Data Security

1. Our Security Commitment

At EnrichlyAI, security is not an afterthought—it's the foundation of everything we build. We understand that you trust us with sensitive business data, and we take that responsibility seriously.

Our multi-layered security approach includes:

• Defense in Depth: Multiple overlapping security controls at every layer
• Zero Trust Architecture: Never trust, always verify—every access request is authenticated and authorized
• Continuous Monitoring: 24/7/365 security operations center monitoring all systems
• Proactive Testing: Regular penetration testing, vulnerability assessments, and security audits
• Rapid Response: Dedicated incident response team ready to act within minutes
• Transparency: Clear communication about our security practices and any incidents

We recognize that security is a shared responsibility. This page provides comprehensive information about our security measures and guidance on how you can protect your account and data.

2. Data Encryption

We use military-grade encryption to protect your data both in transit and at rest, ensuring that your sensitive business information remains confidential and secure.

2.1 Encryption in Transit

All data transmitted between your device and our servers is protected using:

• TLS 1.3: Latest Transport Layer Security protocol with perfect forward secrecy
• 256-bit AES Encryption: Industry-standard encryption for all data in motion
• Certificate Pinning: Prevents man-in-the-middle attacks by validating server certificates
• HSTS (HTTP Strict Transport Security): Enforces secure connections at the browser level
• Secure WebSocket Connections: Real-time data streams encrypted end-to-end

2.2 Encryption at Rest

All data stored in our systems is encrypted using:

• AES-256 Encryption: All database records, file storage, and backups are encrypted
• Google Cloud KMS: Enterprise key management system for encryption keys
• Envelope Encryption: Data encryption keys are themselves encrypted with master keys
• Key Rotation: Automatic rotation of encryption keys every 90 days
• Separate Key Storage: Encryption keys stored separately from encrypted data

2.3 Application-Level Encryption

Beyond infrastructure encryption, we implement additional protection:

• Field-Level Encryption: Sensitive fields (payment info, API keys) encrypted separately
• Encrypted Backups: All backup files encrypted before storage
• Encrypted Logs: Sensitive information in logs is redacted or encrypted
• Secure Password Hashing: Passwords hashed using bcrypt with salt (cost factor 12)

3. Infrastructure Security

EnrichlyAI's infrastructure is built on Google Cloud Platform (GCP), leveraging world-class security controls and best practices.

3.1 Google Cloud Platform Security

We benefit from Google's comprehensive security infrastructure:

• Physical Security: Data centers with biometric access controls, 24/7 surveillance, and armed security
• Hardware Security: Custom-designed servers with hardware security modules (HSMs)
• Network Security: Google's private fiber network with advanced DDoS protection
• Security Certifications: GCP holds ISO 27001, SOC 2/3, PCI DSS, and many other certifications
• Geographic Redundancy: Data replicated across multiple availability zones

3.2 Network Security

Our network architecture implements defense in depth:

3.3 Application Security

Our application architecture follows security best practices:

• Containerization: Applications run in isolated Docker containers with minimal privileges
• Kubernetes Security: Pod security policies, network policies, and RBAC enforcement
• Immutable Infrastructure: Servers never patched—always rebuilt from secure base images
• Security Scanning: All container images scanned for vulnerabilities before deployment
• Service Mesh: Istio service mesh provides automatic mTLS between microservices
• API Security: Rate limiting, input validation, and JWT-based authentication

3.4 Database Security

• Cloud SQL with Private IP: Databases not accessible from public internet
• Automated Backups: Daily encrypted backups with point-in-time recovery
• Read Replicas: Separate read replicas for analytics to protect production data
• SQL Injection Prevention: Parameterized queries and ORM-based data access
• Database Auditing: All queries logged and monitored for suspicious activity

4. Access Controls and Authentication

We implement strict access controls to ensure only authorized individuals can access systems and data.

4.1 User Authentication

• Multi-Factor Authentication (MFA): Available for all users, required for enterprise accounts
• Strong Password Requirements: Minimum 12 characters, complexity requirements enforced
• Password Hashing: Bcrypt with per-user salts and high cost factor
• Session Management: Secure session tokens, automatic timeout after inactivity
• OAuth 2.0 / SSO: Enterprise single sign-on integration with major providers
• Device Fingerprinting: Detect and alert on logins from new devices
• Geographic Restrictions: Optional geo-blocking for enhanced security

4.2 Role-Based Access Control (RBAC)

Fine-grained permissions control what users can access:

Role	Permissions	Use Case
Admin	Full account access, user management, billing	Account owners and administrators
Manager	Create/edit searches, export data, view reports	Team leads and project managers
Member	View searches, limited export capabilities	Standard team members
Viewer	Read-only access to shared searches	Stakeholders and reviewers

4.3 Employee Access Controls

Strict controls govern employee access to customer data:

• Principle of Least Privilege: Employees only access systems necessary for their role
• Just-In-Time Access: Temporary elevated privileges expire automatically
• Access Requests: All privileged access requires approval and audit trail
• Background Checks: All employees undergo background verification
• Confidentiality Agreements: NDAs signed by all employees and contractors
• Access Audits: Quarterly reviews of all employee access permissions
• Immediate Revocation: Access terminated within minutes of employee departure

4.4 API Security

• API Key Management: Unique API keys per integration, easy rotation
• Scoped Permissions: API keys can be restricted to specific operations
• Rate Limiting: Protect against abuse with configurable rate limits
• IP Whitelisting: Restrict API access to approved IP addresses
• Webhook Verification: HMAC signatures verify webhook authenticity

5. Security Monitoring and Incident Response

Our Security Operations Center (SOC) maintains constant vigilance over our systems and data.

5.1 Security Monitoring

• 24/7/365 Monitoring: Round-the-clock security team monitoring all systems
• SIEM (Security Information and Event Management): Centralized logging and correlation
• Real-Time Alerting: Automated alerts for suspicious activity trigger immediate investigation
• Anomaly Detection: Machine learning identifies unusual patterns and behaviors
• Threat Intelligence: Integration with threat feeds to block known malicious actors
• User Behavior Analytics: Detect compromised accounts through behavioral analysis
• Infrastructure Monitoring: System health, performance, and security metrics tracked

5.2 Incident Response

We maintain a comprehensive incident response program:

Our incident response process:

1. Detection: Automated systems and manual reviews identify potential incidents
2. Triage: Incident severity assessed and response team assembled
3. Containment: Affected systems isolated to prevent spread
4. Investigation: Root cause analysis and scope determination
5. Remediation: Threat eliminated and systems restored
6. Communication: Affected customers notified per legal requirements
7. Post-Mortem: Lessons learned and improvements implemented

5.3 Incident Communication

We commit to transparent communication:

• Timely Notification: Customers notified within 72 hours of confirmed data breach
• Status Page: Real-time status updates at status.enrichly.ai
• Direct Communication: Email and in-app notifications for affected users
• Post-Incident Reports: Detailed reports shared with affected customers
• Regulatory Compliance: All legally required notifications submitted on time

5.4 Logging and Auditing

• Comprehensive Logging: All access, changes, and administrative actions logged
• Immutable Audit Logs: Logs cannot be modified or deleted, stored for 1 year
• Regular Audits: Quarterly security audits and log reviews
• Compliance Reporting: Audit logs available for compliance verification

6. Compliance and Certifications

EnrichlyAI maintains rigorous compliance with industry standards and regulations to protect your data and meet legal requirements.

6.1 SOC 2 Type II Certification

We have successfully completed SOC 2 Type II audits, demonstrating our commitment to:

• Security: Systems protected against unauthorized access
• Availability: Systems available for operation and use as committed
• Confidentiality: Confidential information protected as committed
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
• Privacy: Personal information collected, used, retained, disclosed, and disposed of properly

SOC 2 reports available to enterprise customers under NDA upon request.

6.2 GDPR Compliance

For our European customers, we ensure full compliance with GDPR:

• Data Processing Agreements: DPAs available for all customers
• Right to Access: Easy access to all personal data we hold
• Right to Erasure: Complete data deletion within 30 days of request
• Data Portability: Export data in machine-readable formats
• Consent Management: Clear opt-in mechanisms for data processing
• Breach Notification: 72-hour notification requirement met
• Privacy by Design: Privacy considerations in all product development
• EU Data Residency: EU customer data stored in EU data centers

6.3 CCPA Compliance

California residents have specific rights under CCPA:

• Right to Know: Transparency about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of data sales (we don't sell data)
• Non-Discrimination: Equal service regardless of privacy choices
• Authorized Agents: Support for authorized agent requests

6.4 Industry-Specific Compliance

Additional compliance frameworks in progress:

• HIPAA: Healthcare data security for medical practice customers
• FERPA: Educational records protection for school customers
• FedRAMP: Federal government cloud security requirements

7. Third-Party Security

We carefully vet all third-party services and maintain strict security requirements for our vendors.

7.1 Vendor Security Assessment

All third-party vendors undergo rigorous security evaluation:

• Security Questionnaires: Comprehensive assessment of vendor security practices
• Compliance Verification: Require SOC 2, ISO 27001, or equivalent certifications
• Contract Requirements: Security obligations codified in vendor contracts
• Regular Reviews: Annual reassessment of all critical vendors
• Incident Response: Vendors must notify us of any security incidents

7.2 Third-Party Services We Use

Service	Purpose	Security Certification
Google Cloud Platform	Infrastructure and hosting	SOC 2, ISO 27001, PCI DSS
Google Places API	Business data enrichment	Google security standards
Stripe	Payment processing	PCI DSS Level 1, SOC 2
SendGrid	Transactional email	SOC 2 Type II
Auth0	Authentication services	SOC 2, ISO 27001, GDPR
Cloudflare	CDN and DDoS protection	SOC 2, ISO 27001

7.3 Subprocessor Management

• Subprocessor List: Complete list of data processors maintained and published
• Change Notification: 30-day notice before adding new subprocessors
• Objection Rights: Customers can object to new subprocessors
• Data Processing Agreements: DPAs in place with all subprocessors

7.4 API and Integration Security

For integrations and APIs we connect to:

• OAuth 2.0: Secure delegated access without sharing passwords
• Minimal Scopes: Request only necessary permissions
• Token Encryption: All access tokens encrypted at rest
• Automatic Expiration: Refresh tokens expire and require re-authentication

8. Data Backup and Recovery

We maintain comprehensive backup and disaster recovery procedures to ensure your data is never lost.

8.1 Backup Strategy

• Automated Daily Backups: Full database backups every 24 hours
• Incremental Backups: Continuous incremental backups every 6 hours
• Point-in-Time Recovery: Restore data to any point within last 30 days
• Geographic Redundancy: Backups replicated to 3 separate geographic regions
• Encrypted Backups: All backups encrypted with AES-256
• Backup Testing: Monthly restoration tests verify backup integrity
• Retention Policy: Daily backups retained for 30 days, monthly backups for 1 year

8.2 Disaster Recovery

Our disaster recovery plan ensures business continuity:

• Recovery Time Objective (RTO): 4 hours maximum downtime
• Recovery Point Objective (RPO): Maximum 1 hour of data loss
• Hot Standby Systems: Failover systems ready to activate immediately
• Automated Failover: Automatic switching to backup systems
• Annual DR Testing: Full disaster recovery exercises conducted yearly
• Documented Procedures: Detailed runbooks for all recovery scenarios

8.3 High Availability Architecture

• Multi-Zone Deployment: Services distributed across availability zones
• Load Balancing: Traffic distributed across multiple servers
• Auto-Scaling: Automatic capacity adjustment based on demand
• Database Replication: Real-time replication to standby databases
• 99.9% Uptime SLA: Guaranteed availability for enterprise customers

8.4 Data Retention and Deletion

• Active Data: Retained while account is active
• Account Deletion: Data deleted within 30 days of account closure
• Secure Deletion: Multi-pass data wiping for permanent deletion
• Backup Purging: Deleted data removed from backups within 90 days
• Legal Hold: Data preserved when legally required despite deletion requests

9. Vulnerability Management

We proactively identify and remediate security vulnerabilities through comprehensive testing and monitoring programs.

9.1 Security Testing

• Quarterly Penetration Testing: Independent security firms conduct full penetration tests
• Annual Red Team Exercises: Simulated attacks test our defenses
• Automated Vulnerability Scanning: Daily scans of all systems and applications
• Code Security Reviews: Manual security review of all code changes
• Static Analysis: Automated static code analysis in CI/CD pipeline
• Dynamic Analysis: Runtime security testing in staging environments
• Dependency Scanning: Automated scanning of third-party libraries

9.2 Vulnerability Remediation

Timely remediation based on severity:

Severity	Definition	Remediation Time
Critical	Remote code execution, data breach risk	24 hours
High	Authentication bypass, privilege escalation	7 days
Medium	Information disclosure, CSRF	30 days
Low	Minor information leakage	90 days

9.3 Security Development Lifecycle

Security integrated into every phase of development:

• Threat Modeling: Security threats identified during design phase
• Secure Coding Standards: OWASP guidelines followed by all developers
• Code Review: Peer review with security focus for all changes
• Security Testing: Automated security tests in CI/CD pipeline
• Staging Security Scans: Full security scan before production deployment
• Production Monitoring: Security monitoring in production environments

9.4 Patch Management

• Critical Patches: Applied within 24 hours of release
• Security Patches: Applied within 7 days of release
• Regular Updates: Monthly patching cycle for non-critical updates
• Zero-Downtime Deployments: Rolling updates without service interruption
• Rollback Capability: Quick rollback if patches cause issues

10. Employee Security Training

Our employees are our first line of defense. We invest heavily in security awareness and training.

10.1 Security Training Program

• New Hire Training: Comprehensive security training within first week
• Annual Refresher: Mandatory annual security training for all employees
• Phishing Simulations: Monthly simulated phishing tests
• Security Champions: Designated security advocates in each team
• Incident Response Training: Regular drills and tabletop exercises
• Secure Coding Training: Specialized training for engineering teams

10.2 Training Topics

• Password security and authentication best practices
• Phishing and social engineering recognition
• Data handling and classification procedures
• Incident reporting and response procedures
• GDPR, CCPA, and privacy law compliance
• Secure software development practices
• Physical security and device management
• Third-party risk management

10.3 Security Culture

Building a security-first culture:

• Security Awareness: Regular security tips and updates shared company-wide
• Incident Reporting: Easy, anonymous security incident reporting
• No-Blame Culture: Focus on learning from mistakes, not punishment
• Security Metrics: Track and celebrate security improvements
• Executive Commitment: CEO and executives visibly prioritize security

10.4 Vendor and Contractor Training

• All contractors complete security training before access granted
• Third-party developers trained on secure coding practices
• Support contractors trained on data handling procedures
• Regular re-certification for long-term contractors

11. Reporting Security Issues

We welcome reports from security researchers and users who discover potential vulnerabilities.

11.1 Responsible Disclosure Policy

We follow coordinated vulnerability disclosure:

• Initial Response: Acknowledge receipt within 24 hours
• Investigation: Confirm and assess vulnerability within 72 hours
• Remediation: Fix critical issues within 24 hours, others per severity
• Disclosure: Coordinated public disclosure after fix is deployed
• Credit: Public acknowledgment of researchers (if desired)

11.2 Bug Bounty Program

Bounty amounts based on severity and impact:

• Critical: $2,500 - $10,000
• High: $1,000 - $2,500
• Medium: $250 - $1,000
• Low: $100 - $250

11.3 Security Researcher Guidelines

We ask security researchers to:

• Make good faith effort to avoid privacy violations and data destruction
• Only test against your own accounts or with explicit permission
• Do not perform attacks that degrade our service (DoS, spam, etc.)
• Do not access or modify other users' data
• Allow us reasonable time to fix issues before public disclosure
• Do not exploit vulnerabilities beyond proof-of-concept

11.4 Safe Harbor

We will not pursue legal action against security researchers who:

• Follow our responsible disclosure policy
• Act in good faith to discover and report vulnerabilities
• Do not violate the guidelines above
• Do not access data beyond what's necessary to demonstrate the vulnerability

11.5 Scope

In scope for bug bounty:

• *.enrichly.ai domains and subdomains
• EnrichlyAI web application and APIs
• Mobile applications (if available)

Out of scope:

• Third-party services and integrations
• Social engineering attacks against employees
• Physical security issues
• Issues requiring unlikely user interaction

12. Security Best Practices for Users

Security is a shared responsibility. Here are best practices to keep your account secure.

12.1 Account Security

12.2 Data Protection

• Limit Data Sharing: Only share data with team members who need access
• Review Permissions: Regularly audit user permissions and remove unnecessary access
• Export Carefully: Secure downloaded data files with encryption
• API Key Security: Rotate API keys regularly, never commit to version control
• Delete Old Data: Remove outdated searches and exports you no longer need

12.3 Phishing Awareness

Red flags to watch for:

• Urgent requests to verify account or payment information
• Emails from domains other than @enrichly.ai
• Links that don't go to enrichly.ai (hover to check)
• Requests for passwords, API keys, or payment information
• Poor grammar or spelling in official-looking emails

12.4 Device Security

• Keep Software Updated: Update operating systems and browsers promptly
• Use Antivirus: Install reputable antivirus software on all devices
• Secure Networks: Avoid public WiFi for accessing EnrichlyAI; use VPN if necessary
• Lock Devices: Enable screen locks with PINs or biometrics
• Log Out: Log out when using shared or public computers

12.5 Team Security

• Onboarding/Offboarding: Add users promptly when joining, remove immediately when departing
• Principle of Least Privilege: Grant minimum necessary permissions for each role
• Regular Audits: Review team members and permissions quarterly
• Security Training: Educate team members on security best practices
• Incident Reporting: Establish clear procedures for reporting security concerns

12.6 Compliance Considerations

If you're subject to specific regulations:

• Data Residency: Contact us about region-specific data storage options
• Business Associate Agreements: Available for HIPAA-covered entities
• Data Processing Agreements: Sign DPAs for GDPR compliance
• Audit Reports: Request SOC 2 reports for vendor assessments
• Custom Security Controls: Enterprise customers can discuss additional security requirements