Security

Enaia is committed to protecting the confidentiality, integrity and availability of client information. This document describes the Enaia security and privacy practices, operational processes, and security technology that protects the information.

Our Commitment

  • Enaia is committed to protecting the privacy of its customers and considers it as a fundamental pillar in ensuring trust. Enaia’s information privacy and security governance is aligned with the International Organization for Standardization (ISO) 27001 and 27002 security standards, the National Institute of Standards and Technology (NIST) Special Publications 800 Series, and the AICPA SOC 2 Trust Service Principles.
  • Based on these frameworks, Enaia has developed and implemented a risk-based information technology privacy and security program that includes a set of written policies, procedures, and security controls designed to ensure the privacy and security of member information.
  • Enaia follows security-by-design and privacy-by-design principles, monitors its programs and controls on a continuous basis, and is committed to ongoing privacy and security improvement.

Security & Privacy Framework and Risk Assessment

Enaia has implemented policies and procedures to prevent, detect, and contain security and privacy violations, and implemented reasonable and appropriate physical, administrative, and technical safeguards to mitigate security risks to acceptable levels.

  • Risk Assessment – Enaia has identified and categorized threats and vulnerabilities to the loss, modification, or theft of personal and confidential information. This analysis estimates both the frequency of potential threats and the likelihood that they will occur.
  • Security and Privacy Controls – Enaia uses a combination of people, process, and technology, as well as a defense-in-depth strategy that ensures that personal information and other information assets are consistently protected, configured, maintained, and monitored.
  • Policies and Procedures – Enaia has implemented written policies and procedures that address the proper use and disclosure of confidential information, implement security and privacy controls, and mitigate the risks and vulnerabilities identified.
  • Risk Management – Enaia reviews and updates its risk analysis on a periodic basis, actively monitors reports of new security and privacy issues and threats, updates procedures, and responds to incidents in a timely manner.

Physical and Environmental Security

Enaia operates its computer systems in high-security data centers that meet SSAE 18 SOC 2 Type 2 standards. The data centers are physically secured to minimize disruption and prevent theft, tampering, and damage.

Organizational Security

Enaia's security team, led by the CTO, is responsible for the implementation and management of our security program and for enforcement of security policies. The CTO is supported by the members of the Information Security, Application Security, and Governance, Risk, and Compliance teams, who are responsible for their respective processes.

Security and Privacy Awareness Training

Security and privacy awareness training is provided during onboarding as well as during annual training. Based on job responsibilities, customized Secure Code Training is provided to focus on the security of confidential information.

Incident Reporting

All personnel are trained to immediately report any improper disclosure of information, suspected security issues, device loss, suspicious emails, or security incidents to the Security Officer.

Protecting Customer Data

The focus of Enaia’s security program is to prevent unauthorized access to customer data. To this end, our team of security and compliance practitioners, working in partnership with peers across the company, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve. For more details, please see the Enaia Privacy Policy.

Security and Privacy By Design (Development)

Enaia has built a robust and secure development lifecycle that includes policies and processes for in-house secure software development and for acquired software. Security and privacy are continuously addressed at each stage of the development lifecycle, and updates and patches to the application are applied as part of the build and delivery process.

  • Change Management – Enaia applies a systematic approach to managing change and uses commercial source control systems, version numbers, branching strategies, and defect tracking systems to maintain and track revisions of software and systems.
  • Secure Coding – Enaia performs code review and security testing of the applications it develops. Secure software coding principles include, but are not limited to: input validation; output encoding; session management; error handling; logging; access control; encryption; database security; and protection from cross-site scripting attacks.
  • Testing – Enaia performs verification and quality assurance of its systems, including peer review, unit tests, automated tests, manual tests, static and dynamic security tests, performance tests, and regular penetration tests.
  • Deployment – Enaia has implemented an automated software configuration management system to consistently deploy software. Enaia prohibits changes to the production environment until a proposed change has been tested and approved through development review, quality assurance, and management signoff.

Encryption

Enaia customer data is hosted within the US. Data at rest is encrypted with industry-standard encryption algorithms, and logical separation of customer data is enforced by the application. All data transmitted between Enaia clients and the Enaia services is encrypted using strong encryption protocols. Enaia supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the most current and secure TLS/HTTPS protocol versions.

Vulnerability Management

Enaia uses automated vulnerability scanning tools and periodic penetration testing to inform its risk assessment, identify vulnerabilities, and prioritize mitigation activities of servers and software.

Acceptable Use

Enaia has implemented policies and procedures that specify the functions that can be performed using company computing resources, as well as protections for workstations.

System Monitoring, Logging, and Alerting

Enaia monitors servers, workstations, and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Analysis of logs is automated to the extent practical to detect potential issues and alert relevant personnel. Enaia systems and services maintain an audit trail of changes to sensitive data, including the time of each change and the user who performed it.

Disaster Recovery and Business Continuity Plan

Enaia utilizes services deployed by its hosting provider to benefit from multi-zone deployment for high availability and multi-region deployment for backup and disaster recovery. The multi-region locations protect the Enaia service from loss of connectivity, power infrastructure failures, and other common location-specific failures.

Enaia tests backups on a periodic basis to ensure they can be successfully restored. Backups are encrypted using Advanced Encryption Standard (AES-256).

Enaia has a systematic written disaster recovery (DR) plan to respond to disasters, restore data, and resume operations with an established Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Incident Response

Enaia has established policies and procedures for responding to potential security and privacy incidents. All security incidents are managed by Enaia’s Security Team. The policies and procedures define the types of events that must be managed via the incident response process and classify them based on severity. In the event of a material incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually.

Data Subject Requests

To assist customers with their data subject request obligations, Enaia has processes in place to facilitate such requests. Customers may reach out to support when they receive a request for which they believe Enaia’s assistance is required. Users can reach out directly to Enaia via support or by emailing the privacy team at hello@enaia.co.

Vendor Management

Enaia relies on sub-service organizations to run efficiently. Where those sub-service organizations may impact the security of Enaia’s production environment, we take appropriate steps to ensure our security and privacy posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users.

  • Written Contracts – Enaia maintains written agreements with vendors who manage confidential information. Enaia requires that its vendors and subcontractors implement appropriate safeguards and provide notification of security incidents and information breaches in a timely fashion.
  • Vendor Security Assessments – Enaia qualifies the vendors it uses to manage confidential information to ensure that their practices have an appropriate level of administrative, physical, and technical safeguards and that they have the necessary security management and training processes.
  • Management Review – Enaia reviews its information privacy and security management program and policies on a periodic basis to ensure the effectiveness of the program and the continuous improvement of its security posture and practices.

Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust. Please contact your Enaia representative if you have any questions or concerns.

Responsible Disclosure

Our security team is always working for you. To report potential security vulnerabilities via responsible disclosure, please email: security@enaia.co.