Pilot program

Six-week guided deployment of Zoza Vault alongside your existing tokenization stack. Fixed scope. Explicit exit criteria. Auditor-friendly deliverables.

What's in scope

The pilot is deliberately narrow. We pick one form (or a small cluster of fields in one product) and migrate it end-to-end, not a whole architecture. That keeps the timeline honest and the deliverables testable.

In scope

• One form, one customer origin. Typical examples: a patient-intake form, a payment checkout, a KYC capture flow, a bank-transfer authorisation.
• Up to 8 encrypted fields per form. More than 8 rarely justifies the pre-TLS primitive — the attack surface is usually concentrated on a few PII-heavy inputs.
• Integration with your existing stack. Vault runs alongside whatever tokenization vendor you already have — we do not demand you rip them out.
• All three v0.3 primitives: iframe isolation on by default, optional zero-knowledge mode, published benchmarks run from your region.
• One audit deliverable. Pick one: threat-model document, SOC 2 / HIPAA / PCI evidence package, or a ProVerif run report for your audit committee.
• Direct support channel. Private Slack / Signal / email thread with the Zoza security team, monitored during your timezone's business hours.

Explicitly out of scope

• Multi-tenant architecture changes. If your product has tenant isolation problems, that's a different engagement.
• HSM procurement. We help you wire an HSM you already own (SoftHSM / CloudHSM / YubiHSM / Azure HSM). We don't sell or resell hardware.
• Competitor migration. We won't rewrite your tokenization logic off Basis Theory / Skyflow / VGS; we run alongside them.
• Custom cryptography. The protocol is documented in the ProVerif model — we won't fork it for one customer.
• Legal / contractual advisory. We provide a standard DPA; BAAs and custom MSAs require your counsel and our executive sponsor.

Six-week timeline

Week	Deliverable	Your time
0	Pre-pilot scoping call (60 min). Pick the form, pick the fields, pick the audit deliverable. Sign the DPA.	1h
1	Sandbox integration. Vault API key issued. Iframe SDK wired into a staging copy of your form. Round-trip smoke test.	4h eng
2	Framework-native wrapper swap (React / Vue / Svelte) or vanilla JS bridge, depending on your stack. Load-test from your production region.	4h eng
3	Server-side decrypt path wired into your existing backend. Key-rotation run-through. Zero-knowledge mode evaluation if in scope.	4h eng
4	Competitor benchmark run from your region (our harness, your API keys) — numbers published in your private pilot doc.	2h eng + 1h review
5	Audit deliverable. Threat model / evidence package / ProVerif report. Our security team co-authors; your audit committee reviews.	4h review
6	Go/no-go decision. Production cutover plan OR clean exit (keys revoked, data deleted, account closed).	2h

Total customer engineering time: ~20-25 hours over 6 weeks. We've kept it small because the pilot's success criterion is that your existing team can run Vault in production, not that we can.

Exit criteria

The pilot ends in one of three states. Every state is documented in writing; no soft outcomes.

• Go — production rollout. The pilot form passes your acceptance checklist (latency, throughput, audit evidence). We move to a standard Enterprise contract; the pilot API key converts to production.
• No-go — not a fit. Vault covers a threat model your stack doesn't need, or the integration cost exceeds the risk reduction. We write up the honest reason, revoke your pilot API key, delete your pilot data (7 business days), and part as friends.
• Extension. You want another 4 weeks to run the pilot in production shadow-mode before committing. We extend at cost (no new invoice). One extension max; after that it's go or no-go.

Pricing

What Zoza commits to during the pilot

• 72-hour response SLA on issues you file into the shared channel, business hours your timezone.
• No silent shipping of protocol changes. If the wire format or the iframe surface changes, we notify you 14 days ahead; nothing ships during a pilot that would break your integration.
• Data deletion on no-go within 7 business days — ciphertext, app metadata, application queue entries, access logs older than 30 days. Warrant-canary audit log entries persist (they're append-only by design); they reference your app_id only, not PII.
• Benchmark reproducibility. Every latency number we quote to you is reproducible with the harness in products/zoza-vault/benchmarks-vs-competitors/ — we'll run it for you from your region, you can re-run it any time.
• No surprise upsells. The pricing above is what you pay; no setup fees, no per-field surcharges, no per-region multipliers.

How to start

Email hello@zoza.world with:

1. Your company name + industry.
2. The one form / field cluster you'd pilot. 1-2 sentences.
3. Your current tokenization stack (if any).
4. The threat model that has you looking. MageCart? CDN-layer breach? HIPAA BAA? SOC 2 evidence? PCI scope reduction?
5. Preferred plan tier from the pricing section above.

We respond within one business day with either a pre-pilot scoping call booking or a pass note (we don't pilot with teams where the fit isn't obvious, to keep the pilot queue short).

Alternative path: submit the full apply-for-key form with volume_tier = 10k-100k or higher and "Pilot program interest" in the use_case_details; our admin team routes it automatically.

FAQ

Why is the pilot free? What's the catch?

No catch. We are trading short-term pilot revenue for the right to talk about your deployment when pitching the next customer (under the case-study terms agreed in advance, with your approval on every published word). What you get during the 6-week window is the same access a paid pilot would have had — dedicated security engineer, benchmark from your region, threat-model doc, HIPAA / PCI evidence package depending on tier. Long-term pricing will be negotiated later, based on what your real usage turns out to look like, and only if you tell us the product is worth paying for.

Can we run the pilot in parallel with our existing vendor?

Yes, and we recommend it. Dual-write (sealed payload + existing tokenized payload) for the pilot window gives you a clean A/B comparison and a zero-risk rollback if you choose no-go. The iframe SDK coexists peacefully with Stripe Elements / Basis Theory Elements / VGS Collect.

Do you offer shorter pilots for small teams?

We've tried three-week pilots and they collapse into the second week because benchmarking + audit deliverables can't compress. Six weeks is the floor that still delivers a real outcome.

What if we need HSM-backed keys in the pilot?

Regulated tier includes wiring walkthrough for SoftHSM (dev / staging) or one production HSM you already own (AWS CloudHSM, YubiHSM, Azure HSM). Hardware procurement is not included; see keystore README for the supported provider matrix.

Can we request a security audit of Vault itself during the pilot?

You can run the ProVerif model (products/zoza-vault/formal-model/vault.pv), the Go test suite, the competitor benchmark harness, and your own pentest inside the pilot scope as explicit engagement. The bug bounty at vault-bounty remains in force for anything in-scope.

What happens to our data after no-go?

See the data retention policy. 7 business days for production data; audit-chain entries referencing your app_id persist indefinitely (they contain no PII).

Start a pilot Apply via self-serve form Back to Vault

Last updated 2026-04-17. © 2026 Zoza. Source code copyright LD-16949/2026-CO.