Enso is a privacy-first, proximity-based social platform. Security is enforced at the database layer via Row-Level Security on every table. All data encrypted in transit (TLS 1.3) and at rest (AES-256). Ephemeral by design — chat sessions auto-expire in 24 hours. No card data stored. No data sold. GDPR/CCPA compliant.
65 database tables with RLS enabled
56 RPCs with auth enforcement
24h chat auto-expiry (ephemeral data)
Zero card data stored on platform
30-day full data purge on deletion
Core Security Architecture
🔒 Encryption
TLS 1.3 — all data in transit
AES-256 — all data at rest (AWS)
Bcrypt — password hashing
JWT (HS256) — session tokens (1hr TTL)
Signed URLs — file storage access
🛡️ Access Control
Row-Level Security on every table
Zero-trust: DB enforces all access
Role-based: User / Creator / Venue
OAuth 2.0 (Google, Apple Sign-In)
Separate anon / service_role API keys
📦 Data Minimization
Location: transient, never persisted
Chat: auto-deleted on expiry
No passive tracking or location history
User invisible until opt-in discovery
Full deletion within 30 days
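To make concrete how the "DB enforces all access" and "chat auto-deleted on expiry" points above fit together at the database layer, here is an added illustration in Postgres SQL. It is not Enso's schema or policies: the table names and columns are assumed, as are the Supabase-provided auth.uid() helper and the authenticated / anon roles. It shows the two halves a practitioner wants to see: a Row-Level Security policy that refuses reads of a session's messages to non-participants and to anyone once the 24-hour window has passed, and a purge statement for the expired rows themselves.

```sql
-- Added example, not Enso's schema. Table and column names are hypothetical.
-- Assumes a Supabase-style setup: auth.uid() returns the caller's user id
-- from the JWT, and the roles "authenticated" and "anon" exist.

create table chat_sessions (
  id         uuid primary key default gen_random_uuid(),
  created_at timestamptz not null default now(),
  expires_at timestamptz not null default now() + interval '24 hours'
);

create table chat_participants (
  session_id uuid not null references chat_sessions(id) on delete cascade,
  user_id    uuid not null,
  primary key (session_id, user_id)
);

create table chat_messages (
  id         bigint generated always as identity primary key,
  session_id uuid not null references chat_sessions(id) on delete cascade,
  sender_id  uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS on every table and FORCE it so the table owner is not exempt.
-- A table with RLS enabled and no policies denies every row by default,
-- so each policy below is an explicit grant, not a restriction on an open table.
alter table chat_sessions     enable row level security;
alter table chat_sessions     force  row level security;
alter table chat_participants enable row level security;
alter table chat_participants force  row level security;
alter table chat_messages     enable row level security;
alter table chat_messages     force  row level security;

-- A user may see the participant rows of sessions they belong to, nothing else.
create policy participants_select on chat_participants
  for select to authenticated
  using (
    exists (
      select 1 from chat_participants me
      where me.session_id = chat_participants.session_id
        and me.user_id = auth.uid()
    )
  );

-- A user may see a session only while it is live and only if they are in it.
create policy sessions_select on chat_sessions
  for select to authenticated
  using (
    expires_at > now()
    and exists (
      select 1 from chat_participants p
      where p.session_id = chat_sessions.id
        and p.user_id = auth.uid()
    )
  );

-- Messages: readable only by participants, and only before expiry.
-- The expiry check lives in the policy, so expired chats become unreadable
-- immediately, even before the purge job below has physically deleted them.
create policy messages_select on chat_messages
  for select to authenticated
  using (
    exists (
      select 1
      from chat_participants p
      join chat_sessions s on s.id = p.session_id
      where p.session_id = chat_messages.session_id
        and p.user_id    = auth.uid()
        and s.expires_at > now()
    )
  );

-- Messages: a participant may write only as themselves, into a live session.
create policy messages_insert on chat_messages
  for insert to authenticated
  with check (
    sender_id = auth.uid()
    and exists (
      select 1
      from chat_participants p
      join chat_sessions s on s.id = p.session_id
      where p.session_id = chat_messages.session_id
        and p.user_id    = auth.uid()
        and s.expires_at > now()
    )
  );

-- No policy names the "anon" role, so a request made with the anon API key
-- sees zero rows on all three tables. Only the service_role key (never shipped
-- to clients) bypasses RLS, which is why the two keys must stay separate.

-- Purge: run on a schedule (for example via pg_cron). ON DELETE CASCADE removes
-- participants and messages along with the expired session.
delete from chat_sessions where expires_at < now();
```

Two design notes. First, the policies reference auth.uid() rather than a client-supplied user id, so a tampered request body cannot widen the result set; the identity comes from the verified JWT. Second, a time-boxed policy and a purge job are both needed: the policy gives the "auto-expire" guarantee the moment the window closes, and the purge delivers the "auto-deleted" guarantee so the data does not linger in the table, in backups' retention window aside.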
Infrastructure & Partner Security
Infrastructure
Supabase Cloud (AWS) — SOC 2 Type II
Multi-AZ redundancy + daily backups + PITR
DDoS protection (AWS Shield + Cloudflare)
Deno-sandboxed Edge Functions
Rate limiting per IP and per user
Parameterized queries (SQL injection prevention)
Venue & Creator Data Isolation
Venue analytics RLS-restricted to owner
Stripe Connect — no commingled funds
Creator audience metrics anonymized
Booking data visible only to parties
Staff permission management per venue
Content moderation system (764 lines)
Payment Security
💳 Stripe
PCI DSS Level 1 certified. All card processing handled by Stripe. Zero card data on Enso servers.
📱 RevenueCat
SOC 2 Type II. App Store & Google Play subscription billing. Webhook signatures validated.
🤖 Anthropic (Cue AI)
Enterprise security. No data retention. AI chat assistance proxied via Edge Functions only.
Compliance
✓ GDPR
✓ CCPA
✓ COPPA (18+ enforced)
✓ PCI DSS (via Stripe)
✓ SOC 2 Type II (via Supabase)
✓ Apple App Store Guidelines
✓ Google Play Policies
72hr breach notification
DPAs with all vendors
US data residency (AWS)