Trust & Security

We protect the tools that protect your data. Here's how EmberHound handles your information and what you can request for your security review.

How data is processed

EmberHound follows a strict data minimisation architecture. No raw sensitive data ever leaves your endpoints.

EndpointLocal scan
Masked MetadataEncrypted transit
Cloud ConsoleTenant isolated

Agent scans locally

All file scanning and pattern matching happen on the endpoint device (OCR analysis available as an add-on). The platform never accesses the file system.

Only masked previews uploaded

Sensitive values are redacted on-device before transmission. Only metadata and masked findings leave the endpoint.

No raw file storage

EmberHound never stores original files or raw sensitive data. Only fingerprints and masked previews are persisted.

Encrypted in transit

All communications use TLS 1.3 with certificate pinning. Findings metadata is encrypted at rest with AES-256.

Tenant isolation

Row-Level Security enforces strict multi-tenant data isolation at the database layer. Each organisation's data is completely separate.

Security architecture

Security is built into every layer of EmberHound's architecture.

Zero Data Exfiltration

Scanning happens on-device. Only metadata and findings are transmitted — never the raw sensitive data.

Encryption in Transit & at Rest

All communications use TLS 1.3. Findings metadata is encrypted at rest with AES-256.

Device Authentication

Every agent authenticates with a unique, rotating device token. Certificate pinning prevents MITM attacks.

Tenant Isolation

Row-Level Security enforces strict multi-tenant data isolation at the database layer.

Audit Trail

Every action — login, policy change, finding suppression — is logged with actor, timestamp, and IP.

In detail

Compliance alignment

GDPR Articles 5, 30, 32

Data minimisation, records of processing, and appropriate technical measures.

Learn more →

PCI DSS 4.0

Cardholder data discovery and scope reduction for PCI compliance.

Learn more →

Live operational status

Real-time uptime and incident history for the EmberHound console, API, agent ingestion, and authentication. Monitored every five minutes from an independent GitHub Actions workflow so the status page stays reachable even if our primary infrastructure is degraded.

Visit status.emberhound.com for current service status and historical uptime.

Reporting a vulnerability

If you believe you've found a security issue in EmberHound — in the cloud platform, the device agent, or our public website — please disclose it privately so we can investigate and remediate before any details are made public. We respond to every report and will not pursue legal action against good-faith researchers acting within scope.

Email security@emberhound.com with a description, reproduction steps, and any proof-of-concept material.

Request compliance documents

Data Processing Agreement

Standard contractual clauses and data processing terms for GDPR compliance.

Security Whitepaper

Technical deep-dive into our encryption model, agent architecture, and data handling.

Request a Document

We use cookies to improve your experience and analyse site usage. Privacy policy.