ENA Innovation — Legal Documents

Security Infrastructure

Last Updated: June 7, 2026
Contents

  • 1. Security Architecture
  • 2. Transport Security
  • 3. Infrastructure Security
  • 4. Access Control and IAM
  • 5. Tenant Isolation
  • 6. Monitoring and Incident Response
  • 7. Certifications and Compliance
  • 8. Your Responsibilities
  • 9. Responsible Disclosure
  • 10. Contact

1. Security Architecture Overview

ENA Innovation designs and operates the EnaSpace platform with security as a core architectural principle, not an afterthought. Our security posture covers infrastructure, application, identity, and operational layers.

Legal basis for security measures. The technical and organizational measures described in this document are implemented in compliance with KVKK Article 12 (obligation to take necessary technical and administrative measures to prevent unlawful processing of and access to personal data) and GDPR Article 32 (appropriate technical and organizational security measures). These measures also satisfy the contractual security obligations in our Data Processing Agreement.

This page summarizes our security practices and how you can report a security concern. For contractual security commitments to enterprise customers, please refer to our Data Processing Agreement available through portal.enaspace.com.


2. Transport Security

TLS 1.3 Everywhere. All connections between your browser, mobile application, or API client and EnaSpace servers are encrypted using TLS 1.3. Older protocol versions (TLS 1.0, 1.1) and weak cipher suites are explicitly disabled.

HSTS. HTTP Strict Transport Security headers are enforced across all domains, instructing browsers to use HTTPS only and preventing protocol downgrade attacks.

Certificate Pinning. Where applicable, our mobile and client applications use certificate pinning to prevent man-in-the-middle attacks.


3. Infrastructure Security

Hosting. The EnaSpace platform is hosted on Huawei Cloud in the TR-West-1 (Istanbul) region, providing data residency within the Republic of Türkiye.

Container Orchestration. Workloads run on highly available, enterprise-grade container orchestration clusters. Each service runs in isolated namespaces with strict inter-service communication policies enforced by network policies and service mesh controls.

Data Encryption at Rest. All data stored in our database systems is encrypted using AES-256 encryption. Object storage (uploaded files, media, exports) is encrypted at the storage layer with AES-256 using managed encryption keys.

Infrastructure Hardening.

  • Nodes and containers run minimized OS images with reduced attack surface.
  • Network security groups restrict inbound traffic to authorized ports only.
  • All infrastructure changes are version-controlled and applied via GitOps pipelines with mandatory review gates.

Backups and Recovery.

  • Automated daily backups with integrity verification are maintained for all production databases and object storage.
  • RPO (Recovery Point Objective): ≤ 24 hours — meaning in the event of data loss, we can restore to a state within the previous 24 hours.
  • RTO (Recovery Time Objective): ≤ 4 hours for critical systems — meaning we aim to restore full service availability within 4 hours of a confirmed system failure event.
  • Backup copies are stored in geographically separated storage within the same jurisdiction (Türkiye).

4. Access Control and Identity Management

EnaGate — Self-Hosted Identity Infrastructure. The EnaSpace ecosystem uses EnaGate (enagate.com) for centralized authentication and authorization across all products. EnaGate is powered by a self-hosted, enterprise-grade identity and access management platform deployed and operated entirely on ENA Innovation's own infrastructure within the TR-West-1 region. No third-party cloud identity provider has access to EnaSpace user identity data. This self-hosted approach ensures that authentication events, user credentials, and session data never leave ENA Innovation's controlled environment.

Multi-Factor Authentication. MFA is strongly recommended and, for administrative accounts, enforceable by Tenant administrators. ENA Innovation requires MFA for all internal access to production systems.

Role-Based Access Control (RBAC). Access to platform resources is controlled by fine-grained role assignments. Users receive only the permissions required for their function (principle of least privilege).

Internal Access Controls.

  • Production system access for ENA Innovation personnel requires individual authentication and MFA.
  • Database and infrastructure access is logged and reviewed.
  • No standing access to production data is granted; access is time-limited and approved through a change management process.
  • Access privileges are reviewed quarterly.

5. Tenant Isolation

Logical Isolation. Each Tenant's data is logically isolated from all other Tenants through database-level row security policies. An application-layer bug cannot inadvertently expose one Tenant's data to another.

Cryptographic Namespace Binding. Tenant identifiers are cryptographically bound to their access tokens, preventing token reuse across Tenants.

API-Level Enforcement. All API endpoints validate Tenant context on every request. Authorization is enforced at the data access layer, not only at the route level.

Integration Credential Protection. Tenant-configured integration secrets — including BYO SMS provider API keys and webhook signing secrets — are stored using AES-256-GCM envelope encryption with keys derived from the platform master encryption key via HKDF. Secret values are never exposed in plaintext through the admin API. Outbound webhook and BYO SMS requests use HTTPS only; SSRF protections restrict outbound requests to public endpoints. Webhook event payloads are signed with HMAC-SHA256.
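
The storage scheme described above, sketched as an added example (not ENA Innovation's code): a per-tenant key is derived from a master key with HKDF-SHA256 and wraps a random data key under AES-256-GCM. The HKDF info label, the record layout and the use of the tenant ID as associated data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a 32-byte master key; a real deployment would fetch it from a KMS or HSM.
const MASTER_KEY = crypto.randomBytes(32);

// Derive a per-tenant key-encryption key (KEK) from the master key via HKDF-SHA256.
function deriveTenantKek(masterKey, tenantId) {
  const info = Buffer.from(`integration-secrets:${tenantId}`); // hypothetical label
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// AES-256-GCM with a fresh 96-bit nonce; aad binds the ciphertext to its tenant.
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function gcmOpen(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  // final() throws if the key, nonce, aad, ciphertext or tag does not match.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Envelope: a random data key (DEK) encrypts the secret; the tenant KEK wraps the DEK.
function sealSecret(masterKey, tenantId, secret) {
  const aad = Buffer.from(tenantId);
  const dek = crypto.randomBytes(32);
  const record = {
    wrappedDek: gcmSeal(deriveTenantKek(masterKey, tenantId), dek, aad),
    data: gcmSeal(dek, Buffer.from(secret, 'utf8'), aad),
  };
  dek.fill(0); // drop the plaintext DEK once it has been wrapped
  return record;
}

function openSecret(masterKey, tenantId, record) {
  const aad = Buffer.from(tenantId);
  const dek = gcmOpen(deriveTenantKek(masterKey, tenantId), record.wrappedDek, aad);
  return gcmOpen(dek, record.data, aad).toString('utf8');
}
```

Opening a record under a different tenant ID derives a different KEK, so the authentication tag check fails and no plaintext is returned.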


6. Monitoring and Incident Response

24/7 Monitoring. ENA Innovation operates continuous monitoring of platform health, authentication events, and anomalous access patterns with automated alerting.

Intrusion Detection. Behavioral anomaly detection identifies unusual patterns (e.g., credential stuffing, bulk API access, lateral movement).

Incident Response. In the event of a confirmed security incident, our incident response procedure includes:

  1. Immediate containment and scope assessment.
  2. Notification to affected Tenants within 72 hours of confirmed impact.
  3. Post-incident report provided to affected enterprise customers.
  4. Regulatory notification where required.

Status Page. Real-time platform status and incident updates are published at status.enagate.com.


7. Certifications and Compliance

Huawei Cloud Infrastructure Certification. EnaSpace is hosted on Huawei Cloud infrastructure, which holds ISO/IEC 27001:2013 (Information Security Management System) certification for its data centre operations. This certification covers physical access controls, environmental controls, and operational procedures at the data centre level.

ENA Innovation's certification status. ENA Innovation has not yet obtained independent ISO 27001 or SOC 2 certification at the organization level. We are actively working toward ISO 27001 certification. In the interim, our security controls are aligned with ISO 27001 Annex A control objectives and are described in this document and in the DPA Annex II.

Penetration Testing. ENA Innovation conducts periodic security reviews and penetration testing of the platform. Tests are conducted by qualified internal or third-party security professionals at least annually. Summary findings are available to enterprise customers on request under NDA. Critical vulnerabilities identified during testing are remediated on a priority basis before being publicly disclosed.

Regulatory compliance. Our security practices are designed to satisfy the requirements of KVKK Article 12, GDPR Article 32, and sector-specific security guidance issued by the Personal Data Protection Authority (KVKK Kurulu).


8. Your Responsibilities

Security follows a shared responsibility model. ENA Innovation secures the underlying platform, infrastructure, and default configurations. As a Tenant or End User, you are responsible for:

  • Protecting your EnaGate credentials. Use a unique, strong password and enable MFA on your account.
  • Managing user access. Assign roles with the minimum necessary privileges. Promptly revoke access for departing users.
  • Keeping software updated. Ensure the browsers and devices you use to access EnaSpace are running supported, up-to-date software.
  • Reporting anomalies. If you notice unusual activity on your account, report it immediately.
  • Securing your integrations. If you use EnaSpace APIs, outbound webhooks, or BYO SMS gateways, protect signing secrets and provider credentials, use HTTPS endpoints you control, verify webhook signatures before processing received events, and rotate credentials when team members with access depart.
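
One way a receiver can carry out the signature check in the last item, as an added example that is not EnaSpace's code or documented API: it assumes the signature arrives as a hex-encoded HMAC-SHA256 over the raw request body, and it accepts both the current and the previous secret so that rotation does not drop events.

```javascript
const crypto = require('node:crypto');

// Sender side, included only to build constructed test input:
// hex-encoded HMAC-SHA256 over the exact bytes of the request body (assumed format).
function signPayload(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side. rawBody must be the bytes as received, not re-serialized JSON.
// activeSecrets holds the current secret and, during rotation, the previous one.
function verifyWebhook(rawBody, signatureHex, activeSecrets) {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const given = Buffer.from(signatureHex, 'hex');
  let ok = false;
  for (const secret of activeSecrets) {
    const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
    // Constant-time comparison; both buffers are 32 bytes at this point.
    if (crypto.timingSafeEqual(given, expected)) ok = true;
  }
  return ok;
}

// Parse the payload only after the signature has been accepted.
function handleEvent(rawBody, signatureHex, activeSecrets) {
  if (!verifyWebhook(rawBody, signatureHex, activeSecrets)) {
    return { status: 401 };
  }
  return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
}
```

Once the rotation window closes, remove the old secret from the list so that signatures made with it stop verifying.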

9. Responsible Disclosure

We welcome security researchers and users who responsibly report potential vulnerabilities. ENA Innovation follows a coordinated disclosure process:

How to report:

Send your finding to [email protected] with subject line "Security Vulnerability Report". Please include:

  • A clear description of the vulnerability.
  • Steps to reproduce the issue.
  • Potential impact assessment.
  • Any proof-of-concept (screenshots, request/response samples).

Our commitments:

  • We will acknowledge receipt within 2 business days.
  • We will investigate and provide an update within 14 business days.
  • We will not pursue legal action against good-faith reporters who comply with this disclosure process.
  • We will credit researchers (with consent) when a valid vulnerability is remediated.

Out of scope: Social engineering, phishing of ENA Innovation employees, attacks against user accounts you do not own, physical attacks.


10. Contact

For security inquiries or vulnerability reports:

ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş.

  • Email: [email protected] — Subject: "Security Vulnerability Report"
  • MERSİS: 0334130943400001

© 2026 ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş.