Security

Last Updated: November 1, 2025

Pre-Launch Status: Enscribe is currently in development. This page outlines our planned security practices for when our service launches in Q2 2026. Security is a foundational priority in our architecture and operations.

1. Our Security Commitment

Security is not an afterthought at Enscribe—it's built into every layer of our architecture. We are building a platform that handles sensitive data for regulated industries, and we take that responsibility seriously.

2. Data Encryption

2.1 Encryption in Transit

TLS 1.3+ for all data transmission
HSTS (HTTP Strict Transport Security) enforced
Certificate pinning for critical communications
No support for weak ciphers or deprecated protocols

2.2 Encryption at Rest

AES-256 encryption for all stored data
Encrypted backups with separate key management
Database-level encryption for sensitive fields
Encrypted vector storage for embeddings

3. Authentication and Access Control

3.1 User Authentication

Strong password requirements (entropy-based, not just rules)
Bcrypt/Argon2 password hashing with high work factors
Multi-factor authentication (MFA) support
Session management with secure, HttpOnly cookies
Automatic session expiration

3.2 API Authentication

API keys with fine-grained permissions
Short-lived access tokens (JWT) with refresh mechanism
Rate limiting per API key
IP allowlisting for sensitive operations

3.3 Enterprise Features

Single Sign-On (SSO) via SAML 2.0 and OAuth 2.0
SCIM for user provisioning
Role-based access control (RBAC)
Audit logs for all access and changes

4. Infrastructure Security

4.1 Cloud Infrastructure

AWS-based infrastructure with SOC 2 Type II compliance
Virtual Private Cloud (VPC) isolation
Private subnets for data storage
Network segmentation and firewall rules
DDoS protection via AWS Shield

4.2 Application Security

Written in Rust for memory safety
Regular dependency scanning and updates
Static analysis and linting in CI/CD
Web Application Firewall (WAF) protection
CSRF, XSS, and injection attack prevention

5. Data Isolation and Multi-Tenancy

Strict tenant isolation: Your data is never mixed with other customers' data
Row-level security: Database queries enforce tenant boundaries
Separate encryption keys: Per-customer key isolation
Dedicated resources: Enterprise customers can request dedicated infrastructure

6. Monitoring and Incident Response

6.1 Security Monitoring

24/7 automated threat detection
Intrusion detection and prevention systems (IDS/IPS)
Anomaly detection for unusual access patterns
Centralized logging and SIEM integration

6.2 Incident Response

Documented incident response plan
Security incident notification within 72 hours (GDPR compliant)
Regular security drills and tabletop exercises
Post-incident reviews and remediation tracking

7. Compliance and Certifications

7.1 Planned Certifications (Roadmap)

SOC 2 Type II (Q4 2026 target)
ISO 27001 (2027 target for enterprise customers)
HIPAA compliance (for healthcare customers, 2027)

7.2 Current Compliance Efforts

GDPR: Privacy by design, data minimization, right to deletion
CCPA: Transparency and user control over data
Security best practices: OWASP Top 10, NIST framework alignment

8. Secure Development Lifecycle

Security requirements in design phase
Threat modeling for new features
Peer code review with security focus
Automated security testing in CI/CD
Pre-deployment security checklist
Regular penetration testing (planned quarterly)

9. Third-Party Security

9.1 Vendor Security

We carefully vet all third-party services:

AWS (infrastructure): SOC 2, ISO 27001, extensive compliance
Stripe (payments): PCI DSS Level 1 certified
Minimal third-party dependencies to reduce attack surface

9.2 No Data Sharing

We do not share your data with analytics companies
We do not use your content to train models
We do not sell or lease your data

10. Employee Access and Training

Background checks for employees with data access
Least-privilege access principle
Regular security awareness training
Secure development training for engineers
Access reviews and revocation procedures

11. Business Continuity

11.1 Backups

Automated daily backups with encryption
Geo-redundant backup storage
Regular backup restoration testing
Point-in-time recovery capability

11.2 Disaster Recovery

Multi-region architecture (future)
Documented disaster recovery procedures
RTO and RPO targets defined per tier
Regular DR drills

12. Responsible Disclosure

We welcome security researchers and have a responsible disclosure program:

Report a Security Vulnerability

If you discover a security issue, please report it to:

Email: security@enscribe.io (will be active upon launch)

Pre-launch inquiries: inquire@enscribe.io (active now)

We commit to:

Acknowledge receipt within 24 hours
Provide initial assessment within 72 hours
Keep you informed of remediation progress
Credit researchers (if desired) upon fix deployment

Please do not:

Publicly disclose the vulnerability before we've had a chance to fix it
Access or modify data that doesn't belong to you
Perform any attacks that could harm our service or users

13. Security Roadmap

Q2 2026: Launch with baseline security controls, MFA, audit logging
Q3 2026: SOC 2 Type I audit, penetration testing, bug bounty program
Q4 2026: SOC 2 Type II, advanced threat detection, security dashboards
2027: ISO 27001, HIPAA compliance, dedicated security team

14. Questions?

For security-related questions or to report a vulnerability:

Pre-launch inquiries: inquire@enscribe.io (active now)
Security issues: security@enscribe.io (will be active upon launch)
General questions: See our Privacy Policy

Location: God's Green Earth

Transparency Commitment: We believe security through transparency. As we build Enscribe, we will publish detailed security documentation, architecture diagrams, and compliance reports. Security is a journey, not a destination, and we're committed to continuous improvement.