Security

Last updated: April 12, 2026

EnableMate is built with security and data protection at its core. We understand that our customers trust us with sensitive brand assets, campaign strategies, and business content. This page describes the measures we take to protect your data.

Our Approach

Security is not a feature — it is a foundational principle of how we build and operate EnableMate. We follow the principle of least privilege, encrypt data in transit and at rest, and isolate each organization's data from every other customer at the database level.

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 encryption
  • Database connections use SSL/TLS encryption
  • Authentication tokens are integrity-protected JWTs (HS256, i.e. HMAC-SHA256 keyed with a server-side secret), so a token cannot be altered or forged without that secret
  • Passwords are hashed using bcrypt, which embeds a unique random salt per password — we never store plaintext passwords

Authentication & Access Control

  • Authentication via Supabase Auth, which issues short-lived access tokens backed by server-side refresh sessions
  • Row-Level Security (RLS) enforces data isolation at the database level
  • Role-based access: Platform Admin, Organization Admin, and User roles
  • Organization-scoped data — users can only access data belonging to their organization
  • Password reset via secure email-based token flow
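The organization-scoped isolation described above is enforced by Postgres row-level security policies that read the caller's identity from the JWT Supabase attaches to each connection. The block below is an added illustration, not EnableMate's actual schema or policies: the tables `organizations`, `organization_members` and `campaigns`, the helper `app_is_member`, and the sample UUIDs are all hypothetical; `auth.uid()` is the Supabase helper that returns the `sub` claim of the current request's JWT.

```sql
-- Added example (hypothetical schema, not EnableMate's own): organization-scoped
-- row-level security on Supabase Postgres.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organization_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null,   -- equals auth.users.id, i.e. the JWT "sub" claim
  role    text not null check (role in ('org_admin', 'user')),
  primary key (org_id, user_id)
);

create table campaigns (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations(id) on delete cascade,
  title  text not null
);

-- "Is the caller a member of this org (optionally with a given role)?"
-- SECURITY DEFINER lets the policy consult the membership table without the
-- caller needing broad read access to it; search_path is pinned so a caller
-- cannot shadow the table name with an object in their own schema.
create or replace function app_is_member(p_org uuid, p_role text default null)
returns boolean
language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from organization_members m
    where m.org_id  = p_org
      and m.user_id = auth.uid()
      and (p_role is null or m.role = p_role)
  );
$$;
revoke execute on function app_is_member(uuid, text) from public, anon;
grant  execute on function app_is_member(uuid, text) to authenticated;

-- Enable RLS, and FORCE it so the table owner is subject to it too: a
-- misconfigured server-side connection then cannot silently read every tenant.
alter table campaigns enable row level security;
alter table campaigns force  row level security;
alter table organization_members enable row level security;

-- Members may read only their own membership rows.
create policy members_read_own on organization_members
  for select to authenticated
  using (user_id = auth.uid());

-- Any member of an organization may read its campaigns.
create policy campaigns_read on campaigns
  for select to authenticated
  using (app_is_member(org_id));

-- Writes must target an organization the caller belongs to. WITH CHECK is what
-- stops a user from inserting or re-pointing a row to another org_id.
create policy campaigns_insert on campaigns
  for insert to authenticated
  with check (app_is_member(org_id));

create policy campaigns_update on campaigns
  for update to authenticated
  using (app_is_member(org_id))
  with check (app_is_member(org_id));

-- Deletion is reserved for organization admins.
create policy campaigns_delete on campaigns
  for delete to authenticated
  using (app_is_member(org_id, 'org_admin'));

-- Local check of the isolation property (constructed sample data). Seed two
-- orgs as the owner, then impersonate an authenticated user by setting the
-- claims auth.uid() reads, and observe that only org A's rows come back.
insert into organizations (id, name) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Org A'),
  ('bbbbbbbb-0000-0000-0000-000000000002', 'Org B');
insert into organization_members (org_id, user_id, role) values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111', 'user');
insert into campaigns (org_id, title) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'A: spring launch'),
  ('bbbbbbbb-0000-0000-0000-000000000002', 'B: confidential');

begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  select org_id, title from campaigns;          -- only 'A: spring launch'
  -- The next statement is rejected: "new row violates row-level security policy"
  insert into campaigns (org_id, title)
    values ('bbbbbbbb-0000-0000-0000-000000000002', 'cross-tenant write');
rollback;
```

Two caveats worth keeping in mind when reading policies like these: the Supabase `service_role` key bypasses RLS entirely, so it must only ever be used server-side and never shipped to a browser; and a SECURITY DEFINER helper runs with its owner's privileges, so it should do exactly one narrow lookup, as `app_is_member` does, rather than expose a general query path.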

Infrastructure

  • Application hosted on Vercel with automatic TLS and DDoS protection
  • Database hosted on Supabase (AWS EU-Frankfurt region) with automated backups
  • File storage on Supabase Storage with access-controlled buckets
  • No customer data stored on developer machines or local environments
  • Environment secrets managed via Vercel environment variables — never committed to code

AI Data Handling

  • Your content is sent to AI providers (Anthropic, OpenAI) only when you trigger a generation request
  • AI providers process your content solely to fulfil the request, under their API data-use policies, which also govern how long they retain it
  • Neither Anthropic nor OpenAI uses your data to train their models (their enterprise/API data policies apply)
  • Generated content is stored only in your organization's workspace
  • AI control settings let you define how much creative latitude the AI has — from strict reproduction to adaptive generation

Organizational Controls

  • Admins control who has access to the organization workspace
  • Region-based access allows scoping users to specific markets
  • Audit logging tracks key actions (user management, settings changes, content generation)
  • Content governance settings define brand guardrails enforced on all generated content
  • Campaign-level access controls via shared links with expiration

Incident Response

  • Security incidents are triaged within 24 hours of detection and then investigated
  • Affected customers are notified within 72 hours of a confirmed breach, consistent with the breach-notification duties under GDPR and nFADP
  • Post-incident reports are provided for material security events
  • Vulnerabilities can be reported to security@enablemate.ai

Compliance

EnableMate is designed to comply with the Swiss Federal Act on Data Protection (nFADP) and the EU General Data Protection Regulation (GDPR). Our data processing practices, sub-processor agreements, and data transfer mechanisms are aligned with these frameworks.

For more details on how we handle personal data, see our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability in EnableMate, please report it responsibly to security@enablemate.ai. We take all reports seriously and will respond within 48 hours. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Questions

For security-related questions or to request our Data Processing Agreement (DPA), contact us at security@enablemate.ai.

Note: This document is provided for informational purposes and should be reviewed by qualified legal counsel before relying on it for compliance purposes. If you have questions, contact us at legal@enablemate.ai.