Security by Design


Security is not a feature. It's our architecture. Security by Design, not retrofitted.

Infrastructure Security

Immutable Infrastructure

Where possible, systems are not manually modified or patched, but completely redeployed. This reduces the attack surface and eliminates configuration drift.

Tenant Isolation

Strict logical isolation between customers at network and compute level. No cross-tenant access.

VPC & Network Isolation

Each customer receives a dedicated Virtual Private Cloud with fully separated address space at Layer 2 and Layer 3.

European Infrastructure

Bare-metal servers in Germany. No US cloud provider. No US CLOUD Act.

Container Image Security

Automated vulnerability scanning of all container images.

Supply Chain Security

Signed artifacts, verified base images, traceable build pipelines.

Physical Security

Tier III+ Data Center

Frankfurt, redundant power and cooling systems.

24/7 Access Control

Physical access controlled and logged.

Environmental Monitoring

Temperature, humidity, smoke, continuously monitored.

Data Protection

Encryption at Rest

Storage layer and all node disks fully encrypted.

European Data Sovereignty

GDPR-native, not retrofitted. No data processing outside the EU. No US dependencies, no CLOUD Act exposure.

Data Residency

Data does not leave Europe. Full control over storage location.

Access Management

OIDC-Based Access

Infrastructure access via OpenID Connect.

RBAC

Fine-grained, role-based access control.

Multi-Factor Authentication

2FA/MFA at all levels. FIDO2 hardware keys as standard.

Audit Logs

Traceability of security-relevant access and changes across all platform components.

Monitoring & Response

24/7 Monitoring

Continuous monitoring of the entire platform infrastructure with automated alerts.

Network Visibility & Anomaly Detection

Network anomaly detection based on flow data. Automated alerts for suspicious traffic patterns.

Incident Response

Defined incident response procedures. Direct communication in case of emergency. Post-incident analysis and documentation.

Compliance & Certifications

What enum itself fulfils, and which certifications apply to the data center operator rather than to enum.

GDPR

Native, fully EU-based.

NIS2

Architecture designed for NIS2 compliance. Technical measures per §30 BSIG implemented.

DORA

Infrastructure supports requirements of regulated financial service providers.

Data Center: NTT Frankfurt

Certified ISO 27001, ISO 9001, EN 50600. These are the data center operator's certifications.

How we work

Security starts with us – not just with your infrastructure.

FIDO Security Keys + VPN

Standard for internal systems: VPN + FIDO2 hardware key – two layers, not either/or. No password login, no SMS OTP. Systems that don't support FIDO2 are accessible exclusively via VPN and additionally secured.

Signed Git Commits

All commits are cryptographically signed. Unsigned commits are automatically rejected. Complete traceability of every code change.

No Public Access to Management Systems

Core infrastructure and management interfaces are not reachable from the internet. No IP whitelisting as a substitute.

Encrypted Devices

All work devices fully encrypted.

Regular Security Reviews

Internal and external reviews of our infrastructure and processes.

Least Privilege

Minimal permissions for all internal accounts. Access only to what is currently needed.

Responsible Disclosure

The security of our platform and our customers' data is our highest priority. We value the work of security researchers and the community who help us identify and fix vulnerabilities.

Scope

In-Scope

  • enum Cloud Platform (*.enum.co, *.enum.cloud)
  • enum API and Console
  • enum Kubernetes Engine, enum Object Storage, enum Compute, enum Network, enum VPC, enum Cloud DNS, enum CDN, enum Cloud WAF
  • Network infrastructure and edge components

Out-of-Scope

  • Social engineering, phishing or physical attacks
  • Denial-of-Service attacks (DoS/DDoS)
  • Spam or mass registrations
  • Vulnerabilities in third-party software not operated by enum
  • Vulnerabilities requiring physical access to devices or infrastructure

Rules

  • If you encounter customer data during testing, stop immediately and report the vulnerability.
  • Do not perform any actions that could affect the availability of our services.
  • You may only interact with accounts you own or with explicit written permission.
  • Do not disclose vulnerability details before we have fixed the issue and given you clearance.
  • We ask that you report vulnerabilities promptly after discovery.
  • No stunt hacking, no extortion, no leverage.

Our Promise

  • We consider good-faith security research to be authorized activity, even if it technically violates our terms of service.
  • We will acknowledge receipt of your report within 48 hours.
  • We will keep you updated on the status of the fix.
  • We will not take legal action against you as long as you comply with this policy.
  • We compensate reported vulnerabilities. The amount depends on severity and report quality. We will inform you on a case-by-case basis.

Reporting

Please report vulnerabilities via email to:

security@enum.co

Please include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected systems or endpoints
  • Potential impact (assessment)
  • Proof of Concept if available (screenshots, logs, code)

If possible, encrypt your email with our PGP key: /.well-known/security.txt

Security Contact

Do you have security questions or want to report a vulnerability? Our security team is here for you.
