# Security at Enbbox
Notifications carry sensitive data — subscriber identifiers, contact details, and application-critical messages. We take the security of this data seriously.
## Infrastructure Security
| Layer | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 enforced on all API, webhook, and dashboard traffic |
| Encryption at Rest | AES-256 for all stored data including subscriber records and notification logs |
| Network Security | Private networking between services, no public-facing databases |
| DDoS Protection | Cloud-native DDoS mitigation on all public endpoints |
| Containerization | All services run in isolated containers with minimal privileges |
## Data Protection
| Practice | Details |
|---|---|
| API Key Security | Keys are hashed at rest; displayed only once at creation |
| Provider Credentials | Encrypted with per-project keys; never logged or exposed |
| Subscriber Data | Processed solely for notification delivery; retained per plan policy |
| Data Isolation | Complete project-level data isolation — no cross-project access |
## Access Control
- Role-Based Access Control (RBAC): Project members have granular permissions
- OAuth 2.0 Authentication: Secure sign-in with industry-standard protocols
- Session Management: Automatic session expiry and secure cookie handling
- Invite-Only Projects: Team members added via secure invitation tokens
## Operational Security
- Dependency Scanning: Automated vulnerability scanning in CI/CD pipeline
- Code Review: All changes reviewed before deployment
- Monitoring: 24/7 automated alerting for anomalous activity
- Incident Response: Documented response procedures, with breach notification in under 72 hours
- Regular Updates: Security patches applied within 48 hours of disclosure
## Compliance Readiness
| Standard | Status |
|---|---|
| GDPR | Compliant — DPA available |
| CCPA | Compliant — Data deletion and portability supported |
| SOC 2 | Controls implemented — formal audit planned |
## Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
We will acknowledge receipt within 24 hours and aim to provide a resolution timeline within 5 business days. We do not pursue legal action against researchers acting in good faith.
## Questions
For security-related questions, contact [email protected] or review our Privacy Policy and DPA.