Trust & Safety

Security

Last updated: June 2026

  • Encryption in transit: TLS 1.2+ on all connections
  • Encryption at rest: AES-256 database encryption
  • Two-factor auth: TOTP-based 2FA available
  • Workspace isolation: row-level security per account

Infrastructure security

ERMIntel is served from Cloudflare Pages with global edge delivery. Our database runs on Supabase, a SOC 2 Type II certified platform. Physical security of the data centres and the security of the underlying hosting platform are managed by these providers under their own controls and certifications.

Data isolation

Every ERMIntel workspace is isolated at the database layer. PostgreSQL row-level security (RLS) policies restrict each query to rows belonging to the caller's account, so the isolation is enforced by the database on every query rather than only in application code. The helper function that our policies use to resolve the caller's account runs with a fixed search_path, the standard PostgreSQL hardening for functions that run with elevated privileges: with the search path pinned, its name lookups cannot be redirected to objects another user has created in a different schema, which would otherwise be a privilege-escalation path.
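The following PostgreSQL snippet is an added illustration of the pattern described above; it is not ERMIntel's schema or code. The table and function names (accounts, account_members, assessments, is_account_member) are hypothetical, and it assumes a Supabase-style database where auth.uid() returns the calling user's id from the request JWT and authenticated is the role web requests run as.

```sql
-- Hypothetical schema: one account (workspace) can have several members,
-- and every assessment row carries the account that owns it.
create table accounts (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table account_members (
  account_id uuid not null references accounts(id),
  user_id    uuid not null,            -- the value auth.uid() returns
  primary key (account_id, user_id)
);

create table assessments (
  id         uuid primary key default gen_random_uuid(),
  account_id uuid not null references accounts(id),
  title      text not null,
  body       jsonb
);

-- The isolation helper. SECURITY DEFINER lets it read account_members even
-- though end users get no direct grant on that table. The SET search_path
-- clause is what "locks" the search path: without it, a user able to create
-- objects in a schema that precedes public in the caller's search_path could
-- shadow a name this body references and have it run with the definer's
-- privileges. Because the path is empty, every reference is schema-qualified.
create or replace function public.is_account_member(target uuid)
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.account_members m
    where m.account_id = target
      and m.user_id = auth.uid()
  );
$$;

-- Only the web role may call the helper.
revoke execute on function public.is_account_member(uuid) from public;
grant  execute on function public.is_account_member(uuid) to authenticated;

-- Turn RLS on. FORCE also subjects the table owner to the policies;
-- by default the owner bypasses them, which is an easy thing to miss.
alter table assessments enable row level security;
alter table assessments force row level security;

-- Reads and writes are limited to rows in an account the caller belongs to.
-- USING filters rows the caller can see; WITH CHECK stops inserts/updates
-- that would move a row into an account the caller is not a member of.
create policy assessments_isolation on assessments
  for all
  to authenticated
  using      (public.is_account_member(account_id))
  with check (public.is_account_member(account_id));

-- Check that the pin is really in place: proconfig lists the function's
-- SET options and should show search_path="" for the helper.
select proname, proconfig
from pg_proc
where proname = 'is_account_member';
```

Two caveats a reviewer would want alongside this: a database role with BYPASSRLS (in Supabase, the service_role key) is not subject to these policies at all, so that credential must never reach the browser; and the policy is only as good as the membership table it consults, so writes to account_members need their own policy or must be limited to server-side code.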

Authentication

  • Email and password authentication, with passwords hashed using bcrypt, via Supabase Auth.
  • Time-based one-time password (TOTP) two-factor authentication is available and recommended for all accounts.
  • Session tokens are short-lived and are rotated on each request.
  • Middleware enforces authentication on every protected route; unauthenticated requests are redirected to the login page.

Encryption

All data transmitted between your browser and ERMIntel is encrypted using TLS 1.2 or higher. Data stored in our database is encrypted at rest using AES-256. Evidence documents submitted for review are processed in memory and are not stored in plaintext.

AI processing

Evidence documents are processed by Anthropic (Claude) and/or OpenAI APIs solely to generate ERM maturity assessments. We use these APIs under data processing agreements that prohibit use of your data for model training. AI processing occurs over encrypted connections and documents are not retained by these providers beyond the scope of the API request.

Webhook security

ERMIntel's n8n automation workflows are protected by HMAC-SHA256 webhook signatures. Each inbound webhook request must carry a signature computed over the request with a secret shared between the sender and the workflow; the workflow recomputes the signature with that secret and compares it before any processing takes place. Requests whose signature is missing or does not match are rejected.

Vulnerability disclosure

If you discover a security vulnerability in ERMIntel, please report it responsibly to security@ermintel.com. We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We ask that you do not publicly disclose vulnerabilities before we have had the opportunity to address them.

Security updates

We monitor our dependencies for known vulnerabilities and apply security patches on a regular basis. Infrastructure security updates are applied by our hosting providers as part of their managed service commitments.

Contact

For security enquiries, contact security@ermintel.com. For general privacy questions, see our Privacy Policy.