Security

How Encor is secured.

Hosting, isolation, encryption, AI handling, and the things we haven't done yet — written plainly because you're using Encor to evaluate other people's AI systems, and you should be able to evaluate ours too.

Last updated May 5, 2026

Hosting + tenancy

  • App. AWS Amplify Hosting in us-east-2 (Ohio). Server-side rendering on AWS Lambda. No long-running app servers; per-request execution only.
  • Database + auth + storage. Supabase project in us-east-1 (N. Virginia). PostgreSQL 15 with row-level security; auth via GoTrue; file storage via Supabase Storage. EU customers should note that data residency in eu-west-* is on the roadmap but not yet provisioned.
  • Tenant isolation. Every workspace table has an org_id column with an RLS policy gating select/insert/update/delete to members of that org. Cross-tenant reads and writes are impossible at the database layer even if the application layer leaks a query path.
  • Activity log. All register mutations (create / update / delete) are recorded in an append-only activity_log table, org-scoped, written via the service-role admin client so the log cannot be silently bypassed by application code.
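The org-scoped RLS and append-only log described in the two bullets above, as an added example for Supabase Postgres 15 (this is illustrative SQL, not Encor's own schema). org_id and activity_log come from the page; org_members, risks, the column sets and the helper functions are assumptions, and auth.uid() is Supabase's helper that returns the caller's user id from the verified JWT.

```sql
-- Added illustration, not Encor's schema: org-scoped RLS on Supabase Postgres 15.
-- org_id and activity_log come from the page; other names are assumptions.
-- Membership table the policies consult. auth.uid() is Supabase's helper
-- returning the caller's user id from the verified JWT.
create table if not exists org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);
-- Shared predicate: is the caller a member of this org? security definer so it
-- still works if org_members is itself locked down by RLS.
create or replace function is_org_member(p_org uuid)
returns boolean language sql stable security definer as $$
  select exists (select 1 from org_members
                 where org_id = p_org and user_id = auth.uid());
$$;
-- Example register table (name assumed); every workspace table carries org_id.
create table if not exists risks (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);
alter table risks enable row level security;
-- One policy per command: USING filters rows you may see/touch,
-- WITH CHECK constrains rows you may write (blocks moving a row to another org).
create policy risks_select on risks for select to authenticated using (is_org_member(org_id));
create policy risks_insert on risks for insert to authenticated with check (is_org_member(org_id));
create policy risks_update on risks for update to authenticated
  using (is_org_member(org_id)) with check (is_org_member(org_id));
create policy risks_delete on risks for delete to authenticated using (is_org_member(org_id));
-- Append-only activity log: app clients may only read their org's rows. There is
-- no insert/update/delete policy for them; writes come from the service_role
-- client, which bypasses RLS.
create table if not exists activity_log (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  actor_id   uuid,
  action     text not null check (action in ('create', 'update', 'delete')),
  record_id  uuid,
  created_at timestamptz not null default now()
);
alter table activity_log enable row level security;
create policy activity_log_select on activity_log for select to authenticated using (is_org_member(org_id));
revoke update, delete on activity_log from authenticated, anon;
-- Defence in depth: service_role bypasses RLS but not triggers, so no client can rewrite history.
create or replace function reject_log_mutation() returns trigger language plpgsql as $$
begin raise exception 'activity_log is append-only'; end $$;
create trigger activity_log_append_only
  before update or delete on activity_log for each row execute function reject_log_mutation();
```

The trigger is the part worth checking in a review of any such setup: RLS alone does not bind the service-role client, so an append-only guarantee needs an enforcement point that the service role cannot bypass.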

Authentication

  • Email + password. Supabase Auth manages accounts. Passwords are bcrypt-hashed with per-user salts; raw passwords never leave the browser-to-Supabase TLS channel.
  • Sessions. Short-lived JWTs (~1 hour) with rotating refresh tokens, set as HttpOnly cookies. Sessions invalidated on sign-out.
  • SSO / SAML. Not yet supported. Enterprise procurement orgs that require SSO should contact us before signing.
  • MFA. Not yet supported. Roadmap: TOTP-based 2FA via Supabase Auth, then WebAuthn.

Encryption

  • In transit. TLS 1.2+ to the app (CloudFront/AWS), to Supabase, and to the LLM provider. HSTS enforced on the marketing domain.
  • At rest. AES-256 on Supabase Postgres and Supabase Storage (managed by Supabase / their cloud provider). The activity log, every register, and every uploaded file are encrypted at rest as a side effect of standard Supabase encryption.
  • Field-level encryption. Not yet implemented. If your AIMS captures field-level sensitive data (e.g. names of subjects in incident descriptions), you should redact before entering.

How AI is used

AI features (draft AI policy, draft risks, generate Stage 2 playbook, draft SoA justifications, explain questions, suggest jurisdictions) call OpenRouter, which proxies to Anthropic Claude Haiku 4.5 by default. Privacy-relevant points:

  • Your assessment data and onboarding inputs are sent to the LLM as prompt context for these features.
  • OpenRouter and Anthropic do not retain prompts for model training under their default API tier (per Anthropic's API terms as of writing).
  • LLM features are gated behind your authenticated workspace; no anonymous calls are possible.
  • AI features are opt-in — every Encor flow can be completed manually. If you don't want LLM calls, don't click the "Draft with AI" buttons.

Backups + recovery

  • Automated backups. Supabase performs daily backups of the Postgres database, retained 7-30 days depending on plan tier. Point-in-time recovery available on paid Supabase tiers.
  • Disaster recovery. Documented but not yet tested at the org level. We commit to annual DR test cadence as we scale.
  • Data export. Use the audit-kit download from /documents to export your AIMS artifacts. Per-record print is available on every Stage 2 register row. SQL-level export on request via support@encorsys.com.

Compliance posture

Encor is a young product. Here's the honest state of certifications:

  • SOC 2. Not yet started. On the roadmap once we cross initial paid-customer threshold.
  • ISO 27001. Not yet started.
  • GDPR. The product is built to be GDPR-friendly: tenant isolation, data export, documented retention, no third-party tracking on the marketing site. We are not yet a registered data controller in the EU; EU customers should contact us before signing.
  • HIPAA / FedRAMP / IL-x. No. Encor is not appropriate for healthcare PHI or US federal workloads.

Vulnerability + incident response

  • Reporting. Email security@encorsys.com. PGP key available on request.
  • Severity triage. We aim to acknowledge within 1 business day, scope within 5 business days, and disclose within 90 days of fix.
  • Customer notification. If a security incident affects your data, we will notify you by email within 72 hours of confirming impact, with scope, mitigation, and required actions.
  • Bug bounty. No formal program yet. Coordinated disclosure welcome via the email above.

What we don't have yet

In the spirit of evaluating tools the way you evaluate AI systems with this product:

  • SOC 2 Type I / Type II.
  • SAML / SSO / SCIM provisioning.
  • MFA on user accounts.
  • Customer-managed keys (BYOK).
  • Field-level encryption for sensitive columns.
  • Formal SLA / uptime guarantees.
  • EU data residency.
  • External penetration test.
  • Bug bounty program.
  • Dedicated tenant deployment.

These items are tracked publicly. If any of them is blocking for your org, tell us — we will not BS you about timelines.

Contact