NIST Security FAQ
Our security posture changes continually as we improve our products, so please contact us for the latest information. These answers apply to our Zentitle2 platform. Where a question has two answers, the first refers to the Zentitle2 cloud service and the second to the Local License Server (LLS).
Does Zentitle support federated identity integration (e.g., SAML, OAuth2, Microsoft Entra ID, or Active Directory) for the Local License Server and administrative portal access?
  Zentitle2 cloud: Yes
  Local License Server: Not at this time

Can role-based access be configured to enforce the principle of least privilege, e.g., restricting access by product, customer group, or API scope?
  Zentitle2 cloud: Yes
  Local License Server: NA

Is MFA (multi-factor authentication) supported and enforceable for all administrative, developer, and user accounts across the Local License Server, SaaS portal, and API?
  Zentitle2 cloud: Yes
  Local License Server: Not at this time
Audit and Accountability (NIST 3.3.x)
What audit logs are available for administrative access, API calls (e.g., license issuance/modification), and entitlement use / client-side activation?
  Zentitle2 cloud: Partial; customer and entitlement modifications are logged today, and the remaining log types are planned
  Local License Server: Not at this time

Can these logs be exported to external SIEM or logging systems, or made available via API?
  Zentitle2 cloud: Manually, on request
  Local License Server: Not at this time

Are audit logs tamper-resistant, and is retention configurable?
  Zentitle2 cloud: Not at this time
  Local License Server: Not at this time
Configuration Management (NIST 3.4.x)
Is there support for tracking and auditing configuration changes (e.g., license models, user roles, entitlement edits)?
  Zentitle2 cloud: Yes (for entitlements)
  Local License Server: Not at this time

Are there versioning or rollback mechanisms for configuration changes?
  Zentitle2 cloud: Versioning (no rollback)
  Local License Server: Not at this time

Can change control processes (e.g., multi-user approvals or alerts) be enforced for high-risk operations?
  Zentitle2 cloud: Not at this time
  Local License Server: Not at this time
Identification and Authentication (NIST 3.5.x)
How is authentication managed for the Local License Server? Are credentials hashed securely and changeable?
  Zentitle2 cloud: NA
  Local License Server: Credentials are supplied and managed through environment variables

Does the Local License Server or the cloud portal support scoped API tokens, expiry, and revocation?
  Zentitle2 cloud: Scoped: no; Expiry: yes; Revocation: no
  Local License Server: Not at this time

Is there a method for rotating credentials or tokens used for developer and admin access?
  Zentitle2 cloud: Yes
  Local License Server: Yes
Security Assessment / Incident Response (NIST 3.6, 3.12)
Can historical logs or entitlement usage data be provided to support forensic investigation in case of a suspected compromise?
  Zentitle2 cloud: Yes
  Local License Server: Yes

Does Zentitle offer incident response support, including defined contacts and response SLAs for reported vulnerabilities?
  Zentitle2 cloud: In Enterprise agreements
  Local License Server: In Enterprise agreements
Media and Data Protection (NIST 3.8, 3.13)
Are entitlement tokens and communications encrypted at rest and in transit using strong, standards-based cryptography?
  Zentitle2 cloud: Yes
  Local License Server: Yes

Are FIPS 140-2 validated modules used for cryptographic operations (especially in the Local Daemon License Server)?
  Zentitle2 cloud: No; industry-standard protocols are used rather than FIPS 140-2 validated modules
  Local License Server: The LLS database is provided and managed by the customer

Can you confirm where customer-related data is stored and processed? Is U.S. data residency or SaaS region isolation available?
  Zentitle2 cloud: Multi-tenant deployments are hosted in the US; single-tenant deployments can be hosted in any region and are isolated
  Local License Server: The LLS database is provided and managed by the customer
System and Communications Protection (NIST 3.13.x)
Does Zentitle enforce HTTPS-only access to all interfaces and APIs?
  Zentitle2 cloud: Yes
  Local License Server: Managed by the customer

Can we enforce TLS 1.2+ or configure allowed cipher suites?
  Zentitle2 cloud: Yes
  Local License Server: Managed by the customer
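Because TLS policy on the Local License Server is the customer's responsibility, and a "Yes" for the cloud service is worth verifying rather than assuming, the following probe checks whether an endpoint actually refuses TLS 1.0 and 1.1 while accepting TLS 1.2 or 1.3. This is an added example and not Nalpeiron code or a Zentitle2 API; the host and port are placeholders you supply, and the function names are this example's own. It also handles the common pitfall that a modern OpenSSL build cannot even offer TLS 1.0/1.1, which must be reported as "untested" rather than as a pass.

```python
"""Verify that an HTTPS endpoint enforces TLS 1.2+ (added example; not Nalpeiron code).

The host and port are placeholders supplied on the command line; the
function names below are this example's own, not a Zentitle2 or LLS API.
"""
import socket
import ssl
import sys

# Versions to offer, oldest first. A host that enforces TLS 1.2+ must
# refuse the first two and accept at least one of the last two.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def probe_version(host, port, version, timeout=5.0):
    """Return True if a handshake pinned to exactly `version` succeeds,
    False if the server refuses it, or None if this client's OpenSSL build
    cannot offer that version at all (typical for TLS 1.0/1.1 on OpenSSL 3).
    Network errors other than a TLS refusal (timeout, connection refused)
    propagate, because they say nothing about the server's TLS policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question is which protocol versions the server negotiates, not
    # whether its certificate chain validates, so verification is skipped.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Lower the OpenSSL security level so legacy versions can be offered;
        # if the build rejects this, fall through and let the probe tell us.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        # "no protocols available" is raised before any ClientHello is sent:
        # the client could not offer the version, so the server was not tested.
        if getattr(exc, "reason", None) == "NO_PROTOCOLS_AVAILABLE" \
                or "no protocols available" in str(exc).lower():
            return None
        return False
    except ConnectionResetError:
        # Some servers drop the connection instead of sending an alert.
        return False


def survey(host, port):
    """Probe every version in VERSIONS; returns {TLSVersion: True|False|None}."""
    return {v: probe_version(host, port, v) for v in VERSIONS}


def evaluate(results, minimum=ssl.TLSVersion.TLSv1_2):
    """Judge survey results against a "TLS `minimum` or newer only" policy.

    Returns (compliant, detail). The endpoint is compliant only when every
    version below `minimum` was actually offered and refused, and at least
    one version at or above `minimum` was accepted. A legacy version the
    client could not offer counts as untested, never as refused, so a gap
    in the client cannot produce a false pass.
    """
    legacy_accepted = [v.name for v, ok in results.items() if ok and v < minimum]
    modern_accepted = [v.name for v, ok in results.items() if ok and v >= minimum]
    untested = [v.name for v, ok in results.items() if ok is None]
    legacy_untested = [v.name for v, ok in results.items() if ok is None and v < minimum]
    compliant = bool(modern_accepted) and not legacy_accepted and not legacy_untested
    return compliant, {
        "legacy_accepted": legacy_accepted,
        "modern_accepted": modern_accepted,
        "untested": untested,
    }


if __name__ == "__main__":
    # Usage: python tls_check.py lls.example.internal 443   (placeholder host)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = evaluate(survey(host, port))
    for key, names in detail.items():
        print(f"{key}: {', '.join(names) or '-'}")
    print("PASS: TLS 1.2+ enforced" if ok else "FAIL: policy not enforced or not verifiable")
    sys.exit(0 if ok else 1)
```

Run it against the LLS listener after you have configured its TLS settings, and against the cloud portal as a spot check. If the output lists TLSv1 or TLSv1_1 under `untested`, run the same check from a host with an OpenSSL build that still offers those versions (or from a dedicated scanner) before recording the endpoint as compliant.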
Are there configurable session timeouts, lockouts, or IP-based restrictions for administrative access?
  Zentitle2 cloud: Multi-tenant: no; single-tenant deployments can be flexibly configured
  Local License Server: In Enterprise agreements
Has Zentitle been assessed under SOC 2 Type II, ISO 27001, or similar?
  In progress (SOC 2)

Are you actively pursuing or considering FedRAMP, NIST 800-171, or CMMC alignment?
  Not at this time, but we will consider it for large client contracts

Can you provide a data flow or architecture diagram for the Local Daemon License Server and cloud services, showing where licensing, activation, and usage data is processed or stored?
  See our documentation