Data Security

Ender Turing handles sensitive customer-conversation data at scale — voice calls, chat transcripts, email, and ticket content from regulated industries like banking, insurance, and healthcare. Security isn't a marketing layer; it's a core engineering constraint.

This page documents our current security posture: the certifications we hold, how data flows through our systems, who can access what, and how we respond when something breaks. For Enterprise customers, this page is the public-facing summary — the full Trust & Compliance pack (SOC 2 report, penetration-test results, infrastructure diagrams, sub-processor list with detail) is available under NDA.

We hold and maintain the following certifications and align with the following frameworks:

• SOC 2 Type II — independently audited security, availability, and confidentiality controls. Continuous observation period, latest report available under NDA. See announcement.
• GDPR-compliant — DPA available, lawful-basis tracking, right-to-erasure workflow, audit logs
• PCI DSS 4.0.1 aware — card data redacted from transcripts and indices; we are not a cardholder-data processor ourselves but support compliant deployments
• EU AI Act ready — high-risk obligations addressed: deployer logs, fundamental-rights impact assessment templates, transparency obligations
• ISO 27001 aligned — controls mapped to the ISO 27001 framework; formal certification on roadmap for 2026

Every byte of customer data is encrypted both in transit and at rest:

• In transit: TLS 1.3 with strong cipher suites, HSTS, certificate pinning where supported
• At rest: AES-256-GCM in our managed cloud (AWS / GCP); customer-managed keys (CMK) available on Enterprise
• Backups: encrypted with the same standards, replicated across availability zones, retained per customer policy
• Application secrets: stored in HashiCorp Vault / AWS Secrets Manager, rotated automatically

Access to customer data is governed by least-privilege principles:

• Customer admins control all in-product access via Role-Based Access Control (RBAC). Roles: Admin, Manager, Team Lead, Agent — fully customizable on Enterprise.
• SSO via SAML 2.0 / OIDC available on Growth and above. Active Directory and Azure AD supported.
• MFA required for all admin accounts; recommended for all users.
• Ender Turing staff cannot access customer conversation content without an explicit support-ticket request from your side. Every staff access action is audit-logged with user ID, timestamp, scope, and reason.
• Just-in-time access for engineers — production access requires fresh approval per session, expires within hours.

Where your data lives is your choice:

• EU-default: Frankfurt & Warsaw regions (AWS / GCP) — our default for all customers
• US: Virginia region available on Enterprise
• On-premise: full deployment in your own VPC, data centre, or air-gapped environment — Enterprise tier, one-time setup fee depending on scope
• Customer data isolation: logical isolation at the application layer with row-level security; physical isolation available on dedicated-tenant Enterprise deployments

If something goes wrong, our response is structured and predictable:

• 24/7 on-call rotation across the engineering and security teams
• Severity classification within 15 minutes of detection
• Customer notification within 72 hours for any incident affecting customer data — regardless of regulatory requirement
• Post-incident review shared with affected customers within 7 business days, including root cause and remediation
• Status page updated in real time during ongoing incidents — status.enderturing.com

Report a vulnerability or suspected incident: security@enderturing.com. We acknowledge within 24 hours, even on weekends.

Every action in the platform is logged for audit:

• User logins, role changes, permission edits
• Conversation access (who viewed which call when)
• Score adjustments, dispute resolutions, compliance-rule changes
• Data exports, deletions, retention-policy changes
• API access with full request/response metadata

Audit logs are immutable, retained per customer-defined policy (default: 7 years for Enterprise, 2 years for Growth). Available via API for SIEM integration. Audit-ready evidence packs can be exported on demand for regulators.

We use a small set of vetted sub-processors to operate the Service. Each is bound by a DPA and EU SCCs where applicable:

• AWS — cloud infrastructure (EU regions: Frankfurt, Warsaw)
• GCP — cloud infrastructure for select workloads (EU region: Frankfurt)
• HashiCorp Cloud — secrets & key management
• Datadog — observability & metrics (EU instance)
• Sentry — error tracking (self-hosted on our infrastructure)
• Stripe — payment processing (PCI DSS Level 1)

Enterprise customers receive 30-day advance notice of any new sub-processor handling their data, with a right to object. Full sub-processor list with descriptions is part of our DPA appendix.

Security is shared. Some responsibilities sit on your side:

• Configure RBAC roles & permissions appropriately for your team
• Enforce strong password policies and MFA for your users
• Promptly remove access for departing employees
• Review audit logs periodically for anomalies
• Notify us immediately of any suspected unauthorized access
• Ensure conversations you upload comply with your own data-collection consent obligations

We welcome reports from security researchers. If you've found a vulnerability:

• Email security@enderturing.com with details (steps to reproduce, impact, affected URLs)
• Don't publicly disclose until we've had a chance to fix — we aim to triage within 24 hours and remediate critical issues within 14 days
• Don't access or modify customer data, disrupt the service, or test against accounts you don't own
• We don't run a paid bounty program, but we publicly credit responsible disclosures (with your permission) and respond fast

External security assessments are part of our annual cadence:

• Annual penetration tests by a third-party firm — covering web app, API, and infrastructure
• Quarterly internal security reviews by our engineering team
• Continuous dependency scanning via GitHub Advanced Security and Snyk
• Static and dynamic analysis in CI for every code change

Results summaries are available to Enterprise customers under NDA.

For security-specific inquiries, vulnerability reports, or compliance questions:

• Security: security@enderturing.com · acknowledged within 24 hours
• Privacy / DPO: privacy@enderturing.com
• Compliance & audit evidence: compliance@enderturing.com
• Postal: Ender Turing UAB, Saltoniškių g. 7, LT-08105 Vilnius, Lithuania