One page covering certifications, sub-processors, data residency, and the controls that exist today — including what is not in place. Where we are not yet certified, we say so. The matrix below mirrors the one in our public SECURITY.md and is updated whenever a control changes state.
We will not claim a certification we do not hold. Roadmap dates are targets; if we slip, we update this page within 30 days.
| Framework | Status | Notes | Artifact |
|---|---|---|---|
| POPIA · Act 4 of 2013 | Aligned by design | Product was built around POPIA from day one — DSAR tooling, consent log, cross-border transfer ledger are core features, not bolted on. Information Officer designation in progress. | Compliance overview on request |
| SOC 2 Type I | Not yet started | Audit engagement is not yet signed. Target Q4 2026. The control framework is being implemented in parallel with the launch. | Roadmap on request |
| SOC 2 Type II | Not yet started | Begins ~12 months after Type I issuance. No date claimed until Type I is in flight. | — |
| ISO/IEC 27001:2022 | Not pursued | Not on the near-term roadmap. We will pursue if customer demand makes it the right priority. | — |
| GDPR · UK GDPR | Standard DPA available | Customer DPA available on request. Standard Contractual Clauses cover EU/UK transfer for our US sub-processors. | DPA template |
| PCI DSS | Out of scope | Endon does not store, process, or transmit cardholder data. PAN detectors operate as redaction only and never persist matched values. | — |
Prompt content is scanned in-browser, in the customer's DOM. The scanner does not transmit prompt text to Endon servers. Only metadata — event hash, detector class, decision, timestamp — leaves the device.
Every record is tenant-scoped at the database row level via Postgres Row-Level Security. Queries are filtered against the authenticated user's tenant_id. An automated cross-tenant isolation test is on the near-term backlog.
DSAR tooling, consent tracking, retention policies, and the cross-border transfer ledger are core features built into the product from the start — not features added later for compliance theatre.
We will not claim SOC 2, ISO 27001, or controls we have not implemented. This page is updated whenever a control changes state — including downgrades.
Supabase region is customer-selectable. Prompt content is never stored on Endon servers — scanning happens in-browser, in the customer's DOM. The scanner only transmits event metadata.
| Data class | Default handling | Region |
|---|---|---|
| Prompt content (raw) | Never stored on Endon servers. Scanned in-browser, in the customer's DOM. | Customer device |
| Audit metadata (event hashes, decisions, tool, severity) | Stored in tenant database | Supabase customer region |
| Customer account data (org, users, roles) | Stored in tenant database | Supabase customer region |
| Backups | Supabase-managed snapshots with point-in-time recovery | Supabase customer region |
| Application logs | Standard retention via hosting provider; payload scrubbing applied | Railway US East (regardless of the selected Supabase region) |
We notify customers in advance of adding a sub-processor. Customers may object to additions in writing.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase | Primary database, authentication, row-level security | Customer-selectable region | Standard SCC + DPA |
| Railway | API hosting | US East | Standard SCC + DPA |
| Vercel | Static site / marketing | Global edge | Standard SCC + DPA |
| Stripe | Billing (currently test mode pre-launch) | United States | Standard SCC + DPA |
| SendGrid | Transactional email (account, alerts, invites) | United States | Standard SCC + DPA |
| Sentry | Application error monitoring (when enabled by customer) | EU or US per customer choice | Standard SCC + DPA · PII scrubbing enforced |
The table below lists every control, including the ones not in place. Misrepresenting a control's status would be far worse than the gap itself.
| Control | State | Implementation |
|---|---|---|
| Encryption in transit | In place | TLS 1.2+ on all production endpoints |
| Encryption at rest | In place | AES-256 via Supabase-managed encryption |
| Authentication | In place | Supabase Auth — short-lived JWTs with refresh-token rotation |
| MFA | Partial | Available for users; not yet enforced platform-wide for admins |
| SSO / SCIM | In place | OIDC and SAML supported; SCIM 2.0 endpoint for provisioning |
| Authorisation | In place | Role-based access control, tenant-scoped, least-privilege defaults |
| Tenant isolation | Partial | Row-Level Security (RLS) at the database; automated cross-tenant test pending |
| Customer-managed keys (CMEK) | Partial | Feature shipped, not yet independently audited |
| Audit logging | In place | Tamper-evident hash chain; export-to-CSV/PDF available |
| Browser security headers | In place | HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy |
| Startup-time security checks | In place | App refuses to boot in production with insecure config |
| Secret scanning in CI | In place | gitleaks runs on every PR |
| Dependency vulnerability scanning | Planned | Planned for Q3 2026 |
| Static application security testing (SAST) | Planned | Planned for Q3 2026 |
| External penetration test | Planned | Planned pre-GA. None completed as of this writing. |
| 24/7 SOC monitoring | Not in place | Engineering team is on-call. |
| DDoS protection beyond hosting defaults | Not in place | Defaults from Railway and Vercel apply. |
| Bug bounty program | Not in place | Responsible disclosure policy is published instead. |
Email security@endonai.com with technical details and a proof of concept. Researchers acting in good faith will not be pursued. Full policy in our SECURITY.md.
We will share the implementation detail behind any control above, walk through our architecture, and answer your security questionnaire — without a discovery call first. Just email security@endonai.com and tell us what you need.