What's Enforgate's compliance posture?
An honest statement of where we are today, not a certification claim we can't back up. See also Security & data handling for the technical controls.
SOC 2
Enforgate is not currently SOC 2 certified. The technical controls a SOC 2 audit would examine — encryption of stored secrets, hashed credentials, fail-closed defaults, an immutable audit trail, role-based access control, CI security gates (dependency scanning, secret scanning) — are already in place and described on Security & data handling. If a formal SOC 2 Type II report is a requirement for your evaluation, contact us — we can discuss timeline and scope for your specific need.
Data residency
The dashboard and gateway run on Railway; the primary database is a managed Postgres instance on Neon. As of this writing the service runs in a single region (US) — we don't yet offer a choice of data residency region. If regional data residency is a requirement, contact us to discuss it.
Sub-processors
Services that may process your data on our behalf, beyond your own configuration:
| Provider | Purpose |
|---|---|
| Neon | Primary database (Postgres) — all account, configuration, and audit data. |
| Railway | Application hosting for the gateway and dashboard, and the Redis instance used for the live approval bus. |
| Resend | Transactional account email (verification, password reset) and, when you don't configure your own SMTP, approval-notification email. |
| Paddle | Billing — our merchant of record for paid subscriptions. |
| Cloudflare | Edge failover routing for the public site. |
Notification destinations you configure — Slack, Microsoft Teams, Telegram, or your own SMTP server — receive approval-request content because you directed it there; they aren't sub-processors we chose on your behalf.
Data subject rights (GDPR / PDPL)
Depending on where you're located, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise any of these rights, contact us as described in the Privacy Policy — we don't yet have a fully self-service export/delete flow in the dashboard, so these requests are handled directly.
Retention — what actually happens
This is worth being precise about, since “retention” is easy to overstate. Your plan's audit retention window (7 / 90 / 365 days) controls how far back the dashboard's Live Feed and audit export show you — it is a visibility window, not an automatic deletion job. Audit and usage records otherwise persist in the database for as long as your account is active. When you delete your account, we delete or anonymize your personal information and associated records within a reasonable period, except where we must retain something to meet a legal obligation. See Privacy Policy for the full statement.
Incident response
See our Security Disclosure Policy for how to report a vulnerability, and Status for how we communicate about incidents affecting the service.