Infrastructure Security
Engagor is hosted exclusively in the European Union, with our primary infrastructure located in Amsterdam. We've built our platform with security as a foundational principle, not an afterthought.
All data transmitted between your systems and ours is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256. Our infrastructure includes automated daily backups, DDoS protection, and network-level firewalls with intrusion detection.
We maintain strict access controls to our production environment. Only essential personnel have access, and all access is logged and audited.
Data Privacy & GDPR Compliance
As a Belgian company operating entirely within the EU, Engagor is fully compliant with the General Data Protection Regulation (GDPR).
We don't store personally identifiable information. All recipient email addresses are hashed using SHA-256 before storage. We work with engagement metrics and delivery data, not personal data. This approach means we can provide powerful analytics without the privacy risks associated with storing PII.
Our multi-tenant architecture ensures complete data isolation between customers. Your data is yours alone and is never accessible to other tenants or used for purposes beyond providing you with our services.
We support data retention policies configurable to your requirements, and we fully support the right to erasure under GDPR.
Application Security
Our application is built following security best practices and is designed to protect against the OWASP Top 10 vulnerabilities.
Access Control: Role-based access control ensures users only see what they're authorized to see. We support multiple permission levels from read-only viewers to tenant administrators.
Session Security: User sessions are managed with secure, randomly generated tokens. Sessions expire after periods of inactivity, and all session data is encrypted.
Input Handling: All user inputs are validated and sanitized to prevent injection attacks. We use parameterized queries for all database operations.
Updates: We maintain a regular patching schedule for all dependencies and infrastructure components.
Authentication
User passwords are hashed using bcrypt with appropriate cost factors, making brute-force attacks computationally impractical. We never store passwords in plain text or with reversible encryption.
Session management includes automatic timeout after inactivity and secure cookie handling with appropriate flags for modern browsers.
On our roadmap: Two-factor authentication (2FA) and enterprise SSO/SAML integration for customers requiring centralized identity management.
AI & Data Handling
Engagor uses artificial intelligence to analyze your email program and surface insights. Here's how we handle this responsibly:
What the AI sees: Aggregated metrics, delivery statistics, and engagement patterns. The AI analyzes trends and anomalies in your data to provide actionable recommendations.
What the AI doesn't see: Individual recipient email addresses (only hashed identifiers), email content, or any personally identifiable information.
AI Provider: We use Anthropic's Claude API for AI processing. Anthropic does not use customer data to train their models. Your queries and data remain private.
No content analysis: Engagor is a deliverability and engagement analytics platform. We do not ingest, store, or analyze the content of your emails.
Operational Security
Audit Logging: Administrative actions and data access are logged for security review and compliance purposes.
Least Privilege: Team members are granted only the access necessary for their specific responsibilities.
Secure Development: We follow secure development practices including code review, dependency scanning, and staging environment testing before production deployment.
Incident Response: We maintain documented procedures for identifying, responding to, and recovering from security incidents. In the event of a security incident affecting your data, we will notify you promptly in accordance with GDPR requirements.
Data Center Security
Our infrastructure provider, Vultr, maintains SOC 2 Type II compliance for their data center operations. This includes physical security controls, environmental protections, and operational procedures.
Data centers feature:
- 24/7 security personnel and surveillance
- Biometric and multi-factor access controls
- Redundant power and cooling systems
- Fire detection and suppression
What We're Working On
We believe in transparency about where we are and where we're going. These security enhancements are on our roadmap:
- Two-factor authentication (2FA) for all user accounts
- SSO/SAML integration for enterprise customers
- Annual third-party penetration testing
- SOC 2 Type II certification for Engagor
Security Questions?
If you have questions about our security practices, need to complete a security questionnaire, or want to discuss specific requirements for your organization, we're happy to help.
For enterprise customers requiring a Data Processing Agreement (DPA), please contact us and we'll provide our standard agreement for review.
Last updated: January 2026