Security Overview
Security is a foundational requirement, not an afterthought. EngageIQ's security program covers the full stack — infrastructure, application, data, and people — and is designed to protect the confidentiality, integrity, and availability of customer data at all times.
We publish this page to give customers, security researchers, and enterprise procurement teams transparent visibility into our controls, practices, and commitments.
TLS 1.2+
Encryption in transit
AES-256
Encryption at rest
99.9% target
Uptime SLA
Infrastructure Security
Cloud provider
EngageIQ is hosted exclusively on Amazon Web Services (AWS), one of the world's most certified cloud providers. AWS infrastructure operates under ISO 27001, SOC 1/2/3, PCI DSS, and other internationally recognized frameworks.
Network segmentation
- All production workloads run inside private Virtual Private Clouds (VPCs) with no direct public internet access.
- Security groups enforce strict inbound and outbound rules using least-privilege network ACLs.
- Public-facing load balancers terminate TLS before forwarding traffic to private application tiers.
- Separate network environments for production, staging, and development prevent cross-environment data access.
DDoS & edge protection
AWS Shield Standard is enabled across all public endpoints to mitigate volumetric DDoS attacks. Rate limiting is enforced at the API layer for all authenticated and unauthenticated endpoints.
Data Security & Encryption
Encryption in transit
All data in transit between clients and EngageIQ services is encrypted using TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) with a long max-age and preloading, ensuring browsers always use HTTPS. Unencrypted connections are rejected.
Encryption at rest
All persistent data stores — databases, object storage, and backups — are encrypted at rest using AES-256 via AWS-managed keys (AWS KMS). Disk-level encryption is enabled on all compute instances.
Secrets management
Application secrets, API keys, and credentials are stored in a secrets manager — never in source code or environment variables committed to version control. Secrets are rotated on a defined schedule and immediately upon suspected compromise.
Backup & recovery
- Automated encrypted database backups are taken daily with point-in-time recovery enabled.
- Backups are retained for a rolling 30-day window and stored in a separate AWS region.
- Recovery procedures are tested periodically to validate restoration integrity.
Access Controls
Principle of least privilege
Internal access to production systems is granted only to team members with a demonstrated operational need. All access is role-based, documented, and reviewed on a quarterly basis. Access is revoked immediately upon role change or departure.
Multi-factor authentication
MFA is mandatory for all EngageIQ employees accessing production infrastructure, cloud consoles, and internal tooling. Phishing-resistant hardware keys (FIDO2/WebAuthn) are required for privileged access.
Privileged access management
- Direct production database access is prohibited except through a time-limited, audited bastion.
- All privileged sessions are logged and reviewed.
- SSH key rotation and certificate-based authentication are enforced.
Customer workspace isolation
Each customer workspace is logically isolated at the data layer. Row-level access controls ensure that one customer's data cannot be accessed by another, even within shared infrastructure.
Application Security
- Input validation and parameterized queries are enforced platform-wide to prevent SQL injection and injection attacks.
- Output encoding is applied at all rendering surfaces to prevent XSS.
- CSRF protection is implemented on all state-changing endpoints via token verification.
- Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) are set on all HTTP responses.
- Dependency scanning runs on every pull request and nightly against the full dependency tree.
- Container images are scanned for known CVEs before deployment.
- A web application firewall (WAF) is active on all public-facing endpoints.
Secure development lifecycle
Security reviews are integrated into the development process. Critical changes undergo design review before implementation, code review before merge, and automated security testing before deployment. Engineers receive annual security awareness training and role-specific secure-coding training.
Monitoring, Logging & Incident Response
Continuous monitoring
All API requests, authentication events, administrative actions, and infrastructure changes are logged centrally. Automated alerts fire on anomalous patterns — including unusual login locations, high error rates, and unexpected data-access volumes.
Incident response
EngageIQ maintains a formal incident response plan with defined severity levels, escalation paths, and remediation timelines. The plan is tested through tabletop exercises at least annually.
| Severity | Definition | Initial response SLO |
|---|---|---|
| Critical (P0) | Data breach, service-wide outage, active exploit in production | < 1 hour |
| High (P1) | Significant feature degradation, potential data exposure, security finding | < 4 hours |
| Medium (P2) | Partial feature impairment, security advisory, non-critical finding | < 24 hours |
| Low (P3) | Minor issue, informational finding, cosmetic defect | < 72 hours |
Breach notification
If a personal data breach occurs that is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours where required by the GDPR, and will inform affected customers without undue delay to support their own notification obligations.
Third-Party & Subprocessor Security
Every subprocessor we use is evaluated for security and compliance before onboarding. We require data-processing agreements and conduct periodic reviews. Our core infrastructure subprocessors include:
Amazon Web Services
Core hosting. ISO 27001, SOC 2 Type II, PCI DSS certified.
Amazon SES
Email delivery relay. Operates under AWS's security framework.
Stripe
Payment processing. PCI DSS Level 1 certified.
Sentry
Error monitoring. ISO 27001 certified. Only error metadata is transmitted.
PostHog
Product analytics. EU-hosted option available. Minimal PII transmitted.
Compliance & Certifications
EngageIQ's security program is designed to align with the following frameworks and regulations:
- GDPR & UK GDPR — data processing agreements, controller/processor obligations, and DSR workflows.
- CCPA / CPRA — consumer rights, no-sale obligations, and data minimization.
- CAN-SPAM & CASL — email sending compliance enforced at the platform level.
- SOC 2 Type II — our audit program is designed around the Trust Services Criteria (Security, Availability, Confidentiality).
- ISO 27001 — we follow ISO 27001-aligned information-security management practices.
Enterprise & compliance documentation
Penetration Testing
EngageIQ engages independent third-party security firms to conduct comprehensive penetration tests of the application and infrastructure at least annually. Findings are tracked to resolution and verified in follow-up testing.
Customers who wish to conduct their own security testing must obtain written authorization in advance by contacting security@engageiq.com. Unauthorized scanning or testing is prohibited under our Terms of Service.
Responsible Disclosure
We believe in working with the security community to identify and fix vulnerabilities. If you discover a security issue, please report it to us responsibly.
How to report
Email security@engageiq.com with a detailed description of the vulnerability, steps to reproduce, and your assessment of impact. Encrypt sensitive reports with our PGP key (available on request).
Our commitments to researchers
- We will acknowledge your report within 2 business days.
- We will provide an estimated timeline for investigation within 5 business days.
- We will notify you when the vulnerability is resolved.
- We will not pursue legal action against good-faith researchers who follow this policy.
- We will publicly credit researchers who wish to be acknowledged (with their permission).
Scope
In scope: the EngageIQ platform, APIs, and SDKs. Out of scope: social-engineering attacks against EngageIQ staff, physical security, or third-party services we rely on. Please do not perform denial-of-service testing, access or modify customer data, or disclose vulnerabilities publicly before we have had a reasonable opportunity to remediate.
No bug bounty at this time
Contact
EngageIQ Security Team
Vulnerability reports & security inquiries: security@engageiq.com
Enterprise compliance documentation: security@engageiq.com
General legal: legal@engageiq.com
Read next