Enforcer Labs Private Limited
Effective Date: May 1, 2026
Last Updated: May 17, 2026
Applies To: Enforcer Dashboard Only
1. Purpose
This document defines the security responsibilities shared between Enforcer Labs Private Limited ("Enforcer Labs," "Vendor") and the Customer ("Customer") for self-hosted deployments of Enforcer Dashboard. This model is essential for enterprise procurement reviews, SOC 2 alignment, and audit readiness.
2. Shared Responsibility Model Overview
Enforcer Dashboard follows a customer-managed deployment model. The Vendor provides the software; the Customer provides and manages all infrastructure, networking, storage, and runtime environments.
| Responsibility Domain | Enforcer Labs (Vendor) | Customer |
|---|---|---|
| Software source code security | ✅ | — |
| Application-level vulnerability patching | ✅ | — |
| Software architecture and design security | ✅ | — |
| Release of security updates and patches | ✅ | — |
| Security advisory notifications | ✅ | — |
| Documentation of security configurations | ✅ | — |
| Infrastructure provisioning | — | ✅ |
| Network security and firewalls | — | ✅ |
| Operating system patching | — | ✅ |
| Container runtime security | — | ✅ |
| Access control and identity management | — | ✅ |
| Database security and encryption at rest | — | ✅ |
| Backup and disaster recovery | — | ✅ |
| Monitoring and incident response | — | ✅ |
| Application of security patches | — | ✅ |
| Compliance with regulatory requirements | — | ✅ |
| Audit log retention and integrity | — | ✅ |
| SSL/TLS certificate management | — | ✅ |
| Third-party integration security | — | ✅ |
| Cloud provider account security | — | ✅ |
| Physical security of infrastructure | — | ✅ |
| Data classification and handling | — | ✅ |
3. Vendor Security Responsibilities
3.1 Secure Software Development
Enforcer Labs commits to:
(a) Following secure software development lifecycle (SSDLC) practices;
(b) Conducting code reviews and static analysis on all releases;
(c) Addressing reported security vulnerabilities in accordance with severity-based SLAs;
(d) Maintaining a responsible disclosure program for security researchers.
3.2 Vulnerability Management
| Severity | Response Time | Patch Release Target |
|---|---|---|
| Critical (CVSS 9.0-10.0) | 24 hours | 72 hours |
| High (CVSS 7.0-8.9) | 48 hours | 14 days |
| Medium (CVSS 4.0-6.9) | 5 business days | Next scheduled release |
| Low (CVSS 0.1-3.9) | 10 business days | Next scheduled release |
3.3 Security Advisories
Enforcer Labs shall notify Customers of critical and high-severity vulnerabilities via email to the designated security contact within the timeframes above.
3.4 Dependency Management
Enforcer Labs maintains a Software Bill of Materials (SBOM) and monitors third-party dependencies for known vulnerabilities using automated scanning tools.
4. Customer Security Responsibilities
4.1 Infrastructure Security
Customer shall:
(a) Deploy the Software in a secured network environment with appropriate segmentation;
(b) Implement firewalls, intrusion detection/prevention systems, and network access controls;
(c) Secure all ingress and egress points for the deployment environment;
(d) Maintain operating system and container runtime patches current;
(e) Implement encryption at rest for all databases and storage volumes.
4.2 Access Control
Customer shall:
(a) Implement the principle of least privilege for all user accounts;
(b) Use strong authentication mechanisms (multi-factor authentication is strongly recommended);
(c) Regularly review and audit user access to the Software;
(d) Promptly revoke access for terminated or reassigned personnel;
(e) Secure all API keys, credentials, and secrets used by or with the Software.
4.3 Audit and Logging
Customer shall:
(a) Enable and maintain audit logging within the Software;
(b) Forward audit logs to Customer's centralized logging and SIEM infrastructure;
(c) Retain audit logs for a minimum period consistent with Customer's compliance requirements;
(d) Monitor logs for security events and unauthorized access attempts;
(e) Protect log integrity against tampering or unauthorized deletion.
4.4 Incident Response
Customer shall:
(a) Maintain an incident response plan that includes the Software;
(b) Investigate and respond to security incidents involving the Software;
(c) Notify Enforcer Labs of suspected vulnerabilities in the Software;
(d) Coordinate with Enforcer Labs on incident resolution when the Software is implicated.
4.5 Third-Party Integration Security
Customer shall:
(a) Secure all credentials used to integrate the Software with cloud providers (AWS, Azure, GCP);
(b) Follow the principle of least privilege for IAM roles and service accounts granted to the Software;
(c) Regularly rotate credentials and access keys;
(d) Monitor and audit API access from the Software to integrated services.
5. Security Boundary Definitions
5.1 Vendor Boundary
The Vendor's security boundary includes:
- The Software application code and binaries
- Documentation and configuration guidance
- Security patches and updates delivered through official channels
- License management infrastructure
5.2 Customer Boundary
The Customer's security boundary includes:
- All infrastructure on which the Software operates
- All data processed by the Software
- All network connections to and from the Software
- All integrations between the Software and third-party services
- All user accounts and access within the Software
- All configuration and customization of the Software
5.3 Boundary Diagram
┌─────────────────────────────────────────────────────────────┐
│ CUSTOMER BOUNDARY │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Network │ │ Servers/ │ │ Database │ │ Cloud │ │
│ │ Security │ │ Compute │ │ Storage │ │ APIs │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ ENFORCER DASHBOARD │ │
│ │ ┌────────────────────────────────────────────────┐ │ │
│ │ │ VENDOR BOUNDARY │ │ │
│ │ │ Application Code · Business Logic · UI │ │ │
│ │ │ Security Updates · Documentation │ │ │
│ │ └────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ Configuration · Credentials · Integrations │ │
│ │ (Customer-managed) │ │
│ └──────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ User │ │ Audit │ │ Backup │ │ Incident │ │
│ │ Access │ │ Logs │ │ DR │ │ Response │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
└─────────────────────────────────────────────────────────────┘
6. Data Handling
6.1 Enforcer Labs does not access, collect, store, or process any Customer Data processed by the Software.
6.2 Customer is the sole data controller and processor for all data within the Customer Environment.
6.3 Customer is responsible for data classification, handling, retention, and disposal.
7. SOC 2 Alignment
This Security Responsibility Model aligns with SOC 2 Trust Service Criteria:
| TSC | Vendor Alignment | Customer Responsibility |
|---|---|---|
| CC6.1 (Logical Access) | Software access controls provided | Customer configures and manages |
| CC6.2 (Credentials) | Secure credential handling in code | Customer manages all credentials |
| CC6.6 (System Boundaries) | Defined in Section 5 | Customer enforces boundaries |
| CC7.1 (Detection) | Audit logging built into Software | Customer monitors and alerts |
| CC7.2 (Monitoring) | N/A (self-hosted) | Full customer responsibility |
| CC8.1 (Change Management) | Versioned releases with changelogs | Customer applies changes |
8. Contact
Enforcer Labs Private Limited
Security Contact: legal@enforcer-cca.com
Website: https://enforcer-cca.com
This document is subject to attorney and security team review. Update the responsibility matrix based on any managed service offerings that may be introduced.