Encrypted in transit
Every request to 99zebras is served over TLS. Nothing is accepted over plain HTTP.
TLSSecurity
99zebras holds legal evidence on your behalf. Here is how it is encrypted, isolated, and kept tamper-evident — and who we rely on to run it.
Controls
The same properties that make a record stand up in a dispute are the ones that protect it day to day.
Every request to 99zebras is served over TLS. Nothing is accepted over plain HTTP.
TLSPersonal data is encrypted with authenticated encryption under envelope keys, held separately from the evidence itself.
AES-256-GCMEach acceptance is hashed and signed on our servers the moment it lands, so a tampered client cannot forge a valid record.
SHA-256 · Ed25519A third-party timestamp authority co-signs the moment of acceptance, so the time does not rest on our clock or yours.
RFC 3161Every record is scoped to your account at the database layer, not only in application code.
Row-level securityRecords are written once and never edited in place; sealed bundles sit in immutable, object-locked storage.
Object LockPersonal data can be cryptographically erased on request without destroying the record that an acceptance happened.
Access and changes are recorded in an immutable audit log, and legal holds preserve specific records when required.
If your team needs to assess 99zebras before you adopt it, we are glad to help — security questionnaires, a walk-through of the controls above, our current sub-processor list, and the documentation your review requires.
Contact usFound a security issue? Email security@99zebras.com. We will acknowledge your report and keep you updated on the fix. Please give us a reasonable window to resolve it before disclosing publicly.
99zebras
The strongest security control is that the record does not depend on us. Every acceptance is independently verifiable, by anyone, without an account.