Built for enterprise security reviews

Assignment groups, catalog items, HR services, routing rules, custom table schemas, and system properties. Table API + Aggregate API only.

Ticket content, user PII, attachment data, service catalog request data, or any personally identifiable record fields.

Zero. Zaptik is read-only. The OAuth client credentials grant does not include write scopes.

itil_reader or equivalent read-only role. Full role list in the integration guide.

AES-256-GCM. Each credential encrypted with a per-deployment key before storage. Keys stored separately from encrypted values.

Railway-managed PostgreSQL with encryption at rest. Credentials never written to logs or returned in API responses.

TLS 1.2+ for all connections. OAuth tokens cached in memory with a 60-second expiry buffer — never persisted to disk.

Row-Level Security (RLS) enforced in PostgreSQL. The application role cannot query another tenant's rows without explicitly setting the tenant context.

Each customer's graph data lives in a dedicated PostgreSQL schema (tenant_{instance}). Cross-tenant queries are architecturally impossible.

App connects as zaptik_app — no superuser privileges, no BYPASSRLS. RLS is always enforced, even in internal operations.

Every API action written to a durable append-only audit_events table in PostgreSQL and to Railway log retention. No deletions or updates to audit rows.

In progress. Expected Q4 2026. Controls cover Security trust service criteria.

Audit events: 2 years. Graph revisions: 1 year. Customer data deleted within 30 days of offboarding on written request.