Security Overview
Endee is built for regulated industries. ISO 27001 certified, SOC 2 Type II audited, and GDPR-ready, with Queryable Encryption for workloads where data sovereignty is non-negotiable.
Compliance
Industry certifications
ISO 27001
Information Security Management
Endee is ISO 27001 certified across its cloud and enterprise offerings. Controls cover data classification, access management, physical and environmental security, incident response, and business continuity. Certification scope, certificate number, and audit reports are available to enterprise customers under NDA.
SOC 2 Type II
Security, Availability & Confidentiality
Annual SOC 2 Type II audits are conducted by an independent AICPA-accredited auditor covering the Trust Service Criteria for Security, Availability, and Confidentiality. Reports are available to prospective and existing enterprise customers during security review.
GDPR
European Data Protection Regulation
Endee Cloud operates EU-resident deployments to satisfy GDPR data residency requirements. Standard Contractual Clauses (SCCs) are available for cross-border data processing. Data Processing Agreements (DPAs) are available on request and included with all Enterprise contracts. Right-to-erasure tooling allows vector-level deletion of individual records.
Queryable Encryption
Search encrypted data without ever exposing it. True zero-knowledge security.
Zero Knowledge
Your data is encrypted client-side. We never see your raw vectors or queries.
Searchable Encryption
Perform similarity searches on encrypted data without decryption on our servers.
Compliance Ready
Meet ISO 27001, GDPR, and SOC 2 requirements with encryption at rest and in transit.
Core Technology
Queryable Encryption
Similarity search on encrypted data; the server never sees plaintext
How it works
Queryable Encryption is a client-side encryption scheme designed for vector similarity search. Before data is sent to Endee, the client encrypts each vector using a key that only the client holds. The encrypted vector (ciphertext) is stored in the Endee index and used for graph construction. When a query arrives, the client encrypts the query vector with the same key. The server computes approximate nearest neighbors in encrypted space and returns encrypted result identifiers. The client decrypts the result identifiers to retrieve the matching records.
What the server sees
The Endee server processes ciphertext throughout. It stores encrypted vectors, constructs graph edges between ciphertext representations, and traverses the graph during query execution. At no point does the server receive or process plaintext vectors. Endee's infrastructure operators, including cloud provider employees and Endee staff, cannot reconstruct original vectors from the ciphertext stored on disk or in memory.
Key management
Encryption keys are generated and held exclusively by the client application. Endee never receives, stores, or has access to client encryption keys. Customers may integrate with their existing KMS (AWS KMS, HashiCorp Vault, Azure Key Vault) for key lifecycle management. Key rotation is supported without re-indexing: the client re-encrypts vectors incrementally and the index accepts both old and new ciphertext during the rotation window.
Performance characteristics
Encryption overhead is sub-5ms per vector on modern hardware. Graph traversal in encrypted space adds a small constant factor compared to plaintext search, which is within acceptable bounds for the majority of production workloads. Queryable Encryption is available as an Enterprise feature. Contact sales for specific performance benchmarks for your use case and hardware environment.
Controls
Security at every layer
Encryption at Rest
AES-256 encryption for all stored data in Endee Cloud. Customer-managed encryption keys available on Enterprise plans.
Encryption in Transit
TLS 1.3 for all API traffic. Mutual TLS (mTLS) available for Enterprise deployments requiring client certificate authentication.
Role-Based Access Control
Fine-grained RBAC with API key scoping, collection-level permissions, and read/write separation. SSO via SAML 2.0 and OIDC on Enterprise plans.
Audit Logging
Immutable audit logs of all API operations, authentication events, and administrative actions. Exportable to SIEM systems via syslog or webhook.
Vulnerability Management
Continuous dependency scanning, annual penetration testing by a third-party firm, and a coordinated disclosure program. CVE patches released within SLA windows.
Data Residency
Choose the region where your data lives. Endee Cloud supports multiple cloud regions globally. Enterprise on-premises deployment ensures data never leaves your infrastructure.
Security documentation
ISO 27001 certificates, SOC 2 reports, DPAs, and penetration test summaries are available under NDA to enterprise customers and qualified prospective customers. Contact our team to initiate a security review.