Zscaler cloud platform. Zscaler's Compliance Center lists SOC 2 Type 2 and related certifications for Zscaler services. SecureDynamics can answer service-specific process, access, and data-handling questions.
Does SecureDynamics touch customer traffic or regulated data?
Not as part of the normal Zscaler platform data path. SecureDynamics does not store, process, or collect data from customer applications as part of our ordinary service model. In a services engagement, customers may choose to share limited logs, screenshots, exports, or configuration context so SecureDynamics can help troubleshoot or advise. Customers should avoid sharing passwords, private keys, unnecessary regulated data, or sensitive materials outside an approved channel.
Where should we get Zscaler compliance documents?
Start with Zscaler's Compliance Center. Some materials are public, while sensitive reports may require access approval, NDA coverage, or coordination through the Zscaler account team.
Do we need a DPA with SecureDynamics?
It depends on scope. If SecureDynamics will process personal data beyond ordinary B2B contact or project information, the agreement should address that scope. For Zscaler cloud services, customers should review Zscaler's DPA and privacy documentation.
Will SecureDynamics sign a mutual NDA or healthcare BAA?
Yes. SecureDynamics will sign mutual NDAs, generally using the customer-provided mutual NDA. For healthcare customers, SecureDynamics will sign the customer's BAA when the customer's review process requires it for the engagement.
Can SecureDynamics complete a security questionnaire?
Yes, when the questionnaire is scoped correctly. We can answer for SecureDynamics service operations and point platform questions to Zscaler-owned evidence. We should avoid answering Zscaler product control questions as if SecureDynamics owns the platform.
Who controls tenant access?
The customer controls tenant access. SecureDynamics should only receive the permissions needed to perform the agreed work, for the required time, with the customer handling approval, monitoring, and revocation.
Can this page be used as a formal security attestation?
No. This page is a practical FAQ and routing guide. Formal commitments should come from the applicable contract, statement of work, NDA, DPA, security addendum, Zscaler documentation, or customer-approved questionnaire response.
Need context for a review?
SecureDynamics can help route the question before the process slows down.
Send the questionnaire or diligence topic with the deal, customer, service scope, and Zscaler context. We can help separate SecureDynamics service answers from Zscaler-owned platform evidence.
Email: salesops@securedynamics.net
Useful links: Zscaler Compliance Center and SecureDynamics Privacy Policy