Contact
Security

Security-first by architecture.

Enscrive is built with memory-safe systems, defense-in-depth isolation between tenants, and encryption at every layer. Security is not bolted on — it is the foundation.

Our security commitment

Security is built into every layer of Enscrive's architecture. We handle embedding data for AI-powered applications and we take that responsibility seriously. Memory-safe backend services, zero garbage collection pauses, and compile-time safety guarantees from the ground up.

Data protection

  • Credential encryption: API keys and provider credentials encrypted with AES-256-GCM
  • Database connections: PostgreSQL connections secured with SSL (Neon.tech managed)
  • Password hashing: Bcrypt/Argon2 with high work factors
  • Secrets management: Enscrive Secrets Manager (ESM) — no external secrets services

Authentication & access control

  • Strong password requirements (entropy-based validation)
  • OIDC-based Single Sign-On via Keycloak
  • API keys with tenant scoping and environment binding
  • HMAC-SHA256 service-to-service authentication
  • Per-tenant, per-category rate limiting
  • Role-based access control (RBAC) with 5 defined roles
  • Session management with secure, HttpOnly cookies

Infrastructure

  • Memory safety: All backend services are memory-safe with zero garbage collection overhead
  • Hosting: AWS — our infrastructure is architected and operated to SOC 2 and ISO 27001-aligned security standards (see Compliance roadmap below)
  • SQL injection prevention: Parameterized queries throughout
  • Internal transport: gRPC with binary protobuf between services (no REST internally)
  • Automated backups: Daily, with tenant isolation, stored durably in S3 within the deployment region

Service architecture

Only one service is exposed to the internet. All internal communication happens over gRPC in private subnets with no public accessibility.

Internet (HTTPS)
  → Public API tier (public subnet)
    → Internal service tier (private subnet, gRPC only)
      → Vector store (private, never internet-exposed)

Tenant isolation

  • Tenant ID validation: Every API request validated against tenant boundaries
  • Application-level filtering: All database queries filter by tenant_id
  • Environment scoping: API keys bound to a single environment — dev keys cannot access production data
  • Backup isolation: S3 paths validated to prevent cross-tenant access

Region & data residency

Region Location AWS Region Status
US Ohio us-east-2 Live today

Every tenant — including Enterprise — is pinned to this single region by default. A dedicated Enterprise instance in a different region is available by arrangement, with your explicit sign-off on the cross-regional data-residency terms; it is never a silent default or an automatic multi-region deployment.

Monitoring & incident response

  • Full request logging with observability gateway (enscrive-observe)
  • Rate limit monitoring and abuse detection
  • Request logging with SHA256-hashed identifiers
  • Error tracking and latency monitoring
  • Security incident notification: 72 hours (GDPR Article 33 aligned)

No data sharing

Your data stays yours. We do not share your data with analytics companies. We do not use your content to train models. We do not sell or lease your data.

Compliance roadmap

We design and develop to SOC 2 and other industry security standards today. We have not yet undergone the formal third-party audit for any certification — the items below describe controls we build to, not credentials we hold.

  • GDPR alignment: Privacy by design, data minimization, deletion workflows
  • CCPA alignment: Transparency and user control principles
  • SOC 2 Type II: Designed and developed to SOC2-aligned controls; formal audit on roadmap for enterprise customers
  • ISO 27001: Designed and developed to ISO 27001-aligned controls; formal audit on roadmap
  • OWASP Top 10: Building toward full alignment

Secure development

  • Security requirements in design phase
  • Threat modeling for new features
  • Peer code review with security focus
  • Comprehensive unit and integration test coverage
  • End-to-end Playwright test suite
  • Automated security testing in CI/CD

Responsible disclosure

We welcome security researchers. If you discover a security issue, please report it to support@enscrive.io.

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide initial assessment within 72 hours
  • Keep you informed of remediation progress
  • Credit researchers (if desired) upon fix deployment

Please do not publicly disclose vulnerabilities before we have had a chance to address them, and do not access or modify data belonging to other users.