Enterprise compliance FAQ

Clear answers for security reviews before the questionnaire gets stuck.

SecureDynamics supports Zscaler-focused distribution, deployment, training, managed services, health checks, and lifecycle adoption. We are not the Zscaler cloud platform, and we do not generally host or process customer traffic as a SaaS data processor. When buyers ask for SOC 2, FIPS, ISO, HIPAA, PCI, or similar artifacts, the formal platform evidence typically belongs with Zscaler.

Role

Zscaler-focused services partner, not a replacement cloud security platform.

Data

Limited service, project, support, and business contact information by scope.

Evidence

Zscaler owns formal platform certifications and product audit artifacts.

Review

We help route the right request to the right owner so diligence keeps moving.

The short answer

Most enterprise compliance questions are really asking who owns the risk.

For a standard Zscaler services engagement, SecureDynamics helps customers and partners deploy, operate, review, and adopt Zscaler. We do not generally provide the cloud enforcement platform, run the Zscaler data centers, or process customer traffic as the system of record.

That means product certifications such as SOC 2 Type 2, ISO/IEC 27001, FIPS, PCI DSS, HIPAA, and privacy framework artifacts should usually be reviewed through Zscaler's Compliance Center or the customer's Zscaler account team. SecureDynamics can still answer questions about our services role, access practices, project materials, privacy policy, confidentiality, support process, and how we coordinate with Zscaler-owned evidence.

For healthcare customers, SecureDynamics will sign the customer's Business Associate Agreement when their review process requires one for the engagement. We also sign mutual NDAs, generally using the customer-provided mutual NDA. This is true even though our ordinary model does not store, process, or collect data from customer applications; SecureDynamics generally handles business contact information as described in our privacy policy and limited project or support context provided by the customer.

Evidence map

Send each request to the owner that can answer it cleanly.

Bigger companies often ask the same questions in different words. This map keeps the answer factual and reduces the back-and-forth.

SecureDynamics answers

  • Service scope and delivery model
  • Limited data we may receive during a project
  • Access expectations, least-privilege coordination, and customer approval gates
  • Business contact data and website privacy questions
  • Confidentiality, project handling, escalation, and support process
  • Mutual NDAs and healthcare BAAs for the engagement

Zscaler answers

  • SOC 2 Type 2 and SOC 3 reports
  • ISO/IEC 27001, 27017, 27018, 27701, and ISO 22301 evidence
  • FIPS, HIPAA, PCI DSS, GDPR, C5, IRAP, HITRUST, and regional programs where applicable
  • DPA, subprocessors, vulnerability scans, pentest report request process, and product security reports
  • BC/DR, SIG Lite, pooled audits, and third-party assessments

Customer answers

  • Who can grant tenant access
  • Which logs, screenshots, or configuration exports can be shared
  • Change windows and approval workflows
  • Internal data classification rules
  • Whether a DPA, NDA, MSA, PO, or security addendum is required for the specific scope

Common enterprise requests

What larger companies are usually looking for

Use these answers as the starting point for vendor risk, security, legal, privacy, and procurement conversations.

SOC 2 and ISO evidence

Zscaler's platform evidence is the relevant source for Zscaler cloud services. SecureDynamics can explain our services scope and whether we handle any customer-provided materials outside Zscaler.

FIPS, FedRAMP, and public sector language

If the question is about cryptographic modules, government authorization, or platform requirements, route the request to Zscaler evidence and the Zscaler account team for the applicable product and tenant.

HIPAA, PCI DSS, GDPR, and privacy

Determine whether SecureDynamics will receive personal data, regulated data, or only business/project context. For healthcare customers, SecureDynamics will sign the customer's BAA when required for the engagement. Zscaler's DPA and privacy materials apply to Zscaler services; SecureDynamics scope should be handled in the project agreement.

Pentest and vulnerability reports

Product-level pentest, vulnerability, and security reports should be requested through Zscaler's documented process. SecureDynamics can support the customer conversation but should not substitute informal artifacts for those official reports.

BC/DR and service availability

Zscaler owns the platform continuity, disaster recovery, and service-level evidence for Zscaler products. SecureDynamics can discuss how we schedule support, escalation, and customer communication for services work.

Subprocessors and data transfers

For Zscaler customer data, use Zscaler's subprocessors and DPA materials. For SecureDynamics business operations, use the applicable contract, mutual NDA, privacy policy, and scoped service discussion.

Security questionnaire or SIG Lite

When the questionnaire asks about the platform, reference Zscaler's SIG Lite and compliance artifacts. When it asks about SecureDynamics operations, answer only for our service role and the specific engagement.

Access control and admin permissions

Customer teams control tenant access. SecureDynamics should receive only the access required for the work, for the needed time, with customer approval and revocation handled by the customer.

Data boundary

What SecureDynamics typically does and does not touch

This is the practical distinction that security teams need before they decide which artifacts are relevant.

Usually in scope

  • Business contact details and meeting context
  • Project plans, workshop notes, and implementation decisions
  • Customer-approved screenshots, exports, logs, or configuration details when needed for support
  • Training rosters, attendance, course coordination, and support tickets
  • Health-check findings, remediation notes, and adoption planning documents
  • Customer-provided mutual NDAs and healthcare BAAs when required for the engagement

Usually out of scope

  • Hosting Zscaler enforcement infrastructure
  • Processing end-user traffic as the Zscaler cloud service
  • Maintaining Zscaler product SOC 2, ISO, FIPS, or PCI evidence
  • Storing, processing, or collecting data from customer applications as part of our ordinary service model
  • Owning the customer's tenant access policies or internal approvals
  • Replacing Zscaler's official product security, privacy, legal, or compliance artifacts

Questionnaire-ready language

Suggested answers when the form asks a yes-or-no question that needs nuance.

These are starting points. Final wording should match the contract, service scope, and customer-specific facts.

Question: Do you have SOC 2?

Suggested response: SecureDynamics provides Zscaler-focused services and support. We do not generally operate the Zscaler cloud platform or process customer traffic as a SaaS provider. For Zscaler product and cloud service SOC 2 evidence, please use Zscaler's Compliance Center or request access through the Zscaler account team. SecureDynamics can answer service-scope and data-handling questions for the specific engagement.

Question: Will you process customer data?

Suggested response: For standard deployment, support, training, and lifecycle work, SecureDynamics generally handles business contact information and customer-provided project or support context. We do not store, process, or collect data from customer applications as part of our ordinary service model, and we do not need unnecessary regulated data, secrets, passwords, private keys, or end-user traffic data. If a project requires customer-provided logs, screenshots, or configuration exports, the customer should approve the sharing method and scope.

Question: Do you have FIPS, FedRAMP, HIPAA, or PCI artifacts?

Suggested response: Those requirements usually apply to the Zscaler product, cloud service, tenant, or customer use case rather than to SecureDynamics as a services partner. SecureDynamics can help route the request to Zscaler-owned evidence and clarify what our team will or will not access during the engagement.

Question: Can we review your privacy policy?

Suggested response: Yes. SecureDynamics maintains a public website privacy policy for business contact, website, inquiry, and related B2B information. For Zscaler service data processing terms, use Zscaler's DPA and privacy documentation.

Question: Will you sign our NDA or BAA?

Suggested response: Yes. SecureDynamics will sign mutual NDAs, generally on the customer's mutual NDA form. For healthcare customers, SecureDynamics will sign the customer's Business Associate Agreement when their review process requires one for the engagement.

Review path

How we keep enterprise diligence moving

  1. Confirm the engagement

     Identify whether SecureDynamics is supporting distribution, deployment, training, managed services, health checks, ZBoost, AI-assisted analysis, or another scoped service.

  2. Separate platform from services

     Determine whether the question is about the Zscaler cloud platform, SecureDynamics services, customer tenant administration, or procurement paperwork.

  3. Route evidence to the right owner

     Use Zscaler-owned compliance evidence for product/platform questions and SecureDynamics answers for service process, access, privacy, and delivery questions.

  4. Document scope and assumptions

     Keep the answer tied to the actual work, the data being shared, and the contractual route. This prevents overbroad promises and accelerates approval.

FAQ

Questions security, privacy, legal, and procurement teams ask most often

Is SecureDynamics SOC 2 certified?

SecureDynamics does not generally need to present a Zscaler-platform SOC 2 report for standard services work because SecureDynamics is not the Zscaler cloud platform. Zscaler's Compliance Center lists SOC 2 Type 2 and related certifications for Zscaler services. SecureDynamics can answer service-specific process, access, and data-handling questions.

Does SecureDynamics touch customer traffic or regulated data?

Not as part of the normal Zscaler platform data path. SecureDynamics does not store, process, or collect data from customer applications as part of our ordinary service model. In a services engagement, customers may choose to share limited logs, screenshots, exports, or configuration context so SecureDynamics can help troubleshoot or advise. Customers should avoid sharing passwords, private keys, unnecessary regulated data, or sensitive materials outside an approved channel.

Where should we get Zscaler compliance documents?

Start with Zscaler's Compliance Center. Some materials are public, while sensitive reports may require access approval, NDA coverage, or coordination through the Zscaler account team.

Do we need a DPA with SecureDynamics?

It depends on scope. If SecureDynamics will process personal data beyond ordinary B2B contact or project information, the agreement should address that scope. For Zscaler cloud services, customers should review Zscaler's DPA and privacy documentation.

Will SecureDynamics sign a mutual NDA or healthcare BAA?

Yes. SecureDynamics will sign mutual NDAs, generally using the customer-provided mutual NDA. For healthcare customers, SecureDynamics will sign the customer's BAA when the customer's review process requires it for the engagement.

Can SecureDynamics complete a security questionnaire?

Yes, when the questionnaire is scoped correctly. We can answer for SecureDynamics service operations and point platform questions to Zscaler-owned evidence. We should avoid answering Zscaler product control questions as if SecureDynamics owns the platform.

Who controls tenant access?

The customer controls tenant access. SecureDynamics should only receive the permissions needed to perform the agreed work, for the required time, with the customer handling approval, monitoring, and revocation.

Can this page be used as a formal security attestation?

No. This page is a practical FAQ and routing guide. Formal commitments should come from the applicable contract, statement of work, NDA, DPA, security addendum, Zscaler documentation, or customer-approved questionnaire response.

Need context for a review?

SecureDynamics can help route the question before the process slows down.

Send the questionnaire or diligence topic with the deal, customer, service scope, and Zscaler context. We can help separate SecureDynamics service answers from Zscaler-owned platform evidence.

Email: salesops@securedynamics.net

Useful links: Zscaler Compliance Center and SecureDynamics Privacy Policy

This page is a practical orientation guide, not a certification, legal opinion, or substitute for contract terms. Zscaler trademarks, product names, and compliance artifacts belong to Zscaler. Zscaler certification applicability varies by product, service, customer environment, geography, and requested document access. SecureDynamics answers should be tied to the specific scope of work and applicable agreement.