Security Policy
Last updated: 16 May 2026
Security is central to how Encrisoft designs, develops, operates and supports its products. This public Security Policy summarises Encrisoft's security approach in a way that is useful to customers and safe for publication. It does not disclose sensitive technical implementation details.
3.1 Security Governance
Encrisoft maintains security governance practices designed to support confidentiality, integrity, availability, privacy and operational resilience. Security responsibilities are reviewed as the company, products and customer obligations evolve. Public claims of certification are made only where they are supported by current evidence and approved for publication.
3.2 Infrastructure and Cloud Security
Encrisoft uses reputable infrastructure and service providers selected for reliability, security capability and operational suitability. Infrastructure access is restricted to authorised personnel with legitimate operational need. Encrisoft applies environment separation, deployment controls, monitoring and resilience measures appropriate to the service and customer risk profile.
3.3 Access Control
Encrisoft applies least-privilege access principles, role-based access controls, privileged-access restrictions, authentication controls, access reviews and audit logging for sensitive systems. User access is managed according to business need and removed when no longer required.
3.4 Encryption and Data Protection
Encrisoft protects data in transit using secure communication protocols and uses encryption at rest where appropriate for the system, data type and risk. Credentials, secrets and API keys are handled using secure storage, restricted access and operational controls designed to reduce unauthorised exposure.
3.5 Secure Software Development
Security is considered throughout the software development lifecycle. Practices include code review, dependency review, configuration review, separation of environments, release controls, security testing, secrets hygiene, issue tracking and remediation prioritisation. Encrisoft continues to improve these practices as products mature.
3.6 Logging, Monitoring and Threat Detection
Encrisoft monitors systems for operational health, suspicious activity, authentication events, API activity, infrastructure issues and security-relevant events. Logs are protected against unauthorised access and are used to support troubleshooting, investigation, auditability and incident response.
3.7 Vulnerability Management
Encrisoft identifies, assesses and remediates vulnerabilities using risk-based prioritisation. Activities may include dependency scanning, vulnerability scanning, patching, configuration review, security testing and review of responsible disclosure reports. Remediation timeframes are based on severity, exploitability, exposure, customer impact and operational risk.
3.8 Incident Response
Encrisoft maintains incident response processes for identifying, escalating, investigating, containing, remediating and learning from security incidents. Where required by law, contract or regulator expectations, Encrisoft will notify affected parties or authorities in accordance with applicable requirements.
3.9 Backup, Resilience and Continuity
Encrisoft maintains backup, recovery and resilience practices appropriate to each service. Customers remain responsible for their own continuity planning, alert-response procedures, downstream actions and customer-side integrations unless a written agreement states otherwise.
3.10 Vendor and Subprocessor Security
Encrisoft assesses third-party providers based on the nature of the service, data processed, access level and operational dependency. Contractual, technical and organisational safeguards are applied where appropriate. A public subprocessor list is maintained for customer processor services.
3.11 Responsible Disclosure
Security researchers and customers may report suspected vulnerabilities to security@encrisoft.com. Reports should be made in good faith and should avoid service disruption, privacy violations, data access beyond what is necessary to prove the vulnerability, public disclosure before remediation and social engineering. Encrisoft will review credible reports and take appropriate remediation action.
3.12 Shared Responsibility
Security is shared between Encrisoft and its customers. Customers are responsible for securing their devices, users, API keys, integrations, channels, workspaces, notification recipients, internal processes and downstream actions. Encrisoft is not responsible for customer misconfiguration, compromised customer credentials or third-party environments outside Encrisoft's reasonable control.
3.13 Contact
| Contact | Detail |
|---|---|
| Security | security@encrisoft.com |
| Privacy | privacy@encrisoft.com |
| Support | support@encrisoft.com |
| Website | https://encrisoft.com |