Enga.gd Security Policy
Last updated: 12 May 2025
Enga.gd is committed to protecting the confidentiality, integrity, and availability of customer and participant data. This Security Policy describes the administrative, technical, and physical safeguards we use to secure the Enga.gd platform (the "Service"). It should be read together with our Privacy Policy, Cookie Policy, and Terms of Service.
1. Scope
This policy applies to all systems, infrastructure, employees, contractors, and data processing activities operated or managed by Enga.gd (Learngistics Inc.).
2. Governance & Responsibility
Role | Responsibilities |
---|---|
Security Officer | Oversees the information‑security program, conducts risk assessments, and reports to executive leadership. |
IT & DevOps Team | Implements and maintains technical controls (e.g., firewalls, patching, backups). |
3. Risk Management
- We perform annual risk assessments and track remediation actions.
- New features undergo a security review before production deployment.
4. Data Encryption
Data State | Method |
---|---|
In transit | TLS 1.2+ enforced for all web traffic, API calls, and third‑party integrations. |
At rest | AES‑256 server‑side encryption (SSE‑KMS) for databases, backups, and object storage using AWS KMS keys stored in ca‑central‑1; keys are rotated at least every 12 months. |
Secret management | API keys, tokens, and credentials stored in a hardened secrets‑management service with per‑environment isolation. |
5. Access Control
- Principle of Least Privilege. Employees receive the minimum access required to perform their role.
- Multi‑Factor Authentication (MFA). Planned for Q1 2026 for all privileged accounts and administrative consoles.
- Role‑Based Access Control (RBAC). Enga.gd provides three built‑in roles: Superadmin (Learngistics staff – unrestricted platform access and configuration), Admin (customer administrators – create and manage organizations, events, checkpoints, and view analytics), and User/Participant (end users – interact with events and view only their own data). Additional scoped roles can be enabled per tenant if needed.
- Session Management. Sessions expire after 120 minutes of inactivity (configurable). Revoked tokens become invalid immediately.
6. Network & Infrastructure Security
- Production workloads run on Laravel Cloud (managed on AWS). Our primary region is ca‑central‑1 (Montreal, Canada), with a disaster‑recovery region in us‑east‑1 (N. Virginia, USA)—both ISO 27001‑certified data centres.
- Firewalls & WAF. Layer‑7 Web Application Firewall blocks common attacks (SQLi, XSS, CSRF, etc.).
- Vulnerability Management. Automated scans run weekly; critical CVEs are patched within 48 hours.
- DDoS Mitigation. Traffic is routed through a globally distributed CDN with built‑in DDoS protection.
7. Application Security
API Security. All public API calls require a bearer token passed in the Authorization header. Tokens are scoped to an Organization, can be rotated in the Admin UI, and are never returned in clear text after creation. Webhook payloads include an X-Engagd-Signature (HMAC-SHA256) so clients can verify authenticity. Requests are rate-limited to 10 requests / second and 1 000 requests / day per token; excess traffic is throttled.
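A receiver-side check for the webhook signature described above, as an added example that is not Enga.gd's own code. It assumes the signature is a hex-encoded HMAC-SHA256 over the raw request body, keyed with a shared webhook secret; the secret, event name, and payload fields are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Engagd-Signature"  # header name taken from the policy text


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request bytes, hex-encoded (encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header carries a valid signature for raw_body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "").strip().lower()
    if len(received) != hashlib.sha256().digest_size * 2:
        return False  # missing, truncated or over-long value
    # compare_digest is constant-time, so a mismatch leaks nothing about
    # how many leading characters were correct.
    return hmac.compare_digest(
        received.encode("ascii", "replace"),
        expected_signature(secret, raw_body).encode("ascii"),
    )


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Authenticate first, parse second: unverified JSON is never decoded."""
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data (not real Enga.gd values).
SECRET = b"example-webhook-secret"
BODY = b'{"event":"checkpoint.completed","participant_id":42}'
GOOD_HEADERS = {"x-engagd-signature": expected_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, GOOD_HEADERS, BODY))
    # An altered body no longer matches the signature that was sent.
    print(handle_webhook(SECRET, GOOD_HEADERS, BODY.replace(b"42", b"43")))
    print(handle_webhook(SECRET, {}, BODY))
```

Verify against the bytes exactly as received; re-serialising the parsed JSON before hashing changes whitespace and key order and will break the comparison.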
8. Data Retention & Deletion
- Active data. Event and organization data remain in live databases for 12 months after an event ends unless an Account Admin deletes it sooner.
- Archived data. After 12 months, data is migrated to encrypted cold‑storage archives for audit, troubleshooting, and analytics. These archives may be retained indefinitely unless a valid deletion request overrides legal or business obligations.
- Backups. Point‑in‑time backups are kept for at least 30 days and then consolidated into long‑term, immutable snapshots stored in a separate AWS account for disaster‑recovery purposes.
- Contract termination. When a customer cancels service, we disable the organization and render data inaccessible within 30 days. Archived and backup copies may persist beyond that window where required by law, dispute resolution, or security forensics.
- User‑driven deletion. Admins can request that event or organization data be rendered inaccessible and marked for removal from live production systems. Residual copies in backups, cold archives, and system logs will continue to exist and may be retained indefinitely for security, compliance, or forensic purposes; therefore complete physical purge is not guaranteed.
- Residual data. System logs and aggregate analytics retained for platform integrity are stripped of personal identifiers wherever feasible.
9. Security Incident Notification
We will notify affected customers of a confirmed data breach within 72 hours of discovery, in accordance with applicable privacy laws.
10. Business Continuity & Disaster Recovery
Control | Target |
---|---|
RPO (Recovery Point Objective) | ≤ 1 hour |
RTO (Recovery Time Objective) | ≤ 4 hours |
Daily encrypted backups replicate to an off‑site region. Planned annual failover tests verify restoration procedures.
11. Compliance & Certifications
- Data hosting partners hold ISO 27001, SOC 2 Type II, and PCI DSS certifications.
- Enga.gd aligns internal controls with SOC 2 criteria; a formal audit is planned for Q4 2025.
- The platform supports GDPR and PIPEDA data‑subject rights (access, rectification, erasure). See Privacy Policy for details.
12. Third‑Party Sub‑Processors
We share customer data only with vetted sub‑processors necessary to deliver the Service (for example, cloud‑hosting, content‑delivery, and payment providers). A current register of these sub‑processors is available upon request; customers will receive at least 30 days' notice before we add or replace a sub‑processor that processes customer data.
13. Customer Responsibilities
- Configure strong passwords and enable MFA for all Organization admins.
- Review access logs and user permissions regularly.
- Obtain all necessary consents from Participants before collecting personal data.
- Promptly report suspected security issues to security@enga.gd.
Failure to follow these responsibilities may reduce or invalidate Enga.gd's obligations under the Terms of Service.
14. Policy Maintenance
This policy is reviewed annually or after significant infrastructure or legal changes. Updates will be posted here and, for material changes, communicated via email to registered account holders.
15. Contact & Reporting
Questions, concerns, or vulnerability reports? Contact our security team at:
- Email: security@enga.gd
- PGP Key: https://enga.gd/pgp.txt
- Mail: Enga.gd Security Team, Learngistics Inc., 750 Sammon Avenue, Toronto, ON M4C 2E5, Canada
Thank you for helping us keep Enga.gd secure!