NewSecurity Posture is GA: a score your board can readRead the post
Trust

Enterprise Security with Browser Simplicity

ZHERO processes everything locally in your browser. Your Zscaler configuration never leaves your environment, and we never store your sensitive data.

Privacy-first by architecture

ZHERO is a Chrome extension that operates entirely within your browser. This is not a policy choice we ask you to trust: it is how the product is built. There are no backend servers processing your configuration, no cloud pipeline, no copy of your policies sitting in someone else's database.

Local processing only
Everything happens in your browser

ZHERO is a Chrome extension that operates entirely within your browser environment:

  • No backend processing: ZHERO has no servers that receive or process your configuration
  • No data storage: your policies and settings are never saved on ZHERO systems
  • Local analysis: scoring, reports and security findings are computed client-side
  • Direct communication: the extension talks to your Zscaler tenant through the authenticated session you already established, over the same secure HTTPS connection
  • Browser sandbox: Chrome’s security model isolates the extension from the rest of your system
Data transmission policy
What we never transmit

ZHERO never sends any of the following to its servers:

  • Configuration data or policy details
  • URL lists or categories
  • User information
  • IP addresses or locations
  • Traffic data or logs
  • Security settings
  • Any Zscaler configuration content, of any kind1
Data transmission policy
What we do transmit

The only data sent to ZHERO servers is what license validation requires:

  • Customer name
  • Cloud name (for example "zscaler.net")
  • Primary domain (for example "acme.org")
  • User count, for license sizing
  • License expiration date
  • Administrator name and email

This minimal data is:

  • Transmitted over an encrypted HTTPS connection
  • Sent only during license checks, on page load
  • Stored securely with encryption at rest
  • Never shared with third parties
  • Deletable upon request, in line with GDPR

For regulated and security-conscious organizations, this architecture removes the hardest question in every vendor review: your sensitive data never leaves your control, so there is nothing for a third party to protect on your behalf.

Third-party services we use

ZHERO relies on a minimal set of operational services, and none of them ever receives configuration data:

LaunchDarkly

Feature flag management and controlled rollouts. It receives only the administrator email and customer name, used for segmentation.

Sentry.io

Error logs and crash reports that help us improve stability. Reports contain stack traces and browser information; any sensitive Zscaler configuration data is explicitly redacted.

These services receive only the minimal information necessary for their function. All sensitive configuration data remains excluded from any error reports or service communications.

Future features with optional server communication

As ZHERO evolves, some optional capabilities may involve communication with our servers to enable their functionality. Any such capability will always be:

  • Opt-in by default: you must explicitly enable it
  • Completely blockable: it can be disabled at any time
  • Transparently documented: any data transmission is clearly disclosed
  • Privacy-preserving: minimal data sharing, only when necessary

Each capability that requires server communication will be clearly marked, and you will always keep complete control over your data privacy preferences.

Extension permissions

ZHERO requests only the browser permissions it needs to read the Zscaler admin console you are already authenticated to. It does not ask for access to your other tabs, your history, or anything beyond its job. The extension uses your existing authenticated Zscaler session: no additional credentials to create, store, or protect.

Responsible disclosure

We take the security of ZHERO itself seriously. If you believe you have found a weakness in the product, report it to security@zhero.ai. We acknowledge reports within two business days.

Two engineers reviewing network activity on their laptops in a dark office

Want an independent verification? You're in control.

You do not have to take our word for any of this. Because ZHERO is a browser extension, its entire network activity can be audited with the developer tools you already have.

Trust, but verify:

Monitor all network requests made by ZHERO
Inspect request payloads and responses in real time
Confirm that your Zscaler configuration stays local
Validate that only minimal license data is transmitted

Ready to see for yourself?

Our security team will personally walk you through the verification process, showing you exactly how to audit ZHERO's network activity and confirm every claim on this page.

Schedule a Verification Session

Frequently Asked Questions

Questions

Security & Privacy

Can ZHERO employees see my policies?
No, with one narrow exception. For everything ZHERO analyzes, your configuration never leaves your browser, so it is technically impossible for anyone at ZHERO to see it: this is a property of the architecture, not a promise. The exception is a change you actively share through Shared Pending Changes: to reach your teammates, that specific configuration is synchronized through ZHERO servers, isolated per tenant, only while it stays shared. It is opt-in, limited to what you choose to share, and no longer stored once the change is applied or removed.
Is the connection to Zscaler secure?
Yes. ZHERO uses your existing authenticated session with Zscaler. All communications use the same secure HTTPS connection you already established; ZHERO adds no new attack surface between you and your tenant.
What if I uninstall ZHERO?
All local data is immediately removed. Nothing is stored on our servers except your license information, which you can ask us to delete.

Technical Implementation

Can ZHERO modify my Zscaler configuration?
Only with your explicit approval, and only for a focused set of supported change types. Every change goes through the Pending Changes queue, where you review and confirm before anything is applied to your tenant.
Does ZHERO use AI or machine learning?
ZHERO’s analysis is powered by rule-based templates that run locally in your browser. All analysis stays on your machine.
How does ZHERO analyze my configuration without sending data anywhere?
ZHERO downloads analysis templates to your browser. These templates run locally against your configuration, similar to how a spell-checker works: the rules come to your data, your data never goes to the rules.
Where are pending changes stored?
Personal pending changes are stored in your browser’s local storage: they are never transmitted anywhere and are cleared if you clear your browser data. Shared Pending Changes are the exception: when you promote a change to the team queue, that configuration is synchronized through ZHERO servers, isolated per tenant, only while it stays shared, so your teammates can see it. Once the change is applied or removed from the shared queue, it is no longer stored there.

Licensing & Data

Can I audit what data ZHERO transmits?
Yes. Open Chrome DevTools and select the Network tab to see every request the extension makes. You will only see license checks to license.zhero.ai.
Do you sell or share customer data?
Never. We do not sell, share, or monetize any customer data. Our revenue comes exclusively from software licenses.
Why do you need my tenant name?
To validate that your license is used on the correct Zscaler tenant and to prevent unauthorized sharing. It is part of the minimal licensing data described above.
What happens to license data if I cancel?
You can request complete deletion of your license data. We retain it for 30 days for accounting purposes, then permanently delete it.

Enterprise Concerns

Can we review ZHERO’s source code?
Enterprise customers can request a source code review under NDA. Contact sales@zhero.ai to start the security review process.
How do you handle multi-tenant partners and MSSPs?
Each tenant requires its own license. Partners managing multiple customer tenants can contact us to set up multi-tenant licensing.
What about regulated industries such as healthcare or finance?
ZHERO’s architecture is well suited to regulated industries precisely because no sensitive data leaves your control: there is no vendor-side data processing to assess, document, or audit.

Ready to transform your Zscaler experience?

Talk to Our Team!