# Security and Compliance

> Encord's security certifications, data governance controls, access management, and compliance posture for enterprise deployments.

Encord is built to meet the security and compliance requirements of regulated industries and security-conscious enterprises. This page covers certifications, data controls, access management, and the tools available to enforce governance across your deployment.

***

## Certifications

| Standard          | Status    |
| ----------------- | --------- |
| **SOC 2 Type II** | Certified |
| **HIPAA**         | Compliant |
| **GDPR**          | Compliant |

Encord undergoes regular third-party audits to maintain these certifications. Audit reports and compliance documentation are available to enterprise customers on request — contact your customer success manager or [support](mailto:support@encord.com).

***

## Data ownership and privacy

**You always own your data.**

* Encord never uses customer data to train models and never shares it with third parties
* Labels, annotations, datasets, and models belong to you
* Data can be exported at any time in standard formats
* Upon contract termination, all customer data is deleted from Encord systems per agreed retention schedules

### Data residency

By default, the Encord application layer is hosted on **Google Cloud Platform (GCP)**. For organizations with data residency requirements:

* **Bring-your-own-storage**: Your raw files remain in your own AWS, GCP, or Azure buckets and are never copied to Encord infrastructure
* **VPC deployment**: The full Encord application stack runs within your cloud environment
* **On-premise / air-gapped deployment**: No data or traffic leaves your internal network

See [Platform Architecture](/solutions-documentation/enterprise-ai/platform-architecture) for details on each deployment model.

***

## Access controls

### Workspace roles

Access within Encord is governed by a layered role model:

**Workspace level:**

* **Admin** — full access to all resources, users, and settings
* **Workforce Manager** — can manage Taskers and create resources
* **Member** — can create and access resources they are invited to
* **Tasker** — can only access tasks explicitly assigned to them

**Project level** (separate from Workspace roles):

* **Admin** — full project control including settings and user management
* **Team Manager** — can manage tasks, assignments, and analytics; cannot change project settings
* **Annotator** — can label tasks assigned to them
* **Reviewer** — can review and approve/reject tasks assigned to them
* **Annotator + Reviewer** — combined role

This separation ensures annotators and reviewers only see the data and tasks relevant to their work — not the broader Workspace.

### API and SDK access

Programmatic access to Encord is controlled via **API keys**, which are generated per user and can be revoked at any time. Keys are scoped to the user's permissions — a Tasker's API key cannot access Projects outside their assignments.

See [Access Keys](/platform-documentation/General/general-access-keys) for key management instructions.

***

## Authentication

### Multi-Factor Authentication (MFA)

Encord supports MFA for all user accounts via:

* **Authenticator app** (TOTP) — e.g. Google Authenticator, Authy
* **SMS verification** — one-time codes sent to a registered device

MFA can be enforced at the Workspace level for enterprise customers. Users must enroll before accessing the platform when MFA is required.

See [Settings](/platform-documentation/Annotate/annotate-settings-general) for MFA setup instructions.

### SSO (Single Sign-On)

Enterprise customers can integrate Encord with their existing identity provider (IdP) using SSO. Contact [support](mailto:support@encord.com) to configure SSO for your organization.

***

## Encryption

All data handled by Encord is encrypted:

* **At rest**: AES-256 encryption for all stored data
* **In transit**: TLS 1.2+ for all network communication between clients and Encord servers

For VPC and on-premise deployments, encryption key management can be handled by your own KMS (Key Management Service).

***

## Audit and governance

### Audit trails

Encord maintains logs of key actions within the platform, including:

* User login and authentication events
* Task creation, assignment, and state transitions
* Label submission, approval, and rejection
* User and permission changes

Enterprise customers can request access to audit logs for compliance reporting. Contact your customer success manager for details.

### Project and data governance

* **Project tags** allow you to categorize, filter, and report across annotation programs
* **Dataset access controls** restrict which users can see and work with specific datasets
* **Ontology permissions** prevent unauthorized changes to labeling schemas
* **Workspace Admin join** — Workspace Admins can join any project within the Workspace for oversight and auditing purposes

***

## Responsible disclosure

If you discover a security vulnerability in Encord, please report it responsibly to [security@encord.com](mailto:security@encord.com). Encord investigates all reports and responds promptly.

***

## Where to go next

* [Platform Architecture](/solutions-documentation/enterprise-ai/platform-architecture) — deployment models and data flow
* [Workspace Settings](/platform-documentation/General/general-workspace-settings) — user management and access configuration
* [Settings](/platform-documentation/Annotate/annotate-settings-general) — MFA setup and API key management
* [Scaling and Operations](/solutions-documentation/enterprise-ai/scaling-and-operations) — workforce structure and QA workflows
