# Security in Omlet

Omlet is a product developed and provided by Zeplin, Inc. which has SOC 2 Type II attestation. For Omlet, we implement the same security controls as the rest of the Zeplin ecosystem. When we refer to Zeplin, the same controls are in place for Omlet as well.

## **Data collection for Omlet**

Omlet CLI collects only the metadata, **your code is never collected, stored or uploaded**. The scanning process is always done *locally* and you have full control over what Omlet will scan by choosing which repository/directory it should scan.

You can learn more about the data collection for Omlet here:

* [Data collection for Omlet](https://docs.omlet.dev/security/data-collection)

## Company

You can access the vendor details for Zeplin, Inc. from:&#x20;

* [Vendor details for Zeplin](https://support.zeplin.io/en/articles/1750260-vendor-details-for-zeplin)

## Terms and Privacy

The existing terms and privacy policy of Zeplin apply to Omlet too. You can access them from:

* [Terms of Service](https://zeplin.io/terms/)
* [Privacy Policy](https://zeplin.io/privacy/)

## Security Whitepaper

We understand how important security and compliance are, and we’ve worked hard to make sure that our products are secure. The security and protection of our customers’ data is definitely a top priority.&#x20;

We outline our approach to security & compliance, and the details of the technical controls that keep your data safe in this whitepaper:

* [Security Whitepaper](https://support.zeplin.io/en/articles/2472293-security-whitepaper)

In summary, we implement strict security controls, ensuring secure integrations with communication tools and adherence to regulatory standards like SOC 2. Our comprehensive approach includes rigorous hiring practices, physical and network security measures, regular penetration tests, and a commitment to privacy and confidentiality for user data.

### Subprocessors

Zeplin, Inc. may engage data processors, subcontractors or content delivery networks to support the delivery of the services. You can access the information about the identity, location, and role of each subprocessor here:

* [Zeplin Subprocessors](https://zeplin.io/subprocessors)

### Penetration Testing

We use specialist security consulting firms to complete penetration tests on our infrastructure. You can read more and see the results here:

* [Zeplin Security Penetration Test](https://support.zeplin.io/en/articles/3991799-zeplin-security-penetration-test)

### Regulatory Compliance <a href="#regulatory-compliance" id="regulatory-compliance"></a>

Zeplin, Inc. maintains a comprehensive set of IT controls to ensure it meets various compliance obligations and aligns with SOC 2. You can read more about our regulatory compliance here:

* [Regulatory Compliance](https://support.zeplin.io/en/articles/4113683-regulatory-compliance)

{% hint style="info" %}
AICPA rules do not permit public dissemination of SOC 2 reports. Please ping us at "<support@omlet.dev>" to request a copy of our attestation under NDA.
{% endhint %}

### Responsible Disclosure

We appreciate responsible disclosure and will acknowledge security researchers who have reported an issue that is proven and of sufficient severity:

* [Responsible Disclosure](https://support.zeplin.io/en/articles/2632495-responsible-disclosure)

## Data Processing Addendum, or DPA

Zeplin, Inc. provides a GDPR compliant DPA adapted to our services, which you can sign automatically following the steps [here](https://zpl.io/dpa).

The signing process will start once you enter your name and email address. Then, you’ll be able to review the document, fill out the fields, sign, and download if you need.

{% hint style="info" %}
**Have more questions?**

If you have further security questions, please [contact us](mailto:support@omlet.dev).
{% endhint %}