EnforceAuth ships authorization. Here's how it ships safely.
Security, compliance, and operational commitments for EnforceAuth. Updated monthly. This page is for auditors, procurement, and security teams — not browsers.
Compliance
Compliance status.
Current attestations and the audits underway. Report copies, sub-processor lists, and penetration-test summaries are available under NDA — email security@enforceauth.com.
| Certification | Detail | Target | Status |
|---|---|---|---|
| SOC 2 Type I | Type I report scheduled | Q3 2026 | In progress |
| SOC 2 Type II | Audit window opens after Type I attestation | Q1 2027 | Planned |
| GDPR | DPA + SCCs available on request | Active | Active |
| CCPA / CPRA | Active — California-resident rights honored end-to-end | Active | Active |
| ISO 27001 | Controls mapped to SOC 2 work; certification follows | Q4 2027 | Planned |
| HIPAA BAA | BAA available for Govern-tier deployments | Active on Govern+ | Active |
| FedRAMP | On the roadmap — gated on Sovereign-tier reference customer | With Sovereign GA | Planned |
How we ship safely
Security controls, end to end.
EnforceAuth is a control plane for authorization. We hold ourselves to the same standard we ask customers to enforce.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys available on Govern+. Decision-log signatures are tamper-evident.
Least-privilege access
EnforceAuth runs its own product on its own infrastructure. Every internal action passes through the same policy decision point (PDP) that customers use.
Auditable by design
Every decision, every policy change, every admin action is logged with the actor, timestamp, and bundle digest. Logs are retained up to 4 years on Govern+.
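The two claims above (decision-log signatures are tamper-evident; every entry records actor, timestamp, and bundle digest) are worth seeing in working code. The block below is an added illustration, not EnforceAuth's code and not a description of its actual log format: the field names, the hash-chain layout, and the use of an HMAC in place of an asymmetric signature (so it runs on the Python standard library alone) are all assumptions. It shows how a verifier detects an edited entry, a deleted entry, and a reordered entry.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for this example only. A real deployment would hold the
# signing key in a KMS/HSM, and an auditor would verify with a public key
# rather than a shared secret.
LOG_KEY = b"example-decision-log-key-not-for-production"

# Sentinel "previous signature" for the first entry in a chain.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], actor: str, action: str, decision: str,
                 bundle_digest: str, timestamp: str) -> dict:
    """Append one decision-log entry chained to the previous entry's signature."""
    prev = log[-1]["sig"] if log else GENESIS
    body = {
        "seq": len(log),                 # position in the chain
        "actor": actor,                  # who triggered the decision / change
        "action": action,
        "decision": decision,
        "bundle_digest": bundle_digest,  # digest of the policy bundle evaluated
        "timestamp": timestamp,
        "prev": prev,                    # links this entry to its predecessor
    }
    sig = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, sig=sig)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    Detects edited fields (MAC mismatch), deleted entries (seq gap) and
    reordered entries (prev pointer no longer matches the preceding sig).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False, i
        prev = entry["sig"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample: three entries with fixed timestamps and a fake bundle digest."""
    digest = "sha256:" + hashlib.sha256(b"constructed-bundle-v1").hexdigest()
    log: List[dict] = []
    append_entry(log, "svc:orders", "read:invoice/42", "allow", digest, "2026-04-01T10:00:00Z")
    append_entry(log, "svc:orders", "delete:invoice/42", "deny", digest, "2026-04-01T10:00:01Z")
    append_entry(log, "admin:alice", "policy.update", "applied", digest, "2026-04-01T10:05:00Z")
    return log


if __name__ == "__main__":
    good = build_sample_log()
    print("intact:", verify_log(good))          # (True, None)

    edited = [dict(e) for e in good]
    edited[1]["decision"] = "allow"             # flip a deny to allow after the fact
    print("edited:", verify_log(edited))        # (False, 1)

    deleted = [dict(e) for e in good]
    del deleted[1]                              # drop the deny from the record
    print("deleted:", verify_log(deleted))      # (False, 1)
```

The important design point for auditors is that each entry commits to its predecessor, so removing or reordering records is as detectable as editing one; a per-entry MAC alone would not catch deletion.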
Vendor due diligence
DPA, SCCs, sub-processor list, and security questionnaire responses are available to qualified prospects on request.
Self-hosted & air-gapped
Govern customers can self-host the control plane in their own VPC. Sovereign adds full air-gapped deployment for federal and defense workloads.
Regional data residency
US-East and EU-West regions today. Additional regions available on Govern+ contracts. Cross-region replication is opt-in only.
Standards posture
Where EnforceAuth sits in the standards landscape.
EnforceAuth's policy language is Rego, the policy language of the CNCF-graduated Open Policy Agent (OPA) project. Every policy you author in Writ is portable to any OPA deployment.
AuthZEN 1.0 (OpenID Foundation, March 2026) is the emerging standard for authorization decisions between a policy decision point (PDP) and a policy enforcement point (PEP). The OPA project is tracking native AuthZEN 1.0 support upstream (opa#8449). EnforceAuth customers inherit AuthZEN conformance through OPA when that upstream support lands.
On open governance: EnforceAuth contributes back to OPA upstream and ships Zift as open source under Apache 2.0.
Vulnerability disclosure
Report a security issue.
Email security@enforceauth.com. PGP key on request. EnforceAuth responds within one business day. We follow a 90-day coordinated-disclosure window and credit researchers publicly with consent.
Incident response
When something goes wrong.
Public status page at status.enforceauth.com. Affected customers are notified within 24 hours of confirmed impact. Root-cause analyses are published within 14 days, redacted only for security-sensitive details.
Procurement & audit
Need deeper detail?
DPA, SCCs, sub-processor list, SOC 2 letter of intent, pen-test summaries, and security questionnaires are available under NDA. We turn around procurement requests within two business days.
