Trust at Enterwise
Last updated: 22 May 2026
We're building an AI-native platform for business analysis and organizational change. Your trust depends on knowing how we handle your data, who can see it, and what we will and won't do with it. This page lays it out.
Early Access Notice
Enterwise is currently in early access. Our security and compliance posture matures alongside the product as we move toward commercial launch. We will not overstate our position.
Security
We protect customer data with:
- Encryption in transit (TLS) and at rest
- Access controls based on least privilege; role-based access and Row-Level Security at the database
- Multi-factor authentication on critical accounts
- Infrastructure logging and audit trails (who created or changed content, and when)
- Personnel obligations to maintain confidentiality
- Vendor due diligence before adding any subprocessor
A more detailed Technical and Organisational Measures (TOMs) summary is available on request and forms part of our Data Processing Agreement.
Vulnerability disclosure
Found a security issue? Email security@enterwise.ai. We acknowledge within 2 business days and work with you on responsible disclosure. We do not currently run a paid bug bounty programme but will recognise meaningful findings publicly with your consent.
Reliability and incidents
We do not provide a formal service-level agreement (SLA) during early access. Target response times for incidents reported to security@enterwise.ai:
- Critical (service down, suspected data exposure): acknowledge within 4 hours
- High (significant degradation): acknowledge within 1 business day
- Medium / low: acknowledge within 3 business days
If we determine personal data has been compromised, we will notify affected customers within 48 hours of becoming aware, and the relevant supervisory authority where required.
Customer data is backed up daily by our cloud provider; recovery is exercised as part of provider operations. Planned maintenance is announced in advance through the Service.
Privacy
We collect only what we need to run the Service. We do not sell your data, run ads, or use third-party product analytics or trackers. Most customer data stays in the European Union.
See our Privacy Policy and Cookie Policy for the full picture.
AI commitments and data flow
Building an AI-native product demands extra transparency. Our commitments:
- Customer content is not used to train third-party AI models. Our AI subprocessors are contractually bound to the same.
- AI usage logs (prompts, outputs, telemetry) are retained for 90 days, solely for reliability, abuse prevention, debugging, and cost monitoring.
- AI outputs are not decisions about you. Enterwise does not make automated decisions with legal or similarly significant effects.
How AI requests flow
When you use an AI feature in Enterwise:
- Prompt context (the workspace content relevant to the request) is sent from our EU-hosted application (Vercel) to one of our AI providers: OpenAI (US, language and audio transcription), Mistral AI (EU, language and audio transcription), or ElevenLabs (US, audio transcription).
- The provider processes the request and returns an output. No provider retains your content beyond what is needed to return the response, and none uses it to train their models(verified via each provider's API terms and our account configuration; the verification is repeated quarterly).
- We store a log of the prompt, output, and operational telemetry (tokens, model, cost, errors) for 90 days in our EU-hosted database (Supabase, Frankfurt). This log is used only for reliability, abuse prevention, debugging, and cost monitoring.
- After 90 days, AI logs are deleted automatically.
- Your underlying workspace content remains in our EU-hosted database for the term of your account; deletion follows the retention schedule in our Privacy Policy.
Audio recordings get extra protection
Audio you upload is used only for transcription, not for live speech-to-text or other purposes. After a successful transcription, the audio file is removed from our storage; only the transcript remains in your workspace. If transcription fails, we keep the audio for up to seven (7) days so you can retry, then delete it automatically. Audio is never retained indefinitely.
Subprocessors
These third-party service providers process customer personal data on Enterwise's behalf. Each is bound by a Data Processing Agreement and a duty of confidentiality. We give customers at least 30 days' advance notice before adding or replacing a subprocessor.
| Subprocessor | Service | Region |
|---|---|---|
| Supabase, Inc. | Cloud provider, managed database, authentication | United States, European Union |
| Vercel, Inc. | Cloud provider, application hosting | United States |
| Resend | Email delivery | United States |
| Google LLC | Identity provider (OAuth sign-in) | United States, European Union |
| Mistral AI SAS | Artificial intelligence, transcription | European Union |
| OpenAI, L.L.C. | Artificial intelligence, transcription | United States |
| ElevenLabs, Inc. | Artificial intelligence, transcription | United States |
Data residency and international transfers
Most customer data is stored in the European Union. Some subprocessors are based in the United States and process data under the European Commission's Standard Contractual Clausesand the equivalent UK transfer mechanisms, together with each provider's supplementary measures (encryption in transit and at rest, access controls, regional storage where offered).
Compliance
Enterwise is in early access. We do not currently hold SOC 2, ISO 27001, or other formal security certifications. Our security programme is being built to align with these frameworks ahead of commercial launch.
We welcome customer due-diligence questionnaires at contact@enterwise.ai.
Contact
| Topic | |
|---|---|
| Privacy questions, data subject requests | privacy@enterwise.ai |
| Security questions, vulnerability reports, due diligence | security@enterwise.ai |
| General questions, support | contact@enterwise.ai |