Security at Enrevia Connect
Built for teams that take security seriously. Encryption, identity, isolation, backups, disclosure — what we actually do, written plainly.
Last reviewed · 2026-05-27
Standards & attestations
| Standard | Status |
|---|---|
| SOC 2 Type II | Audit in progress |
| GDPR | Ready |
| CCPA | Ready |
| PCI-DSS | via Stripe (Level 1) |
| HIPAA | Not in scope |
Honest snapshot. We mark in-progress work as such — no theater.
Eight things your security team will ask about.
We answered them up front so the call is shorter. Need a SIG Lite or CAIQ-Lite filled in? Email security@enrevia-connect.com.
Encryption in transit + at rest
TLS 1.3 everywhere. AES-256-GCM at rest via per-record encryption keys. Disk-level EBS encryption layered on top. Passwords hashed with bcrypt (cost 12).
TLS 1.3 · AES-256-GCM
SSO / SAML 2.0
Bring your own IdP — Okta, Azure AD, Google Workspace, OneLogin. SCIM 2.0 provisioning means user lifecycle stays in your directory.
Okta · Azure AD · Google · OneLogin
Audit logs
Every meaningful event captured — sign-ins, role changes, integrations connected, exports, billing actions — and exportable as CSV. 90-day retention by default.
CSV export · 90-day retention
Multi-tenant isolation
Row-level isolation via agencyId on every query, enforced at the ORM layer — not just the UI. Cross-tenant access is mathematically impossible, not just policy-impossible.
Row-level · ORM-enforced
Backups + DR
Daily encrypted Postgres snapshots to S3, retained 30 days with object versioning. Recovery targets: RPO 24h, RTO 4h. Quarterly restore-drill program rolls out alongside our SOC 2 prep.
RPO 24h · RTO 4h target
Penetration testing
Annual third-party pentest is on the roadmap as part of our SOC 2 work. Once the first engagement completes, the executive summary will be available on request under NDA.
Planned 2026
Sub-processors
A short, deliberate list — AWS for hosting, Stripe for payments, Anthropic for AI generation, AWS SES for email delivery. 30-day notice before adding new ones.
AWS · Stripe · Anthropic · SES
Responsible disclosure
security@enrevia-connect.com is monitored by the engineering team. 90-day disclosure window. Acknowledged-reporters hall of fame for researchers who share with us first.
90-day window
A short, deliberate list.
We add sub-processors reluctantly. Each one is on the critical path for a specific capability — and we tell you 30 days before adding one.
| Vendor | Purpose | Region | Attestations |
|---|---|---|---|
| Amazon Web Services | Hosting, Postgres, S3, email (SES) | United States (us-east-1) | SOC 2 · ISO 27001 |
| Stripe, Inc. | Payment processing | United States | PCI-DSS Level 1 |
| Anthropic, PBC | AI content generation (Claude) | United States | SOC 2 |
| AWS SES | Transactional + marketing email delivery | United States | Sub-component of AWS |
Reflected in our Data Processing Agreement. Subscribe to change notifications.
Found a vulnerability?
Email security@enrevia-connect.com with details and a proof of concept. We acknowledge inside 2 business days, fix in good faith, and credit researchers publicly with their permission. 90-day disclosure window.
Encrypted-mail support is rolling out with our SOC 2 prep.
Documents your legal team will ask for.
Talk to us.
We answer fast.
Send your SIG Lite, CAIQ, or open questions. We respond within 1 business day with the right documents attached.