Information Security
Last Updated: February 1, 2025
1. Security Overview
Z Natural Foods (“ZNF”), a corporation organized and operating under the laws of the State of Florida and located in Palm Beach, Florida, is committed to maintaining a robust security program designed to protect its digital assets, customer information, and operational integrity. In furtherance of this commitment, ZNF adheres to and incorporates, where applicable, security standards and guidelines promulgated by governmental agencies and recognized industry bodies—including, but not limited to, the United States Department of Agriculture (USDA), the Food and Drug Administration (FDA), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Institutes of Health (NIH), and the World Health Organization (WHO). Additional information regarding our security program and supporting compliance artifacts is available on our Security Status Page, which forms an integral part of this policy by reference.
2. Reporting Security Issues
a. Scope and Submission Process
If you believe you have identified a vulnerability or have experienced a security incident affecting any ZNF product or service, you are required to promptly report the matter by contacting ZNF at security@znaturalfoods.com. By submitting a report, you acknowledge and agree to be bound by the terms of this policy, which constitute a legally binding agreement between you and ZNF.
b. Permissible Activities and Restrictions
In the course of identifying, verifying, or replicating a potential vulnerability, you shall limit your activities solely to those actions necessary to document the vulnerability and enable ZNF to replicate the issue under controlled conditions. You are expressly prohibited from:
- Exceeding Minimal Testing: Engaging in any actions that compromise user accounts, download, copy, or exfiltrate data, or induce any form of service disruption (including denial-of-service conditions) or other destructive outcomes.
- Targeting Out-of-Scope Areas: Investigating or exploiting vulnerabilities that are expressly designated as out of scope. This includes, without limitation, activities related to social engineering, clickjacking, or deficiencies in the implementation of industry-standard protocols or configurations (such as TLS enforcement, Content Security Policy (CSP), Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), etc.). Furthermore, any examination of ZNF’s JavaScript code or its integrations on third-party systems is strictly prohibited unless such activities are governed by and conducted in accordance with the applicable responsible disclosure program of the third party.
c. Confidentiality and Communication
Upon receipt of your vulnerability report, ZNF will request that you maintain strict confidentiality regarding any communications or information related to the vulnerability until such time as ZNF authorizes public disclosure. ZNF reserves the right to seek additional details or clarifications to facilitate a thorough investigation and resolution of the reported issue.
d. Investigation, Remediation, and Notification
Following the submission of a vulnerability report, ZNF will:
- Investigate and Verify: Conduct a prompt and comprehensive investigation to replicate and verify the reported vulnerability, using the information provided by the reporter.
- Remediate the Vulnerability: Take appropriate remedial measures, which may include patching software, modifying system configurations, or implementing compensatory controls to mitigate risk.
- Communicate Outcomes: Endeavor to keep the reporter reasonably informed of the progress and outcome of the investigation. Prior to any public disclosure of details regarding the vulnerability, ZNF will obtain the reporter’s explicit consent, provided such disclosure does not conflict with legal or regulatory obligations.
3. Dispute Resolution and Legal Considerations
Any disputes, claims, or controversies arising out of or relating to these security policies, including but not limited to issues regarding vulnerability reporting, shall be resolved exclusively by binding arbitration. The arbitration process, as well as any waiver of the right to pursue litigation, is governed by the arbitration provisions set forth in ZNF’s Terms of Use Policy (TOU). By participating in the vulnerability disclosure process, you expressly waive any right to seek or obtain any remedy through litigation in any forum.
4. General Provisions
a. Acknowledgment and Cooperation
ZNF gratefully acknowledges the efforts of security researchers and other responsible parties who report vulnerabilities in good faith. Your cooperation not only enhances the security of ZNF’s products and services but also contributes to the broader goal of protecting consumers. Please note that ZNF reserves the right to modify this policy at its sole discretion and without prior notice, provided that any material changes will be communicated in a timely manner.
b. Governing Law
These policies shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict-of-law provisions. Any legal action or proceeding arising out of or relating to these policies shall be subject to the exclusive jurisdiction of the state and federal courts located in Palm Beach, Florida, except as otherwise provided herein.
By reporting vulnerabilities or engaging with ZNF’s security program, you acknowledge that you have read, understood, and agreed to the terms and conditions set forth in this policy.
When you use our Site, Service, Service Providers, place an order, or contact us, you are acknowledging that you have read, understand, and agree to be bound by all of our Policies referenced and/or published on this site, collectively referred to as TOU, which includes our Terms of Use Policy, Privacy Policy, Legal Notice Disclaimer, Return Policy, Accessibility Statement, California Prop 65 Notice, Subscriptions, Shipping Policy, Cookie Policy, DMCA Compliance Statement, Mobile Terms of Service, Content Policy, Advertising & Analytics Policy, Information & Security Policy, Product Reviews Policy, Bot & Crawler Policy, GDPR Statement, CCPA Opt-out. Any disagreements must be settled with binding arbitration.