Data Security & Privacy

  • Last Updated: 9 Mar 2026
  • Next Review: 1 Jul 2026

Because Invisiq is deployed entirely within your own environment — whether on-premises or in your own cloud account — your data never leaves your infrastructure. This page explains what data the product processes, how it is protected, and what controls you have as the operator.

Invisiq is a self-hosted product. All data processed by the application resides in storage that you provision and control. Enprivacy has no access to your data unless you explicitly grant it (for example, during a support session that you initiate).

| Data category | Description | Where stored |
| --- | --- | --- |
| Content | Documents, text, or other content | Metadata is stored in the application’s database provisioned by you. Files remain in your file or blob storage, or may be uploaded to a file or blob storage provisioned by you and attached to the application. |
| Databases | Database schemas, tables, structure, sample data, and connection details | Metadata is stored in the application’s database provisioned by you. Some sample data is also stored in the application’s database provisioned by you. |
| AI & LLM Engagements | Conversations, messages, and files | Full chat conversations are stored in the application’s database provisioned by you. Files are stored in the attached file or blob storage provisioned by you. |
| Workspaces | Application settings, secrets, and connection details | Any application secrets are typically provided to the application via environment variables and securely managed by you. Other application configuration details are stored in the application database. |

The product does not manage storage encryption itself — this is handled at the infrastructure layer, which you control. We recommend the following:

  • Database: Enable encryption at rest on your database (e.g. Postgres with encrypted volumes, RDS with KMS, Azure SQL TDE).
  • Object storage: Enable server-side encryption on your blob/object storage (e.g. S3 SSE-KMS, Azure Storage Service Encryption).
  • Filesystem: Use encrypted volumes for any host-level persistent storage.

Our Deployment Guide includes recommended encryption configurations for common infrastructure stacks.
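
The recommendations above can be checked from the operator side. The following is an added example, not part of the product or its Deployment Guide: it audits AWS CLI output from `aws rds describe-db-instances` and `aws s3api get-bucket-encryption` for the RDS and S3 SSE-KMS cases. The resource names and sample responses are constructed for illustration.

```python
import json

# Constructed sample responses (hypothetical resources), shaped like the output
# of `aws rds describe-db-instances` and `aws s3api get-bucket-encryption`.
RDS_SAMPLE = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "invisiq-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE"},
  {"DBInstanceIdentifier": "invisiq-db-replica", "StorageEncrypted": false}
]}""")
S3_SAMPLE = {
    "invisiq-files": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/invisiq"}}]}},
    "invisiq-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "invisiq-tmp": None,  # the call returned no encryption configuration
}

def audit_rds(response):
    """Flag every DB instance whose storage is not encrypted at rest."""
    return [(db.get("DBInstanceIdentifier", "<unknown>"),
             "storage not encrypted at rest")
            for db in response.get("DBInstances", [])
            if not db.get("StorageEncrypted", False)]

def audit_bucket(name, response):
    """Flag a bucket with no default encryption or with a non-KMS default."""
    config = (response or {}).get("ServerSideEncryptionConfiguration") or {}
    algos = {rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for rule in config.get("Rules", [])}
    algos.discard(None)
    if not algos:
        return [(name, "no default server-side encryption rule")]
    if not algos & {"aws:kms", "aws:kms:dsse"}:
        found = ", ".join(sorted(algos))
        return [(name, f"default encryption is {found}, not SSE-KMS")]
    return []

def audit_all(rds_response, buckets):
    """Return (resource, problem) pairs for everything that needs attention."""
    findings = audit_rds(rds_response)
    for name in sorted(buckets):
        findings += audit_bucket(name, buckets[name])
    return findings

if __name__ == "__main__":
    for resource, problem in audit_all(RDS_SAMPLE, S3_SAMPLE):
        print(f"FAIL {resource}: {problem}")
```
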

  • All internal service-to-service communication within the product uses TLS 1.2+.
  • The product exposes HTTPS endpoints only; HTTP is either disabled or automatically redirected.
  • We recommend terminating TLS at your load balancer or ingress controller using a certificate from a trusted CA.
  • The product supports SSO via SAML 2.0 / OIDC integration with your identity provider through our authentication service. Alternatively, we support passwordless authentication via a time-limited one-time security code sent to the user’s email account. We do not currently support local accounts.
  • MFA enforcement is available.
  • Role-based access control (RBAC) is built in. Roles and permissions are documented in the Access Control Guide.
  • API access is authenticated via API keys. API keys are scoped and can be rotated.
  • The application never logs secrets, passwords, or API tokens.
  • The application does not store passwords.
  • Certain database columns are encrypted by the application using bcrypt with application-defined secrets.
  • Application secrets (database credentials, signing keys) are read from environment variables or a mounted secret store at startup and are not written to disk by the application.

The product is designed to operate in a network-isolated environment with the sole exception of the user authentication and entitlement system:

  • Minimal outbound internet connectivity. All features work without general outbound access to the internet. The application must be able to connect to auth.enprivacy.com for user authentication and entitlement.
  • Update checks — the product does not phone home to check for updates.

Recommended network controls are documented in the Network Security Guide.

The product emits structured audit logs covering:

  • User authentication events (login, logout, failed attempts)
  • Privilege changes and administrative actions
  • Data access and modification events (configurable scope)
  • System configuration changes

Logs are written to stdout in JSON format and are intended to be forwarded to your SIEM. Log retention is managed by your infrastructure. Audit logs are also stored in the application’s database.

Backup and recovery is your responsibility as the operator. Our Operations Guide provides:

  • Recommended backup scope (databases, object storage, configuration)
  • Suggested backup frequency
  • Restore procedures and estimated RTO/RPO targets for reference architectures

Vulnerability Disclosure for Data-Related Issues

If you discover a vulnerability that could affect the confidentiality, integrity, or availability of data processed by Invisiq, please report it via our Vulnerability Disclosure Policy. We treat all data-related reports as high priority.