Security & isolation
Isolation is enforced by infrastructure boundaries, not application logic — so a cross-tenant leak is structurally impossible.
Per-tenant isolation
Each customer runs in its own Firecracker microVM (AWS Fargate) — separate kernel, memory, filesystem, and IAM role. A tenant can never reach another tenant's data.
Your own Claude subscription
You connect your own Claude account inside your container. Your token and conversations are stored only within your isolated boundary — never shared, never used for another customer.
Encryption
Secrets and configuration are encrypted at rest with per-tenant keys; all transit is TLS. Conversation memory lives on an encrypted, per-tenant volume.
Least privilege
Each tenant's IAM role is scoped to only its own secret and storage. The control plane is tokenless for customer credentials.
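One way to audit that scoping against a tenant role's policy document, as an added example that is not OpenZaina's own code. It assumes a hypothetical naming convention in which every tenant resource ARN contains a `tenants/<tenant_id>/` segment, and that storage is an S3 prefix; the sample policy, account ID and names are constructed.

```python
def _as_list(value):
    """IAM accepts a single string/object wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_tenant_policy(policy, tenant_id):
    """Return findings for Allow statements that reach past one tenant's resources."""
    marker = f"tenants/{tenant_id}/"  # assumed convention; trailing slash stops t-4 matching t-42
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", f"#{i}")
        if "NotResource" in stmt or "NotAction" in stmt:
            findings.append(f"{sid}: NotResource/NotAction allows everything not listed")
        for res in _as_list(stmt.get("Resource")):
            head, found, _ = res.partition(marker)
            if not found:
                findings.append(f"{sid}: {res} is not under {marker}")
            elif "*" in head or "?" in head:
                # A wildcard earlier in the ARN can match other buckets or accounts.
                findings.append(f"{sid}: wildcard before tenant segment in {res}")
    return findings


# Constructed sample policy for hypothetical tenant "t-42".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnSecret", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:"
                     "secret:tenants/t-42/claude-token-*"},
        {"Sid": "OwnStorage", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-tenant-data/tenants/t-42/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::example-tenant-data/tenants/*",
                      "arn:aws:s3:::example-tenant-data/tenants/t-4*"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_tenant_policy(SAMPLE_POLICY, "t-42"):
        print(finding)
```

Only the `TooBroad` statement is reported for tenant `t-42`; the two correctly scoped statements pass.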
Approval gates
Destructive tool calls require explicit human approval in Slack. Reads are auto-approved; sends and writes pause until a human approves them.
Responsible disclosure
Found something? Email security@openzaina.com. We publish a security.txt and respond promptly.
SOC 2 Type II is on our roadmap. For a current security overview or a DPA, contact our team.