
Our Zero Trust security architecture

Zero Trust explained: learn how Entropia elevates data room security beyond compliance frameworks.

Would you leave your front door unlocked simply because your neighbourhood has a low crime rate?

Many companies, even those that meet compliance standards, implicitly do just that.

Entropia has validated its controls at SOC 2 Type II level, which amounts to proving that the neighbourhood is under constant surveillance and demonstrably safe.

But we have chosen to go further and raise the bar with a Zero Trust model.

What Zero Trust means

For decades, corporate networks were built like castles or fortresses: high walls, a deep moat, and the assumption that anyone allowed inside was trustworthy.

Unfortunately, modern attackers can still steal a key or tunnel under the moat. Once inside, they can wander freely.

Zero Trust rejects the castle. Instead, it assumes that no user, device, or network packet is trustworthy by default. Each request to access resources, whether from an employee, contractor, or application, is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. Access is granted only for the minimum necessary purpose and only for as long as needed.

This model is implemented by leading companies such as Google, where our CTO, Pierre, spent six years as a Solutions Engineer and saw first-hand how it works in practice. Google frames the model around three core principles:

  • Assume all network traffic is a potential threat at all times. Every user, device, and flow is subject to ongoing authentication, authorisation, and validation, with any request lacking explicit permission automatically denied.

  • Enforce least-privileged access. Each entity is granted only the minimum rights needed to complete a task, limiting the ability of attackers to move laterally if compromise occurs.

  • Always monitor. Continuous oversight analyses and manages activity in real time, identifying potential threats, incidents, and anomalies to investigate.

These principles, first articulated by Forrester and later formalised by the U.S. National Institute of Standards and Technology (NIST) in SP 800-207, Zero Trust Architecture, form the foundation of our own approach.

How Zero Trust raises the bar above SOC 2

What is SOC 2

Customers increasingly demand evidence that their providers handle data responsibly. SOC 2, created by the American Institute of Certified Public Accountants (AICPA), has become one of the most widely recognised audit frameworks.

The standard evaluates an organisation’s controls against five “Trust Services Criteria”: security, availability, processing integrity, confidentiality, and privacy.

A Type I report describes how controls are designed at a single point in time.

A Type II report, which we have achieved, goes further: an independent auditor tests that those controls have operated effectively over an observation period of several months, not merely on paper.

But as robust as it is, SOC 2 is still a framework of proof, not an architecture of defence. It tells customers that the right doors are locked and checked regularly. It does not redesign the building itself.

That is why we describe SOC 2 Type II as our floor, not our ceiling.

Where Zero Trust goes further

Zero Trust pushes security beyond compliance checklists into systemic resilience. To make the contrast concrete, here are a few areas where Zero Trust provides stronger protection than SOC 2 requires. The list is not exhaustive, but it highlights the areas where the difference is most tangible.

  • 🔑 Stolen credentials cannot enable long-term access
    • SOC2: Restrict access to authorised users (often with MFA and roles)
    • Zero Trust: Continuous verification of user identity, device health, and behaviour at every request (that is, every attempt by a user, device, or application to access a resource)

  • 🛡️ Containing breaches, not only detecting them
    • SOC2: Monitor systems for anomalies and respond to incidents
    • Zero Trust: Real-time enforcement that blocks risky actions before they escalate

  • 📤 Stopping data exfiltration at the source
    • SOC2: Encrypt data in storage and transit
    • Zero Trust: Add context-aware rules (e.g., downloads blocked from non-compliant devices)

  • 🤝 Eliminating lingering third-party access
    • SOC2: Assess vendor risk and restrict external access
    • Zero Trust: Just-in-time, least-privilege access for third parties

  • 💥 Limiting the blast radius of incidents
    • SOC2: Demonstrate risk assessments and mitigations
    • Zero Trust: Architect systems to minimise blast radius by design

  • ⚙️ Maintaining service resilience
    • SOC2: Ensure system availability with continuity plans
    • Zero Trust: Design resilient architectures that isolate failures and keep services running

  • 🔒 Protecting confidentiality dynamically
    • SOC2: Document confidentiality and privacy policies
    • Zero Trust: Enforce context-aware restrictions and encryption by design

  • 👤 Reducing insider risk
    • SOC2: Apply HR and access review policies
    • Zero Trust: Limit insider risk with least-privilege and continuous monitoring

And there is more to it: these examples illustrate some of the obvious contrasts, but Zero Trust also changes the way systems are conceived and built, embedding security into the architecture itself rather than treating it as a compliance exercise.


Why should our customers care?

For data room customers, the implications are significant. SOC 2 compliance means your data is handled responsibly; Zero Trust means it is defended relentlessly. Breaches that would spill across a legacy data room provider’s environment stop cold within ours.

Building on Zero Trust is more demanding for application developers, because security must be engineered directly into the architecture rather than bolted on later. Zero Trust requires grappling with identity-driven policies (deciding who can access which resources and under what conditions), network segmentation (designing the system so that even if one part is compromised, attackers cannot easily move to another), and continuous telemetry (collecting and analysing data about activity in real time to detect and prevent anomalies).
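A minimal per-request policy decision point, added here as an illustration rather than Entropia’s own code, makes the points above concrete: it implements the identity, least-privilege, just-in-time, device-posture and behavioural checks from the contrast list, and the identity-driven policy and continuous-telemetry concerns from the paragraph above, for a hypothetical data room with two actions (view and download). Every principal, device, grant, resource name and threshold in it is constructed sample data, and the rule set is an assumption chosen for illustration, not a description of Entropia’s actual policies.

```python
"""Per-request Zero Trust policy decision point for a hypothetical data room.

Added illustration, not Entropia's code. It models the principles in the text: default
deny, identity re-checked on every request, least-privilege grants with a hard expiry
(just-in-time third-party access), a context-aware device rule (no downloads from
non-compliant devices), a behavioural rate check, and telemetry for every decision.
Every principal, device, grant and threshold below is constructed sample data.
"""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DOWNLOADS_PER_HOUR = 3  # assumed threshold for the behavioural rule
Decision = namedtuple("Decision", "allow reason")

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    patched: bool         # OS inside the patch window

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.patched

@dataclass(frozen=True)
class Grant:
    """One principal, one resource, explicit actions, hard expiry; nothing implicit."""
    principal: str
    resource: str
    actions: frozenset
    expires_at: datetime

@dataclass(frozen=True)
class Request:
    principal: str
    device: Device
    resource: str
    action: str           # "view" or "download"
    mfa_verified: bool
    at: datetime

class PolicyEngine:
    def __init__(self, grants):
        self.grants = list(grants)
        self.telemetry = []  # every decision, allowed or denied, is recorded here

    def _record(self, req, decision):
        self.telemetry.append({"at": req.at, "principal": req.principal,
                               "device": req.device.device_id, "resource": req.resource,
                               "action": req.action, "allow": decision.allow,
                               "reason": decision.reason})
        return decision

    def _recent_downloads(self, principal, now):
        return sum(1 for e in self.telemetry if e["principal"] == principal
                   and e["action"] == "download" and e["allow"]
                   and e["at"] > now - timedelta(hours=1))

    def authorize(self, req: Request) -> Decision:
        """Evaluate one request from scratch; network location plays no part."""
        # 1. Identity: strong authentication is required on every request.
        if not req.mfa_verified:
            return self._record(req, Decision(False, "mfa_required"))
        # 2. Least privilege: default deny unless an explicit grant covers this
        #    principal, this resource and this action.
        grant = next((g for g in self.grants if g.principal == req.principal
                      and g.resource == req.resource and req.action in g.actions), None)
        if grant is None:
            return self._record(req, Decision(False, "no_grant"))
        # 3. Just-in-time: a lapsed grant is not honoured; access must be re-requested.
        if req.at >= grant.expires_at:
            return self._record(req, Decision(False, "grant_expired"))
        # 4. Context-aware rule: downloads only from compliant devices.
        if req.action == "download" and not req.device.compliant():
            return self._record(req, Decision(False, "device_noncompliant"))
        # 5. Behaviour: stop bulk downloading before it becomes exfiltration.
        if (req.action == "download"
                and self._recent_downloads(req.principal, req.at) >= MAX_DOWNLOADS_PER_HOUR):
            return self._record(req, Decision(False, "download_velocity"))
        return self._record(req, Decision(True, "ok"))

def demo():
    """Run constructed scenarios and return the decision reason for each, in order."""
    t0 = datetime(2024, 1, 15, 9, 0)
    laptop = Device("lap-01", managed=True, disk_encrypted=True, patched=True)
    byod = Device("phone-07", managed=False, disk_encrypted=True, patched=True)
    doc = "deal-42/ndas"
    engine = PolicyEngine([
        Grant("alice@buyer.example", doc, frozenset({"view", "download"}), t0 + timedelta(days=7)),
        # External advisor: view only, and the grant lapses after two hours.
        Grant("advisor@ext.example", doc, frozenset({"view"}), t0 + timedelta(hours=2)),
    ])
    reqs = [
        Request("alice@buyer.example", laptop, doc, "view", True, t0),
        Request("alice@buyer.example", laptop, doc, "view", False, t0),      # no MFA
        Request("alice@buyer.example", byod, doc, "download", True, t0),     # unmanaged device
        Request("advisor@ext.example", laptop, doc, "download", True, t0),   # action not granted
        Request("advisor@ext.example", laptop, doc, "view", True, t0 + timedelta(hours=3)),  # lapsed
    ]
    # Four compliant downloads inside an hour: the fourth trips the behavioural rule.
    reqs += [Request("alice@buyer.example", laptop, doc, "download", True,
                     t0 + timedelta(minutes=10 * i)) for i in range(4)]
    return [engine.authorize(r).reason for r in reqs]
```

Calling demo() returns the reason for each decision in order: the first request succeeds, the next four are refused for a missing MFA step, an unmanaged device, an action outside the grant and a lapsed grant, and of four downloads within an hour the fourth is refused by the velocity rule. Note that every decision, allowed or denied, lands in engine.telemetry, which is what the "always monitor" principle consumes, and that the engine never consults the source network: a request from the office LAN and one from a coffee shop are judged on the same identity, grant, device and behaviour signals.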

Together, the two frameworks signal Entropia’s ambition to raise the bar for data room customers: SOC 2 Type II proves we meet one of the toughest industry standards, while Zero Trust shows we aim beyond yesterday’s definitions of secure.