Security Overview

Scope: This overview covers Etain Intelligent Workspaces (cloud-only SaaS).

Purpose: Provide an executive summary of our security and privacy approach.

For full details and contractual commitments, please refer to the linked policies and agreements.

Last updated: 2026-02-05

Security at a glance

  • ISO/IEC 27001 certified
  • SOC 2 in progress: we are working toward SOC 2 Type I, followed by SOC 2 Type II
  • GDPR compliant
  • Third-party penetration testing: performed regularly (at least annually), with an executive summary available upon request (subject to confidentiality)
  • Subprocessors: currently our only subprocessor is Microsoft
  • Cloud hosting: hosted in Microsoft Azure, Norway East region

Platform & architecture overview

Cloud hosting and data location

  • Intelligent Workspaces is hosted in Microsoft Azure (Norway East region).
  • We design and configure the service to store customer data in the Norway East region. Details and applicable terms are described in our DPA and security policy.

Data storage and network security

Database

  • Customer data in our primary database is stored on infrastructure with restricted network access.
  • The database is not publicly accessible and is only reachable from our application components.

File storage

  • Files are stored in Azure Blob Storage.
  • File access is controlled using Shared Access Signatures (SAS keys) to grant time-bound access to authorized parties and applications.

AI processing

  • Where AI processing is used to provide Intelligent Workspaces features, we use models available through Azure services (e.g., Azure AI capabilities).
  • We configure our use of AI services/subprocessors to disallow training on data.

Security controls

We operate a security program designed to protect the confidentiality, integrity, and availability of customer data.

Access control & confidentiality

  • Environment separation: we maintain separate development, test, and production environments.
  • Customer data handling: customer data is not used in development or test environments unless explicitly agreed in writing.
  • Production access controls: access to production is restricted using role-based access control (RBAC) and auditable just-in-time (JIT) access mechanisms.
  • Least privilege: access is granted on a need-to-know basis and reviewed according to internal procedures.

Operational security

  • Security testing: we perform security testing activities and commission third-party penetration testing regularly (at least annually).
  • Vulnerability management: we maintain processes to identify, prioritize, and promptly remediate security issues.
  • Monitoring and logging: we maintain operational monitoring and logging appropriate for a SaaS environment.
  • Change management: changes to production follow defined processes, including peer review.

Physical security

  • As a cloud-only provider, we rely on Microsoft's physical security controls for the Azure facilities where our service is hosted.

Backups & disaster recovery

  • Backups: we perform daily backups.
  • Retention: backups are retained for 30 days.
  • We are continuously improving platform resilience and data protection features.

Incident response & notification

  • We maintain an incident response process to triage, investigate, contain, remediate, and learn from security incidents.
  • If we become aware of a security incident or personal data breach affecting customer data, we will notify affected customers without undue delay in accordance with our contractual commitments.

Subprocessors

Our current subprocessors consist of:

  • Microsoft (Azure) — cloud hosting, compute, storage, and supporting platform services (including AI services where applicable)

We maintain a subprocessor list and will provide notice of material changes in accordance with our DPA.

Customer responsibilities

Security is shared between Etain and the customer.

Customers are responsible for:

  • Managing user lifecycle (provisioning/deprovisioning) and assigning appropriate roles.
  • Configuring access to the service according to their internal policies.
  • Using identity controls appropriate for their organization.

Within Intelligent Workspaces:

  • We provide role-based access control (RBAC) to manage permissions within the service.
  • We support single sign-on (SSO) with Microsoft Entra ID, enabling customers to centralize authentication and enforce their identity policies (e.g., MFA, conditional access) via their identity provider.

Security contact

For security and privacy inquiries, security questionnaires, or to request assurance materials (e.g., ISO certificate, pen test executive summary), please contact your Etain representative or use the contact channel specified in your agreement.

Etain is ISO/IEC 27001–certified, demonstrating our commitment to rigorous, audited information-security practices. We are also GDPR compliant and are actively working toward achieving SOC certification.
