Security
Ensealed holds signed legal documents. We set the bar accordingly.
Encryption
- TLS 1.3 for all traffic. HSTS with preload eligibility.
- AES-256 encryption at rest for the database and R2 storage.
- Signed PDFs carry a SHA-256 hash recorded on the audit trail. Tampering after the fact is detectable.
- RFC 3161 trusted timestamps from a Time Stamp Authority.
Access controls
- Row-Level Security on every customer table. Cross-tenant reads are blocked at the database layer.
- Role-based access controls within each workspace (owner, admin, member).
- Production access by Mesquite Dev personnel is logged and audited.
- SSO/SAML available on Enterprise.
Infrastructure
- Cloudflare Workers + R2 at the edge.
- Supabase Postgres in the United States.
- Cloudflare WAF and Bot Fight Mode in front of every request.
- Sentry error tracking with PII scrubbing before send.
- Uptime monitored from multiple regions via Better Stack and HetrixTools.
Certifications and frameworks
- Today: ESIGN, UETA, eIDAS Advanced (AdES), GDPR + CCPA baseline.
- Roadmap: SOC 2 Type I once enterprise demand justifies the audit. HIPAA in a separate Healthcare tier.
Reporting a vulnerability
We welcome security research and we will not pursue legal action against researchers who comply with our safe-harbor policy.
Email findings to security@ensealed.com or use the contact at /.well-known/security.txt.
Safe harbor
If you make a good-faith effort to comply with this policy:
- We will not pursue or support legal action against you.
- We will not report you to law enforcement.
- We will accept your finding through coordinated disclosure.
Rules of engagement
- Test only against accounts you own. Do not test against other customers' workspaces or documents.
- Do not exfiltrate data beyond what is necessary to demonstrate the finding.
- Give us a reasonable opportunity to fix the issue before public disclosure (90 days suggested).
- No social engineering of employees, no physical attacks, no denial-of-service.
- Out of scope: anything in our subprocessors' infrastructure (report those to the vendor directly).
Rewards
Today we credit valid findings publicly on this page with your consent. We do not run a paid bounty yet. We may pay ad-hoc rewards for impactful findings while we build out a formal program.
Incident response
If we detect or are informed of a security incident affecting customer data, we follow this process:
- Detect and triage within 1 hour of internal alert or external report.
- Contain the issue, rotate keys, and stop further exposure within 24 hours.
- Notify affected customers by email within 72 hours of confirming a personal-data breach, in line with GDPR Article 33 and the strictest US state notification timelines we are subject to.
- Notify supervisory authorities (US state AGs, EEA DPAs, UK ICO) as required by jurisdiction. In the US we follow the strictest applicable state law.
- Publish a post-incident summary on this page within 30 days of resolution.
For status updates during an active incident, watch this page or follow our status page (linked at the top of the security disclosure form). To report a suspected ongoing incident, email security@ensealed.com with the word URGENT in the subject line.
Acknowledgments
Researchers who have responsibly disclosed findings will be listed here with their permission.
No findings to publish yet.