Trust Center

ENG’s Commitment to Security, Privacy, and Compliance

Certifications & Frameworks

ENG is committed to the highest standards of data protection, with safety as a top priority for customers and processes. Our Trust Center provides transparency into security controls, compliance posture, and operational practices aligned with industry-recognized frameworks, including SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27701.

Audit framework

SOC 2 Type II

Security, availability, and confidentiality

Independent audit framework for how ENG manages and safeguards client data.

Covers Security, Availability, and Confidentiality.
Independently audited by a third-party CPA firm.

Request SOC 2 Type II report

Security certification

ISO/IEC 27001

Information security management

Framework for an Information Security Management System focused on confidentiality, integrity, and availability.

Certified ISMS across people, processes, and technology.
Risk-based control selection aligned with Annex A.
Regular internal audits and management reviews.

Request ISO/IEC 27001 report

Privacy certification

ISO/IEC 27701

Privacy information management

Extension of ISO 27001 for privacy and the responsible handling of personal and sensitive data.

Covers PII processing as a controller and processor.
Alignment with GDPR privacy principles.

Request ISO/IEC 27701 report

Information Security Program

ENG maintains a formal Information Security Management System (ISMS) structured around ISO/IEC 27001 and the SOC 2 Type II Trust Services Criteria.

Key Areas

Security governance and risk management

Endpoint and network security

Continuous monitoring and logging

Identity and access management (IAM)

Secure software development lifecycle (SDLC)

Highlights

Multi-factor authentication enforced

Least privilege access model

Security awareness training for all employees

Annual penetration testing and vulnerability scanning

Privacy Program Overview

ENG is committed to protecting personal data and aligns its privacy practices with GDPR, ISO/IEC 27701, and the SOC 2 Type II Privacy principles (where applicable).

Key Controls

Data minimization and purpose limitation

Consent and lawful processing mechanisms

Defined data retention schedules

Regular privacy risk assessments (PIAs/DPAs)

Risk & Vendor Management

Risk Management

Formal risk assessment process using likelihood × impact

Risks reviewed and approved by leadership

Continuous monitoring of high-risk areas

Third‑Party Risk Management

Security assessments for critical vendors

Contractual security and privacy requirements

Ongoing reassessments for high‑risk vendors

Data Protection & Architecture

Data Hosting & Processing

Data hosted with enterprise‑grade cloud providers

Encryption in transit (TLS 1.2+) and at rest (AES‑256)

Logical tenant separation

Access Controls

Role‑based access control (RBAC)

Logging and monitoring of privileged access

Quarterly access reviews

Availability & Incident Response

Business Continuity & Disaster Recovery

Documented BCP and DR plans

Regular testing and tabletop exercises

Defined RTO/RPO targets

Incident Response

Formal incident response plan

24/7 monitoring and triage

Customer notification procedures aligned with contractual and regulatory requirements

Policies

Available Policies

Information Security Policy

Access Control Policy

Privacy & Data Protection Policy

Incident Response Policy

Vendor Risk Management Policy

FAQs