Security Overview
Last updated: October 01, 2025
Introduction
At enfue, the security of your data is our highest priority. We understand the trust you place in us when you use our HR technology platform, and we are committed to protecting your information with industry-leading security practices.
Our platform is hosted entirely on Amazon Web Services (AWS), a global leader in cloud infrastructure. The AWS platform powers our development, deployment, and hosting environments. AWS data centers maintain strict physical, network, and environmental controls and hold certifications including ISO 27001, SOC 1/2/3, and PCI DSS.
We leverage multiple availability zones to ensure resilience and high availability, and we apply layered defenses such as firewalls, network segmentation, and DDoS protection.
The availability of our system is disclosed transparently and openly on our Status page.
1. Comprehensive data protection
Our platform and processes follow security best practices, taking a layered approach to protecting your data. We use tools and processes such as a vulnerability scanner, a secure software development lifecycle, penetration testing, and industry-standard security controls to help keep your data out of the wrong hands.
Our security practices cover the key steps, from security in the development lifecycle (SDL) to the infrastructure where your data is located, to ensure that the product is as secure as possible.
1.1 Securing our products
At enfue, we focus on integrating security into each stage of the overall product life cycle. There are many methods and tools we leverage to achieve this.
DevSecOps
DevSecOps, the fundamental security principle we embrace, is about introducing security earlier in the application development life cycle (a.k.a. shift-left), thus minimizing the impact of vulnerabilities and bringing security closer to the development team.
Code reviews and automated security checks are mandatory for every code change pushed to our product. The security checks include, but are not limited to, credentials scanning, vulnerability scanning, and code security analysis.
Code analysis
We have automated code analysis that covers all code repositories at enfue. The platform runs various static analysis tools that improve the overall security of our codebase. Any vulnerability it finds blocks the pull request from being merged into the repository.
Vulnerabilities management
We actively monitor for and patch vulnerabilities in third-party libraries. We track such vulnerabilities through a public database, GitHub Advisory.
Incident response
enfue has a comprehensive approach to handling security incidents. We treat a security incident as one of the highest-priority security issues to deal with.
We have an internal framework with documents for different incident types and how to tackle them properly. The framework includes not only steps to analyze and recover from incidents, but also proactive actions to monitor and prevent them.
We continuously monitor infrastructure and application logs to detect suspicious activity.
Automated alerts notify our security team of unusual behavior.
We maintain a documented incident response plan to quickly contain and remediate issues.
In the event of a breach, we commit to timely customer notification in line with legal and contractual requirements.
1.2 Securing our internal teams
Our employees undergo regular privacy and security training, ensuring they understand best practices and how to respond to security incidents.
Our developers are specifically trained on the OWASP Top 10 risks and continue to assess them in day-to-day operations.
1.3 Securing your data
We have a number of measures in place to keep customer data secure and available, and to ensure that customers retain control over it, in accordance with industry practices and relevant compliance requirements.
Data centers
enfue products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services (AWS). We leverage its optimal performance, high availability, and redundancy globally to offer the best experience to our customers. The data centers are located across multiple zones in the Pacific Asia region within AWS so that no single data center becomes a single point of failure.
Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being reviewed and verified through a strict process.
Data encryption
All customer data in enfue products is encrypted in transit over public networks using TLS 1.2+. Our product is accessible via the web browser over a secure HTTPS protocol.
Data drives on servers holding customer data on AWS utilize industry-standard AES-256 encryption at rest, secured by the AWS Key Management Service.
Key and Secret Management
enfue utilizes the Key Management Service (KMS) provided by the underlying cloud provider for key management. All credentials and sensitive keys are managed using secure vaults, AWS Secrets Manager, and are rotated regularly.
Access to customer data
We treat all customer data as top-secret information and have implemented strict access controls and processes, following the principle of least privilege.
Within enfue, internal access is restricted to authorized personnel and goes through an internal review process. Authentication is done via our company’s Microsoft account, federated with Multi-Factor Authentication (MFA) enforced for all employee accounts. All access is logged and continuously monitored by AWS native services, ensuring transparency and immutability.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Retention and deletion of data
We have procedures in place to respond to user requests regarding the deletion of personal data. If you would like to make such a request, please contact our support team.
2. Compliance & Privacy
We treat compliance and data privacy as a foundational principle of our product. From the earliest stages of development, we have designed our system and processes to handle personal information responsibly and in line with regulatory expectations.
We align our practices with the requirements of the General Data Protection Regulation (GDPR), ensuring that personal data is collected and processed with transparency, limited to its intended purpose, and safeguarded through strong access controls. Individuals have the ability to request access to or deletion of their personal data, and our support team is ready to respond promptly to such requests.
Our approach to security and compliance is guided by the NIST Cybersecurity Framework (CSF), which provides a structured methodology for identifying, protecting, detecting, responding to, and recovering from security risks. This framework helps us continuously evaluate and strengthen our security posture as we grow.
enfue is pursuing ISO 27001, which is part of our roadmap as we mature. In the meantime, we are committed to maintaining strong internal practices, regularly reviewing our policies, and staying aligned with recognized industry standards.
3. Responsible Disclosure
We welcome input from the security community. If you discover a potential vulnerability, please report it responsibly to security@enfue.com.
4. Our Commitment
Security is not a one-time effort — it’s an ongoing commitment. At enfue, we continually review and enhance our practices to stay ahead of emerging threats and to ensure that your trust in us is always well-placed.