Enigm maintains a public security assurance model intended to help enterprise customers, security auditors, technical partners, and procurement teams understand the evidence available for external review. This page summarizes public assurance evidence without publishing internal audit reports, control evidence, internal findings, assessment workpapers, operational procedures, or restricted implementation details.

Overview

Security assurance at Enigm is based on formal governance, risk management, recurring security review, independent assessment, and continuous improvement. Assurance evidence is intended to support review of:
  • Information security governance.
  • Privacy-oriented platform design.
  • Data minimization and content confidentiality.
  • Secure development practices.
  • Security monitoring and incident readiness.
  • Cryptographic architecture review.
  • Controlled software delivery.
  • Compliance posture.
Assurance evidence does not replace technical due diligence, contractual review, deployment review, or customer-specific security assessment.

ISO 27001 Certification

Enigm maintains ISO/IEC 27001:2022 certification for its information security management system. The public certificate identifies:
  • Certified organization: ENIGM, LLC.
  • Standard: ISO/IEC 27001:2022.
  • Certification issue date: 23 November 2024.
  • Original certificate issue date: 23 November 2024.
  • Certificate expiry date: 22 November 2027.
  • Statement of Applicability date: 09 September 2024.
The certificate scope is:
System that supports the activities of encrypted messaging application development, according to the Statement of Applicability dated 09/09/2024.
The certificate is available for public review: ISO/IEC 27001:2022 Certificate (public certificate for the ENIGM, LLC information security management system).

Certification Scope

The ISO 27001 certification scope applies to the information security management system supporting encrypted messaging application development activities. The scope should be interpreted as an information security governance and management-system certification. It supports confidence in structured security management, risk review, control governance, and periodic assessment. The certification should not be interpreted as:
  • Evidence that no vulnerabilities exist.
  • A certification of every Enigm product feature.
  • A certification of every customer deployment.
  • A certification of the cryptographic algorithms or implementations Enigm uses.
  • A replacement for product security review.
  • A replacement for privacy, legal, or contractual assessment.

Assurance Evidence Categories

Public assurance evidence is organized around the following categories:
  • Governance: demonstrates that security responsibilities, oversight, and review processes exist.
  • Risk management: demonstrates that risks are identified, prioritized, addressed, and reassessed.
  • Secure development: demonstrates that software development includes review, validation, and release controls.
  • Cryptography: demonstrates that cryptographic architecture is governed and reviewed as part of security assurance.
  • Privacy: demonstrates that data minimization, identity minimization, and metadata reduction are design objectives.
  • Incident response: demonstrates that security events are handled through structured response governance.
  • Monitoring: demonstrates that operational and security visibility support investigation and resilience.
  • Compliance: demonstrates alignment with formal information security governance and assessment practices.

Security Review Practices

Enigm performs continuous and periodic security validation activities. These activities include:
  • Recurring security reviews.
  • Vulnerability assessments.
  • Security posture validation.
  • Infrastructure exposure reviews.
  • Configuration reviews.
  • Attack surface monitoring.
  • Security control validation.
  • Periodic adversarial security testing.
  • Simulated attack exercises.
  • Continuous monitoring.
Security findings are prioritized according to risk and addressed through remediation processes. Remediation activities are reviewed and verified according to the applicable governance process.

Privacy Assurance

Enigm security assurance is evaluated in the context of privacy. Security exists to support:
  • Privacy by design.
  • Data minimization.
  • Identity minimization.
  • Metadata reduction.
  • Content confidentiality.
  • Privacy-Preserving Device Handles.
  • User control.
Assurance review should verify that security controls do not create unnecessary collection, retention, or exposure of protected content. Administrative systems are not intended to provide plaintext access to messages, calls, media, attachments, or user conversations.

Cryptographic Assurance

Enigm incorporates post-quantum cryptographic algorithms standardized by NIST as part of its cryptographic architecture. NIST's post-quantum standards are FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA); which of these Enigm uses, and in which components, should be confirmed during technical due diligence. Use of a NIST-standardized algorithm does not mean:
  • NIST has certified Enigm.
  • NIST has approved Enigm as a product.
  • NIST has audited Enigm.
  • NIST has validated Enigm's implementation of the algorithm (algorithm standardization is separate from implementation validation under programs such as CAVP and CMVP).
  • Every Enigm component uses the same cryptographic mechanism.
Cryptographic assurance is reviewed as part of the broader security assurance program, including key lifecycle, device-bound trust, secure storage, verification workflows, and controlled software delivery.

Evidence Boundaries

Public assurance evidence is intentionally limited. Enigm does not publish:
  • Internal audit reports.
  • Internal control mappings.
  • Assessment workpapers.
  • Internal findings.
  • Internal remediation records.
  • Internal risk registers.
  • Operational procedures.
  • Internal infrastructure details.
  • Internal security tooling.
  • Non-public detection logic.
Restricted evidence can be handled through appropriate enterprise, legal, procurement, or audit review processes when required.

Security Limitations

Assurance evidence improves confidence, but it does not eliminate risk. Important limitations:
  • Certification does not ensure the absence of vulnerabilities.
  • Assessment activities may not identify every weakness.
  • Risk posture changes over time.
  • Product security depends on implementation, configuration, operational controls, and user behavior.
  • External systems may introduce risk outside Enigm control.
  • Public documentation cannot include all evidence needed for a full private audit.
Security assurance should be treated as an ongoing process rather than a static certification state.