Enjoy HQ Technical and Organisational Measures

Pseudonymisation

  • By default, EnjoyHQ does not collect personal data. However, depending on the data imported into the platform, details such as names, email addresses and other personal information can be collected. You’re in full control of the types of data imported.

Encryption

  • Data in transit is encrypted with up to TLS 1.2 (HTTPS).
  • Data at rest is encrypted with 256-bit AES.
  • Tunneling via an encrypted protocol (AWS SSM).

Confidentiality

Physical access control

  • EnjoyHQ’s hosting provider is AWS. AWS has in place several controls to provide security to their customers.
  • AWS is compliant with several security certifications: ISO27001, SOC1 (SSAE 18), SOC2, SOC3, PCI-DSS

Logical access control

  • Only selected engineers of EnjoyHQ have access to the production environment.
  • Users need to authenticate using Single Sign-On and valid MFA to initiate a tunneled connection, which terminates automatically after a period of inactivity.
  • Access is granted on a need-to-know basis, previously reviewed and approved by senior management.
  • EnjoyHQ meets the standard requirements of password complexity. For additional information, please review section 4.3 of the EnjoyHQ security whitepaper.

Role-based access control

  • EnjoyHQ logs every access in the Activity feed (being the Customer’s view of the platform) and in the production environment.
  • EnjoyHQ works with the authorization concept:

Monitoring of data transmission

  • Logging and monitoring.
  • Encryption of data transmissions using modern technological standards.

Erasure of data

  • Backups are stored for 31 days after contract expiration, then are securely erased.

Monitoring of separation

  • Separate databases -> Data is logically segregated.
  • Separation of live and test data.
  • Sandboxing.
  • Separate Systems.

Integrity

  • System-based logging.
  • Security/logging software.

Availability

Ensuring availability

  • Auto-scaling and automatic service availability management
  • Disaster recovery concept.
  • Emergency plan.
  • Contingency plans and reporting channels.
  • Disaster recovery tests of AWS data centers are carried out by AWS

Purpose limitation

  • Written agreement on commissioned data processing.
  • Training of all employees authorised to access data.
  • Committing employees to confidentiality.
  • Regular data protection audits.
  • Right to audit.

Resilience of the systems

  • Auto-scaling groups.
  • Ongoing monitoring services.

Post-incident recovery

  • Backup strategy.
  • Backup method.
  • Recovery concept for IT systems.

Regular review of technical and organisational measures

  • On an annual basis, EnjoyHQ’s measures are audited during the SOC 2 Type 2 audit.
  • On a regular basis, EnjoyHQ performs internal security audits according to its internal policies.