ENA Feedback
Security

Security Overview

How Enafeedback protects your data — encryption, access control, infrastructure, and responsible disclosure.

Last updated on

Security is built into every layer of Enafeedback. This page provides an overview of the security measures in place.

Data encryption

  • In transit — All data is transmitted over TLS 1.2+. HTTP is not supported; all endpoints redirect to HTTPS.
  • At rest — Database content is encrypted at the storage layer using AES-256.
  • File attachments — Files uploaded by visitors (photos, audio) are stored in object storage with server-side encryption.

Multi-tenancy isolation

Each workspace is a fully isolated tenant:

  • Row-Level Security (RLS) — All database queries are scoped to a tenant_id using PostgreSQL RLS policies. A bug in the application layer cannot leak data between workspaces.
  • Separate credentials — Each workspace has its own database session with a tenant-specific JWT claim.

Access control

  • All admin dashboard requests are authenticated via OpenID Connect (OIDC) — tokens are short-lived (1 hour) and refreshed automatically.
  • API requests require a Bearer token (see Authentication).
  • Role-based permissions are enforced at the API layer on every request, not just in the UI.

Webhook security

Webhook payloads are signed with HMAC-SHA256. Verify signatures on every incoming request. See Webhooks.

Infrastructure

Enafeedback runs on Kubernetes on Huawei Cloud (Frankfurt region, EU) with:

  • Private networking between services (no public internet exposure for internal APIs)
  • Regular automated backups (daily, 30-day retention)
  • Automated failover for the database cluster

Penetration testing

Enafeedback undergoes annual penetration testing by an independent third party. Executive summaries of test results are available to enterprise customers under NDA. Contact your account manager.

Responsible disclosure

If you discover a security vulnerability, please report it to [email protected]. We follow a 90-day responsible disclosure policy:

  1. Acknowledge receipt within 48 hours.
  2. Provide a preliminary assessment within 7 days.
  3. Release a fix within 90 days.
  4. Credit the reporter (with consent) in the release notes.

Do not publicly disclose vulnerability details until 90 days after initial report or until a fix is released, whichever is sooner.

Security changelog

Security-relevant fixes are listed in the product changelog with a 🔒 tag. Access the changelog from Admin → Changelog in the dashboard.

Privacy & Compliance

GDPR and KVKK compliance in Enafeedback — data retention, anonymisation, PII handling, and deletion requests.

Authentication

Admin login via OIDC SSO, session management, and API token authentication in Enafeedback.

On this page

Data encryptionMulti-tenancy isolationAccess controlWebhook securityInfrastructurePenetration testingResponsible disclosureSecurity changelog