Here are some of the measures we implement at Enzoic to support our commitment to secure services:


Our cloud infrastructure is hosted on Amazon Web Services (AWS), using an architecture designed to meet the stringent requirements of highly security-sensitive organizations. This includes all backups, DDoS protections, and firewall services. AWS publishes reports on its compliance with SOC 2 and numerous other industry standards and controls. Enzoic undergoes regular security assessments and penetration testing conducted by reputable third-party firms to identify and remediate vulnerabilities proactively.


Only the outer web-tier servers of our multi-tiered architecture are publicly accessible, and only over HTTP/HTTPS. Our application-tier and data-tier servers are not exposed to the public Internet. Enzoic employs role-based access control and the principle of least privilege, ensuring that employees have access only to the data and systems necessary for their roles.


Sensitive traffic to and from our servers via api.enzoic.com uses TLS 1.2 with 256-bit encryption. Firewalls are configured to permit only HTTP/HTTPS traffic from the public Internet, rejecting all other traffic. In addition to encrypting data in transit, all sensitive data is also encrypted at rest using robust encryption algorithms, adding an extra layer of protection.


Our APIs are implemented as RESTful web services with JSON payloads. All APIs must be accessed via HTTPS and require authentication. Enzoic follows secure software development lifecycle practices, including regular code reviews, static code analysis, and vulnerability scanning to prevent security flaws.


Both our Credential API and Password API (including their use with Enzoic for Active Directory) use a partial hash approach for comparisons with our databases. This ensures that no plaintext or credential hash data leaves your environment: comparisons are performed locally, so we have no knowledge of whether a match was found.
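The partial-hash exchange described above, written out with both sides as an added example (this is illustrative code, not Enzoic's own implementation or API). It assumes SHA-256 and a 10-hex-character prefix; the page states neither the hash function nor the prefix length, and the breach corpus is a constructed sample. The server records only what it receives, so the test can confirm that neither the plaintext nor the full hash ever reaches it.

```python
import hashlib
import secrets

# Assumption: length of the hash prefix the client discloses. Enzoic's real
# prefix length is not stated on the page; the shorter the prefix, the more
# hashes share a bucket and the less the server can infer from a query.
PREFIX_HEX_LEN = 10

# Constructed sample of exposed passwords (not real breach data).
EXPOSED_PASSWORDS = ["password123", "letmein", "qwerty2020", "correcthorsebatterystaple"]

# Everything the server side has seen from clients, kept so we can inspect it.
SERVER_RECEIVED = []


def sha256_hex(password: str) -> str:
    """Hash used on both sides; the client computes it locally."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_server_index(exposed):
    """Server side: store full hashes of exposed passwords, bucketed by prefix."""
    index = {}
    for pw in exposed:
        full = sha256_hex(pw)
        index.setdefault(full[:PREFIX_HEX_LEN], []).append(full)
    return index


SERVER_INDEX = build_server_index(EXPOSED_PASSWORDS)


def server_lookup(prefix: str):
    """Server side: receives only a prefix and returns every full hash under it.

    The server cannot tell which (if any) candidate the client is interested in,
    so it learns nothing about whether a match occurred.
    """
    if len(prefix) != PREFIX_HEX_LEN or not set(prefix) <= set("0123456789abcdef"):
        raise ValueError("malformed prefix")
    SERVER_RECEIVED.append(prefix)
    return list(SERVER_INDEX.get(prefix, []))


def client_check(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare candidates locally."""
    full = sha256_hex(password)
    candidates = server_lookup(full[:PREFIX_HEX_LEN])
    # Constant-time comparison against each candidate; the full hash stays here.
    return any(secrets.compare_digest(full, c) for c in candidates)


def bucket_size(prefix: str) -> int:
    """How many exposed hashes share this prefix (the anonymity set for a query)."""
    return len(SERVER_INDEX.get(prefix, []))


if __name__ == "__main__":
    for pw in ["password123", "a-passphrase-nobody-has-leaked"]:
        print(pw, "exposed" if client_check(pw) else "not found")
    print("server saw:", SERVER_RECEIVED)
```

With a small constructed corpus every bucket holds a single hash, so `bucket_size` is 1 and the server could guess which password a prefix maps to; against a large corpus a short prefix yields buckets of many hashes, which is what gives the scheme its privacy.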


We never store data submitted to our Exposures API, Credential API, or Password API. Query data is held in memory on our servers only long enough to perform the database lookup, and that memory is zeroed at the end of the call.


Our Exposures Alert Service API stores only a hashed value representing the data being monitored, held in an encrypted database. When our monitoring detects an exposure, we send a callback to the customer over an encrypted channel.


We do not store any financial or personal information whatsoever. All employees receive comprehensive security training, including topics like phishing awareness, data handling procedures, and incident reporting protocols.


Enzoic for Active Directory Only


Enzoic stores users' passwords in an encrypted local cache, protected using DPAPI with secondary entropy. These passwords never leave your environment.