Zero Trust explained: learn how Entropia elevates data room security beyond compliance frameworks.
Would you leave your front door unlocked simply because your neighbourhood has a low crime rate?
Many companies, even while meeting compliance standards, implicitly do just that.
Entropia has validated SOC 2 Type II level controls, which is the equivalent of proving that the neighbourhood is under constant surveillance and demonstrably safe.
But we have chosen to go further and raise the bar with a Zero Trust model.
For decades, corporate networks were built like castles or fortresses: high walls, a deep moat, and the assumption that anyone allowed inside was trustworthy.
Unfortunately, modern attackers might still steal a key or tunnel under the moat. If they ever manage to get inside, they can wander freely.
Zero Trust rejects the castle. Instead, it assumes that no user, device, or network packet is trustworthy by default. Each request to access resources, whether from an employee, contractor, or application, is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. Access is granted only for the minimum necessary purpose and only for as long as needed.
This model is implemented by leading companies such as Google, where our CTO, Pierre, spent six years as a Solutions Engineer, gaining firsthand experience of how it works in practice. Google frames the model around three core principles:
These principles, first articulated by Forrester and formalised by the U.S. National Institute of Standards and Technology (NIST), form the foundation of our own approach.
Customers increasingly demand evidence that their providers handle data responsibly. SOC 2, created by the American Institute of CPAs, has become one of the most widely recognised audit frameworks.
The standard evaluates an organisation’s controls across five “Trust Services Criteria”: security, availability, processing integrity, confidentiality, and privacy.
A Type I report describes how controls are designed at a single point in time.
A Type II report, which we have achieved, goes further: it validates that those controls operate effectively over months, not merely on paper.
But as robust as it is, SOC 2 is still a framework of proof, not an architecture of defence. It tells customers that the right doors are locked and checked regularly. It does not redesign the building itself.
That is why we describe SOC 2 Type II as our floor, not our ceiling.
Zero Trust pushes security beyond compliance checklists into systemic resilience. To illustrate the contrast in concrete terms, here are a few key examples where Zero Trust provides stronger protection than SOC 2 expectations. The list is not exhaustive, but it highlights the areas where the difference is most tangible.
And there is more to it: these examples illustrate some of the obvious contrasts, but Zero Trust also changes the way systems are conceived and built, embedding security into the architecture itself rather than treating it as a compliance exercise.
For dataroom customers, the implications are crucial. SOC 2 compliance means your data is handled responsibly; Zero Trust means it is defended relentlessly. Breaches that would spill across a legacy dataroom provider’s environment stop cold within ours.
Building on Zero Trust is more demanding for application developers, because security must be engineered directly into the architecture rather than bolted on later. Zero Trust requires grappling with identity-driven policies (deciding who can access which resources and under what conditions), network segmentation (designing the system so that even if one part is compromised, attackers cannot easily move to another), and continuous telemetry (collecting and analysing data about activity in real time to detect and prevent anomalies).
Together, the two frameworks signal Entropia’s ambition to raise the bar for dataroom customers: SOC 2 Type II proves we meet one of the toughest industry standards, while Zero Trust shows we aim beyond yesterday’s definitions of secure.