© 2026 Enso Labs LLC. All rights reserved.
Security
A plain-English summary of the security posture behind Enso Labs and Kanso. For the full legal language, see the master legal document.
All traffic to and from Enso Labs services uses TLS 1.2+ with modern cipher suites. Data at rest is encrypted on managed infrastructure (Vercel, Supabase) using AES-256 equivalents. Database backups inherit the same encryption as the primary store.
Production secrets live only in Vercel environment variables and are never committed. Application code requests data only for the signed-in user; administrative access is limited, logged, and requires strong authentication.
We work only with sub-processors that offer appropriate contractual protections, including Data Processing Agreements (DPAs), Standard Contractual Clauses for international transfers, and documented security practices. The complete list lives in the legal framework and is updated when it changes.
AI inference on your data is performed by trusted model providers under agreements that prohibit training their foundation models on customer inputs. Enso Labs does not sell personal data, does not share it for cross-context behavioral advertising, and does not run targeted ad networks.
If you believe you've found a security issue, please email us before disclosing publicly. We aim to acknowledge within one business day and to coordinate a fix and a public advisory once the issue is resolved. We do not currently operate a paid bug bounty, but we credit reporters who follow responsible disclosure.
We monitor production errors through Sentry with privacy-safe defaults (no session replay, no PII capture). In the event of a personal-data incident, we notify affected users and regulators as required under applicable law (GDPR 72-hour window, UK-GDPR, US state laws). Notification includes what happened, what data was involved, and what we're doing about it.
HSTS with preload, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy disabling camera, microphone, geolocation, payment APIs, and FLoC.
We run lint, typecheck, and format gates in CI; npm audit is reviewed before each release; and we track upstream security advisories for the frameworks we depend on (Next.js, React, Sentry, Supabase client, Tailwind).
Developer machines run full-disk encryption and managed endpoint protection. Source-code access requires 2FA on GitHub.
The marketing site (ensolabs.cc) does not set analytics or advertising cookies. Error monitoring scrubs PII and IP addresses, and session replay is off by default.
Please email the security team before disclosing publicly. Include reproduction steps, affected versions, and any supporting evidence.
support@ensolabs.ccFor a full breakdown of our data-handling commitments, read the legal framework.