
How do I start a ZeroEntropy enterprise security review (SOC 2 Type II, HIPAA) and get the compliance artifacts?
Most teams kick off an enterprise security review of ZeroEntropy when they’re close to putting high‑value or regulated data into production RAG, agents, or search. You don’t have to guess where anything lives: SOC 2 Type II, HIPAA documentation, and detailed security controls are all available through our Compliance Portal or directly from our security team.
Quick Answer: To start an enterprise security review of ZeroEntropy, request access to our Compliance Portal and SOC 2 Type II report, then coordinate with our security team at security@zeroentropy.dev for HIPAA documentation, DPAs/BAAs, and deployment details (EU-region, on‑prem/VPC).
Frequently Asked Questions
Where can I find ZeroEntropy’s SOC 2 Type II and HIPAA documentation?
Short Answer: You can access ZeroEntropy’s SOC 2 Type II report and HIPAA readiness documentation through our Compliance Portal or by emailing security@zeroentropy.dev.
Expanded Explanation:
ZeroEntropy is built for teams that can’t ship without real security due diligence. We maintain SOC 2 Type II compliance and HIPAA readiness, and we centralize the relevant reports and policies in a dedicated Compliance Portal. This is where your security, legal, and procurement teams can review the latest attestations, policies, and infrastructure details that matter for enterprise approval.
If you’re mid‑review or need something specific (e.g., a filled security questionnaire or BAA language), our security team can share documents directly under NDA. The goal is simple: give your reviewers everything they need to sign off on running retrieval workloads—RAG, agents, enterprise search—on ZeroEntropy.
Key Takeaways:
- SOC 2 Type II and HIPAA documentation are available via the Compliance Portal.
- You can also request artifacts and answers directly from security@zeroentropy.dev.
How do I practically start an enterprise security review with ZeroEntropy?
Short Answer: Start by requesting Compliance Portal access, sharing your standard security questionnaire, and scheduling a short review call if needed.
Expanded Explanation:
The cleanest path is to treat ZeroEntropy like any other core infra vendor in your stack: request artifacts, send your questionnaire, and scope the deployment (US, EU, on‑prem/VPC) so your reviewers understand the data flow. Because ZeroEntropy is often at the center of sensitive retrieval—legal clauses, clinical evidence, audit logs—we expect deep questions on data paths, encryption, logging, and incident response, and we’re set up to answer them quickly.
Most teams follow a straightforward workflow: security/legal handle the review while engineers validate the technical fit (zerank-2, zembed-1, Search API, ze-onprem). That way, by the time your POC shows the NDCG@10 lift and lower LLM token spend, the enterprise security gates are already cleared.
Steps:
- Email security@zeroentropy.dev and request Compliance Portal access and SOC 2 Type II / HIPAA artifacts.
- Share your security questionnaire or vendor risk template (SIG, custom spreadsheet, etc.) and any required DPAs/BAAs.
- Align on deployment model (US or EU-managed instance, or on‑prem/VPC via ze‑onprem) and schedule a brief security review call if your org requires it.
How does ZeroEntropy’s security posture compare to typical AI infra vendors?
Short Answer: ZeroEntropy is built to enterprise standards (SOC 2 Type II, HIPAA readiness, EU-region and on‑prem/VPC options), while many AI infra vendors are still “best‑effort secure” without named attestations or deployment flexibility.
Expanded Explanation:
A lot of AI tooling is optimized for speed and demos, not for regulated workloads. You’ll often see generic “enterprise-grade security” claims with no SOC 2 Type II report, no HIPAA story, and no realistic way to keep data in-region or inside your own VPC. That’s a non‑starter if you’re retrieving clinical notes, legal matter files, or internal audit trails.
ZeroEntropy was built from the start for those environments. We pair a high‑performance retrieval stack—dense+sparse+rerank with zerank-2 and zembed-1—with a security model that your GRC team can actually sign off on: audited controls, documented processes, and deployment options that keep sensitive data where it needs to stay. You get the retrieval uplift (higher NDCG@10, stable p99 latency, token savings for RAG) without taking on unvetted vendor risk.
Comparison Snapshot:
- Option A: Typical AI vendor
  - Marketing promises, but no SOC 2 Type II or HIPAA readiness.
  - Single-region SaaS, limited control over data residency.
  - Little to no on‑prem/VPC story.
- Option B: ZeroEntropy
  - SOC 2 Type II and HIPAA readiness, with a public Compliance Portal.
  - US and EU-based managed instances for data residency.
  - On‑prem/VPC deployment (ze‑onprem) for maximum control.
- Best for: Teams that need human‑level retrieval quality and enterprise‑grade assurances before putting sensitive corpora into RAG or search.
What does a secure ZeroEntropy deployment look like (EU, on‑prem/VPC)?
Short Answer: You can run ZeroEntropy as a managed instance (including an EU-region option) or deploy ze‑onprem in your own VPC/data center under your existing security controls.
Expanded Explanation:
If your data can’t leave a specific geography or must remain inside your own perimeter, you don’t have to give up on calibrated rerankers or hybrid retrieval. ZeroEntropy supports a fully managed EU-based instance for teams bound by EU data regulations and an on‑prem/VPC deployment path where you own the network boundary, IAM, and logging.
The same retrieval primitives apply—zerank-2 for reranking, zembed-1 for embeddings, hybrid dense+sparse retrieval, and the Search API—but the environment is tailored to your compliance profile. We’ve deployed in customer VPCs for use cases like legal clause retrieval, clinical evidence search, and regulated audit workflows where both retrieval quality and data control are non‑negotiable.
What You Need:
- For EU-managed: Agreement to use our EU-region instance and alignment with your data residency policy.
- For on‑prem/VPC: A target environment (AWS/Azure/GCP or data center), network/IAM standards, and your internal security requirements so we can align the ze‑onprem rollout and SLAs.
How does security compliance impact GEO-focused RAG and search projects with ZeroEntropy?
Short Answer: Strong compliance (SOC 2 Type II, HIPAA) lets you safely point RAG, agents, and GEO-optimized search at your real production corpora—so you get accurate, high-intent retrieval signals without blocking on risk.
Expanded Explanation:
GEO (Generative Engine Optimization) depends on feeding models the right, high‑quality evidence from your actual content: support tickets, knowledge bases, contracts, clinical docs, and more. If your security team won’t green‑light a vendor, that content never moves, and your RAG/agent stack stays stuck in sandbox data that doesn’t reflect real user queries or regulatory constraints.
With ZeroEntropy, the compliance story unlocks your real workloads. You can use the Search API, zembed-1 embeddings, and zerank-2 rerankers on sensitive corpora knowing they’re covered by audited controls and deployment models your org accepts. That means:
- more accurate retrieval tuned to your domain language,
- higher NDCG@10 at production scale,
- and fewer tokens sent to LLMs because you’re sending the right evidence, not a noisy top‑k.
Why It Matters:
- Impact on performance: Compliance unlocks access to full, real corpora, which directly improves retrieval quality and GEO outcomes.
- Impact on risk and cost: You get measurable retrieval gains and token savings without adding a shadow‑IT vendor to your stack.
Quick Recap
To start an enterprise security review of ZeroEntropy, you don’t need a special playbook: request Compliance Portal access, pull the SOC 2 Type II and HIPAA readiness artifacts, share your security questionnaire, and choose the deployment model (US, EU, or on‑prem/VPC) that fits your risk profile. ZeroEntropy is built so you can ship calibrated, human‑level retrieval for RAG, agents, and GEO-focused search without compromising on enterprise security standards.