Our security commitment
Security is built into every layer of Enscribe's architecture. We handle embedding data for
AI-powered applications and we take that responsibility seriously. Memory-safe backend services,
zero garbage collection pauses, and compile-time safety guarantees from the ground up.
Data protection
- Credential encryption: API keys and provider credentials encrypted with AES-256-GCM
- Database connections: PostgreSQL connections secured with SSL (Neon.tech managed)
- Password hashing: Bcrypt/Argon2 with high work factors
- Secrets management: Enscribe Secrets Manager (ESM) — no external secrets services
Authentication & access control
- Strong password requirements (entropy-based validation)
- OIDC-based Single Sign-On via Keycloak
- API keys with tenant scoping and environment binding
- HMAC-SHA256 service-to-service authentication
- Per-tenant, per-category rate limiting
- Role-based access control (RBAC) with 5 defined roles
- Session management with secure, HttpOnly cookies
Infrastructure
- Memory safety: All backend services are memory-safe with zero garbage collection overhead
- Hosting: AWS (SOC 2 Type II, ISO 27001 certified infrastructure)
- SQL injection prevention: Parameterized queries throughout
- Internal transport: gRPC with binary protobuf between services (no REST internally)
- Automated backups: Daily with tenant isolation and geo-redundant storage
Service architecture
Only one service is exposed to the internet. All internal communication happens over gRPC
in private subnets with no public accessibility.
Internet (HTTPS/443)
→ enscribe-developer (public subnet, port 3000)
→ enscribe-observe (private subnet, gRPC 9090)
→ enscribe-embed (private subnet, gRPC 50052)
→ Qdrant (localhost on embed instance)
Tenant isolation
- Tenant ID validation: Every API request validated against tenant boundaries
- Application-level filtering: All database queries filter by tenant_id
- Environment scoping: API keys bound to a single environment — dev keys cannot access production data
- Backup isolation: S3 paths validated to prevent cross-tenant access
Multi-region deployment
| Region | Location | AWS Region |
| US | Ohio | us-east-2 |
| EU | Frankfurt | eu-central-1 |
| Asia-Pacific | Singapore | ap-southeast-1 |
Data residency controls available per deployment. Region pinning and private networking available for enterprise.
Monitoring & incident response
- Full request logging with observability gateway (enscribe-observe)
- Rate limit monitoring and abuse detection
- Request logging with SHA256-hashed identifiers
- Error tracking and latency monitoring
- Security incident notification: 72 hours (GDPR Article 33 aligned)
No data sharing
Your data stays yours. We do not share your data with analytics companies.
We do not use your content to train models. We do not sell or lease your data.
Compliance roadmap
- GDPR alignment: Privacy by design, data minimization, deletion workflows
- CCPA alignment: Transparency and user control principles
- SOC 2 Type II: On roadmap for enterprise customers
- ISO 27001: On roadmap
- OWASP Top 10: Building toward full compliance
Secure development
- Security requirements in design phase
- Threat modeling for new features
- Peer code review with security focus
- Comprehensive unit and integration test coverage
- End-to-end Playwright test suite
- Automated security testing in CI/CD
Responsible disclosure
We welcome security researchers. If you discover a security issue, please report it to
security@enscribe.io.
We commit to:
- Acknowledge receipt within 24 hours
- Provide initial assessment within 72 hours
- Keep you informed of remediation progress
- Credit researchers (if desired) upon fix deployment
Please do not publicly disclose vulnerabilities before we have had a chance to address them,
and do not access or modify data belonging to other users.
Contact