Trust, security & access governance

You're letting us inside your infrastructure. Here's exactly how that works.

Every Zumidian engagement runs through customer-approved access paths, scoped permissions and auditable procedures. You keep security, oversight and control; we operate within boundaries you define and can revoke. This page sets out the access model in full, because it's the first thing your CTO will ask and it shouldn't take a sales call to answer.

Access is approved, named and revocable.

We connect through the access workflows you define: VPN, bastion hosts, SSO and MFA on every account. Every Zumidian engineer operates under a named account; there are no shared credentials and no anonymous service accounts performing operational actions. You grant access, you see who holds it, and you can revoke it at any time without negotiation.

Permissions follow least privilege.

Access is scoped to the systems, environments and operational actions covered by the engagement, nothing more. Production access is limited to what runbooks require, and runbooks themselves define the approved actions for each procedure. If an action isn't approved, it doesn't happen; it escalates to your team through the paths you've defined.

Every action is logged and reviewable.

Operational activity, incident actions and runbook execution are logged and available for your review. Combined with the shared PagerDuty view described on our How We Measure page, this means you can audit not just what we did, but how fast and to what standard. Auditable operations aren't an add-on; they're how the service runs.

Player data stays yours.

Sensitive player data remains within customer-controlled systems wherever possible. We operate on operational telemetry: metrics, logs, alerts, service health and player-impact signals. We practise data minimisation as a default, and what we can see is defined by the access you grant, not by what we'd find convenient.

Governance is continuous, not annual.

Access reviews, revocation procedures, escalation rules, environment separation and segregation of duties run throughout the engagement. Offboarding is part of the model from day one: when an engagement ends or scope changes, access is revoked through the same defined workflows it was granted through, and you can verify the revocation yourself.

Compliance status

Zumidian is not SOC 2 certified, and we won't imply otherwise. What we do: we align our controls to SOC 2 principles, including access control, logging, change management and segregation of duties, and we support customer security reviews, questionnaires and vendor risk assessments as a standard part of evaluation and onboarding. Your security team is welcome to examine the access model on this page in as much depth as they like, against your own requirements rather than a certificate's.

We also work within your compliance context: contractual security requirements are handled as a standard part of onboarding, alongside the security questionnaires and vendor risk assessments already described.

FAQ

Frequently asked questions.

How does Zumidian access customer environments?

Through customer-approved access paths only: VPN, bastion hosts, SSO and MFA, with named individual accounts and least-privilege permissions scoped to the engagement. Customers grant, review and can revoke access at any time.

Can we see what Zumidian engineers do in our environment?

Yes. Operational activity, incident actions and runbook execution are logged and reviewable, and incident metrics are visible in the shared tracking system described on the How We Measure page.

Does Zumidian handle player personal data?

Zumidian operates on operational telemetry such as metrics, logs and service-health signals. Sensitive player data remains within customer-controlled systems wherever possible, under a data-minimisation default.

What happens to access when an engagement ends?

Access is revoked through the same customer-defined workflows it was granted through, with verification available to the customer. Offboarding procedures are agreed during onboarding, not improvised at the end.

Is Zumidian SOC 2 certified?

No. Zumidian aligns its controls to SOC 2 principles and supports customer security reviews, questionnaires and vendor risk assessments as a standard part of evaluation, but does not currently hold or have a pending SOC 2 certification.

Ask us the hard questions.

Bring your security team to a Game Operations Review. The access model is part of the conversation, not an exhibit we send afterwards.