At Endgame, it is our priority to protect the privacy and security of your and your customers' data. We address this responsibility through a security and privacy by design methodology and by following to industry-leading standards.
SOC 2 Compliance
Endgame has completed SOC 2 Type II Certification. In addition to regular audits of our policies and procedures, we partner with Drata for continuous monitoring of our compliance.
Our report is available upon request under NDA to current and prospective customers. Visit our Trust Site or speak with your Account Executive, to request access.
GDPR/CCPA
Endgame is compliant with both GDPR and CCPA. Our list of sub-processors we work with and the purpose for why we use their services is kept current and available on our public docs page. We have a Data Processing Agreement (DPA) available upon request.
For data deletion requests, please email the details of the request to privacy@endgame.io.
Disclosure
Endgame believes in responsible disclosure. Our Vulnerability Disclosure Policy (VDP) covers the details, but if you notice a security issue or concern we want to hear from you at security@endgame.io. We do not currently have a bug bounty program.
Open Source Stance
Endgame evaluates libraries on a case-by-case basis, but our default stance is to allow non-invasive licenses approved by OSI.
A comprehensive library report is available upon request under NDA to current and prospective customers. Email us at support@endgame.io to request.
Generative AI
Endgame leverages OpenAI Enterprise as a sub-processor for text summarization and natural language interaction processing. No data sent to OpenAI is used for training purposes.
OpenAI consistently meets or exceeds our rigorous standards for third-party vendors, including SOC 2 Type II certification and GDPR/CCPA compliance.
Additional Information
- Endgame availability is reported at https://status.endgame.io/
- You can request access to our latest security artifacts at our trust site.
- We are currently hosted on GCP in the US-Central1 region
- Data encrypted at rest (AES256) and in transport (HTTPS/TLS)
- Zero knowledge Endgame API keys (we only store a hashed value for your key)
- Auth0 managed authentication/authorization. This includes support for SSO/SAML
- We follow the principle of least privilege for employee access to production environments and data
- We perform constant vulnerability scanning on dependencies and container images
- We undergo Third-Party Penetration Test and Security Review at least annually