EnforceLayer

Security

EnforceLayer is a DNS monitoring platform for email authentication enforcement (SPF, DKIM and DMARC). Below we describe how we protect customer data, our infrastructure, and the integrity of the service itself.

1. Security Philosophy

EnforceLayer is built around enforcement discipline.

We focus on:

  • Visibility
  • Configuration integrity
  • Drift detection
  • Measurable enforcement posture

We do not promise absolute protection.

We provide measurable improvement and monitoring of DNS-based email authentication controls.

2. Infrastructure Security

Hosting

EnforceLayer is hosted on Vercel infrastructure.

Infrastructure protections include:

  • Global CDN
  • Automatic HTTPS (TLS 1.2+)
  • DDoS mitigation at edge layer
  • Isolated serverless execution

We do not operate physical servers.

Data Storage

Data is stored in Supabase (PostgreSQL).

Security measures include:

  • Encrypted connections (TLS)
  • Role-based access
  • Database-level access controls
  • Restricted service key usage
  • Server-side environment isolation

Sensitive access keys are never exposed to the client.

Payment Security

Payments are processed by Stripe.

  • PCI compliance handled by Stripe
  • We do not store credit card numbers
  • Webhooks are verified via Stripe signature validation
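The following is an added illustration of what "signature validation" means for a Stripe webhook; it is example code written for this page, not EnforceLayer's handler. It mirrors Stripe's documented scheme (a Stripe-Signature header of the form t=<timestamp>,v1=<hex>, where v1 is HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint secret, checked against a 300-second tolerance). The endpoint secret and the event body are constructed for the example; in production the official stripe library's stripe.Webhook.construct_event does the same work.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical endpoint secret; Stripe issues a real one (whsec_...) per webhook endpoint.
ENDPOINT_SECRET = "whsec_example_secret_not_real"
TOLERANCE_SECONDS = 300  # Stripe's default replay window


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """v1 signature: HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded."""
    signed = f"{timestamp}.".encode("utf-8") + payload
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def build_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Build a Stripe-Signature value; used here only to construct test input."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def parse_header(header: str):
    """Return (timestamp, [v1 signatures]); several v1 values appear during secret rotation."""
    timestamp, sigs = None, []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if key == "t" and sep:
            timestamp = int(value)          # ValueError on garbage is handled by the caller
        elif key == "v1" and sep:
            sigs.append(value)
    if timestamp is None or not sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, sigs


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """True only if the header carries a fresh, valid signature over the raw body."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, sigs = parse_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                        # stale or future-dated: reject as replay
    expected = sign_payload(secret, timestamp, payload)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return any(hmac.compare_digest(expected, sig) for sig in sigs)


# Constructed event body; the raw request bytes must be signed, not a re-serialised JSON object.
SAMPLE_BODY = b'{"id":"evt_example","type":"invoice.paid"}'

if __name__ == "__main__":
    header = build_header(ENDPOINT_SECRET, int(time.time()), SAMPLE_BODY)
    print("valid:", verify_webhook(SAMPLE_BODY, header, ENDPOINT_SECRET))
    print("tampered:", verify_webhook(SAMPLE_BODY + b" ", header, ENDPOINT_SECRET))
```

The two details that most often go wrong in real handlers are both visible here: the signature is computed over the exact bytes Stripe sent (any framework that parses and re-encodes the JSON first will break verification), and the timestamp is checked before the HMAC so that an old, genuinely signed event cannot be replayed to re-trigger a subscription change.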

Email Delivery

Monitoring alerts and service emails are delivered via Resend and other reputable email infrastructure providers.

SPF, DKIM, and DMARC are configured on our own sending domain, so our alert mail passes the same authentication checks we monitor for customers.

3. Application Security

API Security

  • Authenticated endpoints
  • Token-based access control for reports
  • Signed webhook validation
  • Server-side enforcement of business logic

Report tokens are long random values: they cannot be guessed, and they do not follow a sequence that would let one valid token be used to enumerate others.
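An added example of how a non-guessable, non-enumerable report token can be issued and checked; this is illustrative code for this page, not EnforceLayer's implementation. It assumes an in-memory store (a hypothetical stand-in for a database table) that holds only the SHA-256 of each token together with the report id and an expiry time.

```python
import hashlib
import secrets
import time
from typing import Optional

# Hypothetical in-memory store, token hash -> (report_id, expires_at).
# Only the hash is persisted, so a leaked table does not yield working report links.
_REPORT_TOKENS = {}
DEFAULT_TTL_SECONDS = 24 * 3600
MAX_TOKEN_LENGTH = 128


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_report_token(report_id: str, ttl_seconds: int = DEFAULT_TTL_SECONDS,
                       now: Optional[int] = None) -> str:
    """Mint a 256-bit token from the OS CSPRNG and store only its hash."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)          # 32 random bytes -> 43 URL-safe characters
    _REPORT_TOKENS[_hash_token(token)] = (report_id, now + ttl_seconds)
    return token


def resolve_report_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the report id for a live token, else None.

    Malformed, unknown and expired tokens all take the same path and return the
    same None, so a caller probing the endpoint cannot tell which case it hit.
    """
    now = int(time.time()) if now is None else now
    if not token or len(token) > MAX_TOKEN_LENGTH:
        return None
    entry = _REPORT_TOKENS.get(_hash_token(token))
    if entry is None or now >= entry[1]:
        return None
    return entry[0]


def revoke_report_token(token: str) -> bool:
    """Invalidate a token immediately; True if it existed."""
    return _REPORT_TOKENS.pop(_hash_token(token), None) is not None


if __name__ == "__main__":
    tok = issue_report_token("rpt_example")
    print("token:", tok)
    print("resolves to:", resolve_report_token(tok))
    print("sequential guess resolves to:", resolve_report_token("rpt_example"))
```

Because the lookup key is the hash of a 256-bit random value, a guess succeeds with probability 2^-256 per attempt and there is no adjacent token to try next; a sequential or short identifier in the URL is what turns a report link into an enumeration problem. Rate limiting the report endpoint is still worth adding on top, since it cuts off bulk probing regardless of token strength.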

Access Control

Internal access to production systems is restricted.

  • Principle of least privilege
  • No public database access
  • Environment variable protection
  • Deployment via controlled pipeline

Encryption

  • All traffic encrypted via HTTPS
  • No plaintext transmission of sensitive data
  • Secure token handling

4. Monitoring & Integrity Controls

EnforceLayer continuously monitors:

  • DNS configuration changes
  • Enforcement drift
  • Alignment failures
  • Risk score degradation

Monitoring jobs run on a fixed schedule and compare each new DNS snapshot against the previously recorded one.
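To make the four monitored conditions concrete, here is an added example of a drift check over two DNS snapshots of the same domain; it is illustrative code for this page, not EnforceLayer's detection logic. The baseline and current records are constructed, the domain is hypothetical, and the 0-100 scoring weights are an assumption of the example rather than the product's risk model. It goes slightly beyond the list above in that it also catches a pct= reduction, which partially disables an otherwise enforced DMARC policy.

```python
from typing import Optional

# Ordering of DMARC policies and SPF 'all' qualifiers from weakest to strongest.
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
SPF_ALL_RANK = {"+all": 0, "?all": 0, "~all": 1, "-all": 2}


def _int(value, default: int) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split a DMARC TXT record into tag/value pairs; None if absent or not v=DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_policy(tags: Optional[dict]) -> str:
    # p= is mandatory per RFC 7489; a missing or unknown value is treated as 'none' here.
    policy = (tags or {}).get("p", "none").lower()
    return policy if policy in DMARC_RANK else "none"


def spf_all_qualifier(record: Optional[str]) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism ('-all', '~all', ...), or None."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qual + "all"
    return None  # no 'all' term: the record is effectively neutral


def posture_score(snapshot: dict) -> int:
    """Illustrative 0-100 enforcement score; the weights are an assumption of this example."""
    tags = parse_dmarc(snapshot.get("dmarc"))
    policy = dmarc_policy(tags)
    score = DMARC_RANK[policy] * 30                                   # up to 60
    if policy != "none" and _int((tags or {}).get("pct", "100"), 100) >= 100:
        score += 10                                                  # policy covers all mail
    score += SPF_ALL_RANK.get(spf_all_qualifier(snapshot.get("spf")) or "", 0) * 15  # up to 30
    return score


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare two snapshots {'dmarc': txt, 'spf': txt} and list every weakening."""
    findings = []
    b_tags, c_tags = parse_dmarc(baseline.get("dmarc")), parse_dmarc(current.get("dmarc"))
    if b_tags and not c_tags:
        findings.append("DMARC record removed or invalid")
    else:
        bp, cp = dmarc_policy(b_tags), dmarc_policy(c_tags)
        if DMARC_RANK[cp] < DMARC_RANK[bp]:
            findings.append(f"DMARC policy weakened: p={bp} -> p={cp}")
        if c_tags:
            bpct = _int((b_tags or {}).get("pct", "100"), 100)
            cpct = _int(c_tags.get("pct", "100"), 100)
            if cpct < bpct:
                findings.append(f"DMARC pct reduced: {bpct} -> {cpct}")
            for tag in ("adkim", "aspf"):   # alignment mode: s=strict, r=relaxed (default)
                if (b_tags or {}).get(tag, "r") == "s" and c_tags.get(tag, "r") != "s":
                    findings.append(f"DMARC {tag} alignment relaxed from strict")
    bq, cq = spf_all_qualifier(baseline.get("spf")), spf_all_qualifier(current.get("spf"))
    if bq and not cq:
        findings.append("SPF record removed or invalid")
    elif bq and cq and SPF_ALL_RANK[cq] < SPF_ALL_RANK[bq]:
        findings.append(f"SPF 'all' qualifier softened: {bq} -> {cq}")
    bs, cs = posture_score(baseline), posture_score(current)
    if cs < bs:
        findings.append(f"Risk score degraded: {bs} -> {cs}")
    return findings


# Constructed snapshots for a hypothetical domain; not real DNS data.
BASELINE = {
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "spf": "v=spf1 include:_spf.example.net -all",
}
CURRENT = {
    "dmarc": "v=DMARC1; p=quarantine; pct=50; adkim=r; rua=mailto:dmarc@example.com",
    "spf": "v=spf1 include:_spf.example.net ~all",
}

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT):
        print("DRIFT:", finding)
```

Every finding is a comparison against the recorded baseline rather than an absolute judgement, which is what distinguishes drift detection from a one-off posture scan: a domain that has always run p=none produces no drift alert, while a domain that was at p=reject and quietly drops to p=quarantine with pct=50 produces several. The parser only recognises what the passage above covers (policy, pct, alignment, the SPF 'all' qualifier); a full DMARC evaluator also has to follow sp=, rua/ruf destinations and the organisational-domain lookup.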

Security logging includes:

  • Access logs
  • Error logs
  • Webhook validation logs

5. What We Do NOT Do

To avoid misunderstanding:

  • We do not access private email inboxes
  • We do not store email message content
  • We do not intercept email traffic
  • We do not guarantee prevention of all spoofing
  • We do not modify DNS records on your behalf

We provide analysis and guidance.

DNS changes are performed by the domain owner.

6. Responsible Disclosure

If you believe you have discovered a security vulnerability, please contact:

security@enforcelayer.com
or
support@enforcelayer.com

Please include:

  • Description of the issue
  • Steps to reproduce
  • Impact assessment

We commit to reviewing valid reports promptly.

7. Service Limitations

EnforceLayer analyzes publicly available DNS records.

Limitations include:

  • Dependency on external DNS providers
  • Dependency on mail providers (Google, Microsoft, Zoho, etc.)
  • Propagation delays
  • Third-party infrastructure dependencies

Security posture improvements depend on correct DNS configuration.

8. Data Integrity & Backups

We implement:

  • Database redundancy
  • Infrastructure-level backup policies (via provider)
  • Controlled deployment workflows

However, no cloud system guarantees zero downtime.

9. Compliance Position

EnforceLayer:

  • Is not SOC 2 certified
  • Is not ISO 27001 certified
  • Is not a regulated financial institution

We rely on secure cloud infrastructure providers and enforce internal security discipline.

10. Continuous Improvement

Security is not static.

We regularly:

  • Review logging practices
  • Review token security
  • Improve drift detection logic
  • Harden subscription lifecycle validation
  • Improve abuse detection

11. Contact

General support:
support@enforcelayer.com