Here is a sampling of just some of the measures that we take to ensure the security and integrity of our offering.


Our cloud-based infrastructure is hosted by Amazon Web Services, on an architecture built to meet the requirements of the most security-sensitive organizations. This includes all backup, DDOS protections and firewall services. Amazon Web Services publishes reports on its compliance with SOC 2 and numerous other standards and controls.


Only the outer web tier servers of our multi-tiered architecture are publicly accessible, and only over HTTP/HTTPS. None of our application tier or data tier servers are exposed to the public Internet.


Sensitive traffic flowing into and out of our servers via api.enzoic.com use TLS 1.2 with 256-bit encryption. Firewalls are configured to only permit traffic on HTTP/HTTPS from the public Internet, rejecting other traffic.


APIs are implemented as a series of RESTful web services with JSON payloads. All APIs must be accessed via HTTPS and require authentication.


Both our Credential API and Password API (including its use with Enzoic for Active Directory) utilize a partial hash approach for comparisons with our databases. This approach ensures no clear text or credential hash data leaves your environment and that comparisons can be done locally so we don’t know if a match was found.


We never store data submitted to our Exposures API, Credential API or Password API. Query data is kept in memory on our servers only long enough to perform the database lookup, and then the memory is zeroed out at the end of the call.


Our Exposures Alert Service API stores only a hashed value representing the data being monitored and is held in an encrypted database.  When our monitoring detects an exposure, a callback to the customer is made over an encrypted channel.


We store absolutely no financial or other personal information.