Certifications
| Standard | Status |
|---|---|
| SOC 2 Type II | Certified |
| HIPAA | Compliant |
| GDPR | Compliant |
Data ownership and privacy
You always own your data.- Encord never uses customer data to train models or share with third parties
- Labels, annotations, datasets, and models belong to you
- Data can be exported at any time in standard formats
- Upon contract termination, all customer data is deleted from Encord systems per agreed retention schedules
Data residency
By default, the Encord application layer is hosted on Google Cloud Platform (GCP). For organizations with data residency requirements:- Bring-your-own-storage: Your raw files remain in your own AWS, GCP, or Azure buckets and are never copied to Encord infrastructure
- VPC deployment: The full Encord application stack runs within your cloud environment
- On-premise / air-gapped deployment: No data or traffic leaves your internal network
Access controls
Workspace roles
Access within Encord is governed by a layered role model: Workspace level:- Admin — full access to all resources, users, and settings
- Workforce Manager — can manage Taskers and create resources
- Member — can create and access resources they are invited to
- Tasker — can only access tasks explicitly assigned to them
- Admin — full project control including settings and user management
- Team Manager — can manage tasks, assignments, and analytics; cannot change project settings
- Annotator — can label tasks assigned to them
- Reviewer — can review and approve/reject tasks assigned to them
- Annotator + Reviewer — combined role
API and SDK access
Programmatic access to Encord is controlled via API keys, which are generated per user and can be revoked at any time. Keys are scoped to the user’s permissions — a Tasker’s API key cannot access Projects outside their assignments. See Access Keys for key management instructions.Authentication
Multi-Factor Authentication (MFA)
Encord supports MFA for all user accounts via:- Authenticator app (TOTP) — e.g. Google Authenticator, Authy
- SMS verification — one-time codes sent to a registered device
SSO (Single Sign-On)
Enterprise customers can integrate Encord with their existing identity provider (IdP) using SSO. Contact support to configure SSO for your organization.Encryption
All data handled by Encord is encrypted:- At rest: AES-256 encryption for all stored data
- In transit: TLS 1.2+ for all network communication between clients and Encord servers
Audit and governance
Audit trails
Encord maintains logs of key actions within the platform, including:- User login and authentication events
- Task creation, assignment, and state transitions
- Label submission, approval, and rejection
- User and permission changes
Project and data governance
- Project tags allow you to categorize, filter, and report across annotation programs
- Dataset access controls restrict which users can see and work with specific datasets
- Ontology permissions prevent unauthorized changes to labeling schemas
- Workspace Admin join — Workspace Admins can join any project within the Workspace for oversight and auditing purposes
Responsible disclosure
If you discover a security vulnerability in Encord, please report it responsibly to security@encord.com. Encord investigates all reports and responds promptly.Where to go next
- Platform Architecture — deployment models and data flow
- Workspace Settings — user management and access configuration
- Settings — MFA setup and API key management
- Scaling and Operations — workforce structure and QA workflows