Practices
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- JWT-based auth with rotating refresh tokens
- Mandatory MFA for admin / super-admin roles, with elevated MFA for danger-zone actions
- Per-product database isolation, row-per-tenant inside
- Nightly off-site backups
- Signed audit log for every critical action
Sub-processors
- Paddle — subscription billing (Merchant of Record)
- Postmark — transactional email
- Cloud VPS provider — primary hosting
Responsible disclosure
Found a vulnerability? Email security@enlinka.co. We commit to acknowledging within 48 hours.