Security Policy

1. Security controls

• Encryption in transit using modern TLS
• Encryption at rest on managed cloud infrastructure
• Per-user access controls enforced through backend rules
• OAuth credentials and sensitive secrets protected at rest
• Least-privilege API scope model for Google integrations

2. Google API data handling

HeyEnso's use of Google Workspace API data follows the Google Workspace API User Data and Developer Policy, including Limited Use requirements.

3. Responsible disclosure

If you discover a vulnerability, please report it responsibly and do not publicly disclose details before we can investigate.

• Email: security@heyenso.com
• Include affected endpoint/feature, steps, and impact
• We aim to acknowledge reports within 2 business days

4. Security contact metadata

Machine-readable policy reference: security.txt

5. Contact

Security: security@heyenso.com