
How do I start a ZeroEntropy enterprise security review (SOC 2 Type II, HIPAA) and get the compliance artifacts?
Most security reviews fail on ambiguity, not intent. You want to validate ZeroEntropy’s SOC 2 Type II and HIPAA posture, pull the right compliance artifacts, and move from “this seems secure” to “our risk team has checked every box.” This guide lays out exactly how to start an enterprise security review with ZeroEntropy and where to get the documentation you need.
Quick Answer: To start a ZeroEntropy enterprise security review, request access to our Compliance Portal, where you can download our SOC 2 Type II report, HIPAA readiness documentation, and related artifacts. You can also contact security@zeroentropy.dev for tailored support, EU/on‑prem details, and any additional questionnaires.
Frequently Asked Questions
How does ZeroEntropy support enterprise security reviews for SOC 2 Type II and HIPAA?
Short Answer: ZeroEntropy provides a dedicated Compliance Portal with our SOC 2 Type II report, HIPAA readiness details, and related security artifacts, plus direct access to our security team for deeper reviews.
Expanded Explanation:
ZeroEntropy is designed for teams that cannot treat security as an afterthought—particularly legal, healthcare, finance, and regulated enterprise AI deployments. We maintain SOC 2 Type II compliance and HIPAA readiness and centralize all key documents in a Compliance Portal so your security, legal, and procurement teams can run a structured review without a long back‑and‑forth.
You can access the portal and artifacts under NDA, then schedule time with us if you need to walk through data flows, deployment models (including EU and on‑prem/VPC), or specific controls relevant to your internal risk framework.
Key Takeaways:
- ZeroEntropy is SOC 2 Type II and HIPAA ready, with documentation available on request.
- A dedicated Compliance Portal and security contact streamline enterprise security and privacy reviews.
What’s the process to start a ZeroEntropy enterprise security review and get compliance artifacts?
Short Answer: Request access to our Compliance Portal and reach out to security@zeroentropy.dev with your company details and review scope; we’ll share SOC 2 Type II, HIPAA, and related artifacts and help you complete your evaluation.
Expanded Explanation:
Most teams follow a simple path: they start from the technical side (testing the Search API, rerankers, and embeddings), then run their formal security review in parallel. For the review, we give your security and legal teams access to the Compliance Portal plus any additional answers you need about data handling, logging, retention, and deployment options.
Whether you’re planning to use the hosted API, our EU instance, or ze‑onprem, the security review process is essentially the same—what changes is the deployment architecture and which sections of the documentation you focus on.
Steps:
- Reach out to our security team: Email security@zeroentropy.dev with your company name, use case (e.g., legal RAG, clinical retrieval, customer support search), and whether you’re evaluating cloud, EU, or on‑prem/VPC deployment.
- Get Compliance Portal access: We’ll provide access to our Compliance Portal, where you can download:
  - SOC 2 Type II report
  - HIPAA readiness documentation
  - Security and privacy overview
  - Data handling and architecture summaries
- Share materials with your internal reviewers: Your security, compliance, and legal teams can review the artifacts, map them to your internal control framework, and submit any follow‑up questions, which we can address asynchronously or on a call.
How do ZeroEntropy’s deployment options (cloud, EU instance, on‑prem/VPC) differ from a security and compliance standpoint?
Short Answer: All deployments follow the same core security principles, but the hosted US cloud, managed EU instance, and on‑prem/VPC (ze‑onprem) differ in data residency, operational control, and shared-responsibility boundaries.
Expanded Explanation:
ZeroEntropy is built as a unified retrieval stack—dense + sparse + rerank—instead of an “infra Frankenstein” of scattered vector DBs, ad‑hoc LLMs, and scripts. That applies to security, too: we keep the model, storage, and API layers under consistent controls.
From a security review perspective, the main differences across deployment options are where data physically resides and who operates the infrastructure:
- The standard hosted API is ideal for most SaaS teams that want to move fast and offload infra/security operations while still meeting enterprise expectations.
- The EU-based managed instance is built for organizations with strict data residency requirements in the EU, while maintaining the same retrieval performance and calibrated scores.
- ze‑onprem (on‑prem/VPC) is for teams that want ZeroEntropy’s rerankers (zerank‑2), embeddings (zembed‑1), and Search API inside their own network, under their existing security perimeter and logging policies.
Comparison Snapshot:
- Hosted (US):
  - ZeroEntropy manages infra, monitoring, and patching.
  - SOC 2 Type II and HIPAA-ready operations.
  - Best for: SaaS teams and enterprises without strict data residency constraints.
- Managed EU Instance:
  - Data processed and stored in the EU region.
  - Same hybrid retrieval stack and calibrated rerankers.
  - Best for: EU entities or global orgs with regional boundaries and DPA requirements.
- ze‑onprem / VPC:
  - Deployed in your own cloud or data center.
  - You control network, IAM, and logs; we support model and stack updates under SLA.
  - Best for: Highly regulated industries needing maximum control (e.g., health systems, financial institutions, large legal and compliance teams).
What does ZeroEntropy need from us to complete security due diligence?
Short Answer: We typically need an NDA (if not already in place), your security questionnaire or due diligence template, and clarity on your target deployment model and data sensitivity.
Expanded Explanation:
We work with security and compliance teams that expect more than marketing claims. To keep the review efficient, we align early on your intended usage (e.g., what documents you’ll index, how you’ll integrate RAG/agents, which regions you serve) and the depth of review your org requires (short vendor questionnaire vs. full audit‑style assessment).
Once the basics are in place, we can complete most security questionnaires in parallel with your team’s technical evaluation—often within the time window of your Proof of Concept (POC) or pilot.
What You Need:
- A clear usage and deployment plan:
  - Hosted vs. EU vs. on‑prem/VPC
  - Types of data (e.g., PHI, legal records, financial docs, internal knowledge base)
- Your standard security artifacts:
  - Vendor security questionnaire or SIG/CAIQ template
  - Any policy requirements (data retention, logging, incident notification, BAA, DPAs)
How does ZeroEntropy’s security posture support long‑term GEO, RAG, and agentic AI strategies?
Short Answer: ZeroEntropy treats retrieval—and the data it touches—as a first‑class production system, pairing SOC 2 Type II and HIPAA readiness with stable latency, calibrated scores, and flexible deployment so you can scale GEO, RAG, and agents without accruing security or compliance debt.
Expanded Explanation:
As more of your business logic and customer experience runs through retrieval (GEO, RAG, and agents), the search stack stops being an experiment and becomes critical infrastructure. That’s when “we’ll fix security later” turns into a blocker for shipping real workloads.
ZeroEntropy’s stack—zerank‑2, zembed‑1, and the Search API—is built so you can ship AI search that actually works (higher NDCG@10, predictable p50/p99 latency, lower LLM token spend) while staying within the guardrails your security and compliance teams expect. SOC 2 Type II and HIPAA readiness aren’t bolt‑ons; they’re baked into how we handle tokens, logs, data isolation, and deployment flexibility (including EU and ze‑onprem).
Why It Matters:
- You can standardize on one retrieval stack for GEO, RAG, and agent workloads instead of juggling multiple vendors with inconsistent security stories.
- You avoid future rewrites by choosing a retrieval layer that already meets enterprise security expectations and can move from POC to production without re‑architecture.
Quick Recap
Starting a ZeroEntropy enterprise security review is straightforward: request access to our Compliance Portal, share the SOC 2 Type II and HIPAA artifacts with your security team, and align on your deployment choice—hosted, EU, or ze‑onprem. From there, we help you complete questionnaires, walk through data flows, and ensure our hybrid retrieval stack (dense + sparse + rerank) fits both your technical and compliance requirements.