Legal Document

Privacy Policy

Last updated: Feb 01, 2026

1. Introduction and Scope

This Privacy Policy (“Policy”) describes how Ennote Security Inc. ("Ennote Security", “we”, “us”, or “our”) collects, uses, discloses, processes, and protects personal information relating to individuals (“you” or “your”).

This Policy applies when you:

Visit our website(s) where this Policy is posted (collectively, the “Websites”);
Register for or use our secrets management platform, CLI tools, Kubernetes Operators, and related services (collectively, the “Services”);
Communicate with us, including for support or inquiries; or
Attend our events or otherwise interact with us.

Ennote Security is a company based in British Columbia, Canada. We are committed to protecting your privacy in accordance with applicable privacy laws, including British Columbia's Personal Information Protection Act (PIPA).

Service Provider Role

This Policy does not apply to the extent we process personal information in the role of a service provider (or "processor") on behalf of our Customers for the content they create ("User Content"). In such cases, the Customer is the data controller.

We do not rent, sell, or trade your Personal Information.

2. Information We Collect

a) Information You Provide Directly

Account Information: Name, work email address, and authentication credentials (hashed).
User Content (Secrets): API keys, database credentials, and notes uploaded to the platform.
Note: Due to our Field-Level Encryption architecture, Ennote is architecturally unable to decrypt Secrets payload data. We process this data as opaque blobs.
Payment Information: Billing address and tax ID. Payment processing is handled by Stripe; we do not store full credit card numbers.

b) Information We Collect Automatically

Log Data: IP address, browser type, OS, and timestamps of interaction.
Usage Metrics: Aggregated data on feature usage (e.g., number of active projects, API call volume).

c) Infrastructure & Machine Data

When you deploy the Ennote Agent/Operator in your infrastructure:

Machine Identity: We collect ephemeral IP addresses and Service Tokens to authenticate your workloads.
Cluster Metadata: To facilitate Secret Syncing, we process Namespace names and Deployment annotations (specifically ennote.io/* tags). We do not access your application code or container logs.

3. Purposes of Use

Provide, maintain, and secure the Ennote Security platform.
Verify identity and authorize access to Workspaces.
Send transactional communications (security alerts, billing reminders).
Detect and prevent fraud and security incidents.

No AI Training on Secrets

We strictly do not use User Content (Secrets, Notes) to train Artificial Intelligence (AI) or Machine Learning (ML) models.

4. Legal Bases

In Canada (PIPA), we rely on Consent (implied or express). For GDPR (EEA/UK), we process data based on:

Contractual Necessity (to provide the Service).
Legitimate Interests (security, fraud prevention).
Legal Obligations (tax compliance).
Consent (for optional marketing).

5. Security Architecture

CORE

a) Hybrid Cryptography

We employ a defense-in-depth cryptosystem:

AES-256-GCM: For authenticated encryption of all secret payloads (Data at Rest).
NIST Kyber-1024 (PQC): Post-Quantum Key Encapsulation used for key exchange, protecting against future "Harvest Now, Decrypt Later" threats.
Transient Isolation: All cryptographic operations occur in isolated memory spaces.

b) Zero Persistence Architecture

Ennote employs a Zero Persistence design for sensitive keys. Data Encryption Keys (DEKs) are encrypted by a Key Encryption Key (KEK) managed within a Hardware Security Module (HSM).

Technical Guarantee

During cryptographic operations (such as wrapping/unwrapping secrets for a verified client), DEKs are processed exclusively in volatile memory (RAM).

Volatile Only: Plaintext keys exist for milliseconds in RAM.
No Disk Writes: At no point are plaintext DEKs written to disk, databases, or logs.
Immutable Audit: Access events are logged to a tamper-proof ledger.

c) Organizational Security

Vulnerability Disclosure: We maintain an active VDP at [email protected].
Breach Notification: Ennote Security will notify Customer of any confirmed unauthorized access to their User Content without undue delay.

7. Storage & Residency

Primary Location

Encrypted blobs are primarily stored on servers provided by AWS and GCP (United States).

Sovereign Key Control (BYOK)

Enterprise customers using Bring Your Own Key (BYOK) retain the Master Keys in their own cloud KMS (e.g., AWS KMS or Google Cloud KMS). In this configuration, Ennote stores encrypted data, but the Root of Trust resides within your jurisdiction and control.

8. Data Retention

Active Accounts: Retained as long as your account is active.
Deleted Accounts: Soft-deleted immediately; permanently purged within 30 days.
Audit Logs: Retained for 30 days (Team) or 1 year (Enterprise), then securely rotated.

9. Your Rights

Subject to local laws, you have the right to:

Access your personal data.
Correct inaccurate data.
Request deletion (Right to Erasure).
Export your data (Portability).

10. Regional Rights

EEA & UK (GDPR)

You have the right to lodge a complaint with a supervisory authority.

Right to Object to processing.
Right to Restrict processing.

California (CCPA)

Right to Know categories collected.
Right to Non-Discrimination.
We do not "sell" or "share" personal info for cross-context behavioral advertising.

11. Children

Our Services are B2B/Enterprise tools not intended for children under 13 (or 16 in EEA). We do not knowingly collect Personal Information from children.

12. Changes to Policy

We may update this Policy. If changes are material, we will provide prominent notice (e.g., email or website banner) prior to the change becoming effective.

13. Contact Us

Ennote Security Inc.

PO Box 18065, Delta RPO Tsawwassen
BC, V4L 2M4, Canada

Privacy Officer

[email protected]

Security Reports