Security

EU-hosted, encrypted everywhere, yours to export anytime.

The technical detail behind the calm. Ensaria is built single-handedly by one person, but the security baseline matches what serious B2B SaaS ships. No SOC 2 yet — we'll be honest about it.

EU-only data residency

All user data lives in Neon's EU-Central region (Frankfurt). Backups run inside the same region. No data ever crosses the Atlantic. Subprocessors are listed publicly at /subprocessors with their regions.

Encryption in transit and at rest

TLS 1.3 on every connection (HSTS preloaded). Database storage encrypted at rest with per-instance keys. Object storage on Cloudflare R2 uses server-side encryption.

Row-level security

Every user-owned table in the database has Postgres RLS policies that scope reads and writes to the authenticated user. Verified across 23 tables; a misconfigured query fails closed and returns no rows rather than leaking them.
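The fail-closed behaviour described above depends on how the policy resolves "the authenticated user". The following is an added illustration of that pattern in plain PostgreSQL, not Ensaria's schema or code: the table `tasks`, the role `app_user` and the per-connection setting `app.user_id` are assumptions for the example. It shows the two details that make a policy fail closed instead of open: a missing identity must evaluate to NULL (never to a value that matches rows), and the policy must apply to the table owner as well.

```sql
-- Added example (not Ensaria's schema): one user-owned table with fail-closed RLS.
-- Assumptions: the app connects as role app_user (not as the table owner or a
-- superuser, both of which would bypass RLS), and after verifying the session
-- token it sets the per-transaction setting app.user_id to the caller's id.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE tasks (
    id        bigserial PRIMARY KEY,
    owner_id  uuid NOT NULL,
    title     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON tasks TO app_user;

-- With RLS enabled and no policy attached yet, the table is default-deny for
-- app_user: every SELECT returns zero rows and every write is rejected.
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner too, so code that accidentally
-- connects as the owner does not silently see every user's rows.
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;

-- Scope every read and write to the authenticated user.
-- current_setting(..., true) returns NULL when the setting was never set, but
-- returns '' once a SET LOCAL has expired on a pooled connection; NULLIF folds
-- that '' to NULL as well. owner_id = NULL is NULL, which RLS treats as false,
-- so a request with no identity sees nothing and cannot insert anything.
CREATE POLICY tasks_owner_only ON tasks
    FOR ALL
    TO app_user
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Per request: pin the identity for this transaction only. SET LOCAL is undone
-- at COMMIT/ROLLBACK, so a pooled connection cannot carry one user's id into
-- the next request. (Constructed sample id.)
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tasks (owner_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Invoice client');
SELECT id, title FROM tasks;   -- only rows owned by this user
COMMIT;

-- A request that forgot to set app.user_id fails closed: the SELECT returns
-- zero rows, and an INSERT for any owner_id is rejected by WITH CHECK.
BEGIN;
SELECT id, title FROM tasks;   -- 0 rows: the setting resolves to NULL
COMMIT;
```

Two checks worth running against a real schema: confirm every user-owned table reports `rowsecurity = true` and `forcerowsecurity = true` in `pg_tables`/`pg_class`, and confirm the application role is not the table owner and not a superuser, since both escape RLS regardless of the policy text.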

Authentication

Magic-link by default — no passwords to leak. Optional Google and GitHub OAuth. Session tokens are short-lived; long-lived refresh tokens never reach the client. Sign-in attempts are rate-limited per-IP and per-email.

Backups + recovery

Continuous WAL-based backups via Neon, 7-day point-in-time recovery. A 30-day delete grace period means an accidentally-deleted account stays fully restorable in our system for a month, then is hard-deleted.

Data export and deletion

Settings → Export builds a single JSON file with every project, task, block, time entry, payment, and setting. No download gate, no upsell. Settings → Delete account starts the 30-day grace; one click in Settings → Restore brings it back.

What we don't yet have

Honest gaps.

Ensaria is early. There are things bigger products have and we don't — yet. The honest list:

  • SOC 2 Type II. Not started. We'll begin the runway once paying-customer count makes it sensible (~year 2). Until then, we'll publish what we have: this page, subprocessors, DPA on request.
  • SSO / SCIM. Built for solo freelancers; no team plan, so no team SSO. If that changes we'll add it.
  • Public security disclosure program. Coming. For now, email security@ensaria.com and we'll respond within two business days.

Found a security issue?

Email security@ensaria.com with reproduction steps. We aim to acknowledge within one business day and fix critical issues within seven. No bounty program yet — we'll thank you publicly (if you want) and credit you in the changelog.