Trust & Security

Security Overview

A transparent account of how EngageIQ secures your data: from infrastructure and encryption to access controls, monitoring, compliance, and responsible disclosure.

Effective June 12, 2026
Last updated June 12, 2026
01

Security Overview

Security is a foundational requirement, not an afterthought. EngageIQ's security program covers the full stack — infrastructure, application, data, and people — and is designed to protect the confidentiality, integrity, and availability of customer data at all times.

We publish this page to give customers, security researchers, and enterprise procurement teams transparent visibility into our controls, practices, and commitments.

TLS 1.2+

Encryption in transit

AES-256

Encryption at rest

99.9% target

Uptime SLA

02

Infrastructure Security

Cloud provider

EngageIQ is hosted exclusively on Amazon Web Services (AWS), one of the world's most certified cloud providers. AWS infrastructure operates under ISO 27001, SOC 1/2/3, PCI DSS, and other internationally recognized frameworks.

Network segmentation

  • All production workloads run inside private Virtual Private Clouds (VPCs) with no direct public internet access.
  • Security groups enforce strict inbound and outbound rules using least-privilege network ACLs.
  • Public-facing load balancers terminate TLS before forwarding traffic to private application tiers.
  • Separate network environments for production, staging, and development prevent cross-environment data access.

DDoS & edge protection

AWS Shield Standard is enabled across all public endpoints to mitigate volumetric DDoS attacks. Rate limiting is enforced at the API layer for all authenticated and unauthenticated endpoints.

03

Data Security & Encryption

Encryption in transit

All data in transit between clients and EngageIQ services is encrypted using TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) with a long max-age and preloading, ensuring browsers always use HTTPS. Unencrypted connections are rejected.

Encryption at rest

All persistent data stores — databases, object storage, and backups — are encrypted at rest using AES-256 via AWS-managed keys (AWS KMS). Disk-level encryption is enabled on all compute instances.

Secrets management

Application secrets, API keys, and credentials are stored in a secrets manager — never in source code or environment variables committed to version control. Secrets are rotated on a defined schedule and immediately upon suspected compromise.

Backup & recovery

  • Automated encrypted database backups are taken daily with point-in-time recovery enabled.
  • Backups are retained for a rolling 30-day window and stored in a separate AWS region.
  • Recovery procedures are tested periodically to validate restoration integrity.
04

Access Controls

Principle of least privilege

Internal access to production systems is granted only to team members with a demonstrated operational need. All access is role-based, documented, and reviewed on a quarterly basis. Access is revoked immediately upon role change or departure.

Multi-factor authentication

MFA is mandatory for all EngageIQ employees accessing production infrastructure, cloud consoles, and internal tooling. Phishing-resistant hardware keys (FIDO2/WebAuthn) are required for privileged access.

Privileged access management

  • Direct production database access is prohibited except through a time-limited, audited bastion.
  • All privileged sessions are logged and reviewed.
  • SSH key rotation and certificate-based authentication are enforced.

Customer workspace isolation

Each customer workspace is logically isolated at the data layer. Row-level access controls ensure that one customer's data cannot be accessed by another, even within shared infrastructure.

05

Application Security

  • Input validation and parameterized queries are enforced platform-wide to prevent SQL injection and injection attacks.
  • Output encoding is applied at all rendering surfaces to prevent XSS.
  • CSRF protection is implemented on all state-changing endpoints via token verification.
  • Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) are set on all HTTP responses.
  • Dependency scanning runs on every pull request and nightly against the full dependency tree.
  • Container images are scanned for known CVEs before deployment.
  • A web application firewall (WAF) is active on all public-facing endpoints.

Secure development lifecycle

Security reviews are integrated into the development process. Critical changes undergo design review before implementation, code review before merge, and automated security testing before deployment. Engineers receive annual security awareness training and role-specific secure-coding training.

06

Monitoring, Logging & Incident Response

Continuous monitoring

All API requests, authentication events, administrative actions, and infrastructure changes are logged centrally. Automated alerts fire on anomalous patterns — including unusual login locations, high error rates, and unexpected data-access volumes.

Incident response

EngageIQ maintains a formal incident response plan with defined severity levels, escalation paths, and remediation timelines. The plan is tested through tabletop exercises at least annually.

SeverityDefinitionInitial response SLO
Critical (P0)Data breach, service-wide outage, active exploit in production< 1 hour
High (P1)Significant feature degradation, potential data exposure, security finding< 4 hours
Medium (P2)Partial feature impairment, security advisory, non-critical finding< 24 hours
Low (P3)Minor issue, informational finding, cosmetic defect< 72 hours

Breach notification

If a personal data breach occurs that is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours where required by the GDPR, and will inform affected customers without undue delay to support their own notification obligations.

07

Third-Party & Subprocessor Security

Every subprocessor we use is evaluated for security and compliance before onboarding. We require data-processing agreements and conduct periodic reviews. Our core infrastructure subprocessors include:

Amazon Web Services

Core hosting. ISO 27001, SOC 2 Type II, PCI DSS certified.

Amazon SES

Email delivery relay. Operates under AWS's security framework.

Stripe

Payment processing. PCI DSS Level 1 certified.

Sentry

Error monitoring. ISO 27001 certified. Only error metadata is transmitted.

PostHog

Product analytics. EU-hosted option available. Minimal PII transmitted.

08

Compliance & Certifications

EngageIQ's security program is designed to align with the following frameworks and regulations:

  • GDPR & UK GDPR — data processing agreements, controller/processor obligations, and DSR workflows.
  • CCPA / CPRA — consumer rights, no-sale obligations, and data minimization.
  • CAN-SPAM & CASL — email sending compliance enforced at the platform level.
  • SOC 2 Type II — our audit program is designed around the Trust Services Criteria (Security, Availability, Confidentiality).
  • ISO 27001 — we follow ISO 27001-aligned information-security management practices.

Enterprise & compliance documentation

Customers on Enterprise plans can request our security questionnaire responses, DPA, subprocessor list, and compliance evidence package. Contact security@engageiq.com.
09

Penetration Testing

EngageIQ engages independent third-party security firms to conduct comprehensive penetration tests of the application and infrastructure at least annually. Findings are tracked to resolution and verified in follow-up testing.

Customers who wish to conduct their own security testing must obtain written authorization in advance by contacting security@engageiq.com. Unauthorized scanning or testing is prohibited under our Terms of Service.

10

Responsible Disclosure

We believe in working with the security community to identify and fix vulnerabilities. If you discover a security issue, please report it to us responsibly.

How to report

Email security@engageiq.com with a detailed description of the vulnerability, steps to reproduce, and your assessment of impact. Encrypt sensitive reports with our PGP key (available on request).

Our commitments to researchers

  • We will acknowledge your report within 2 business days.
  • We will provide an estimated timeline for investigation within 5 business days.
  • We will notify you when the vulnerability is resolved.
  • We will not pursue legal action against good-faith researchers who follow this policy.
  • We will publicly credit researchers who wish to be acknowledged (with their permission).

Scope

In scope: the EngageIQ platform, APIs, and SDKs. Out of scope: social-engineering attacks against EngageIQ staff, physical security, or third-party services we rely on. Please do not perform denial-of-service testing, access or modify customer data, or disclose vulnerabilities publicly before we have had a reasonable opportunity to remediate.

No bug bounty at this time

We do not currently operate a formal paid bug-bounty program. We do extend recognition and gratitude to researchers who disclose responsibly.
11

Contact

EngageIQ Security Team

Vulnerability reports & security inquiries: security@engageiq.com

Enterprise compliance documentation: security@engageiq.com

General legal: legal@engageiq.com

Read next

Acceptable Use Policy