EnsoInsights

Legal

Trust, in writing.

Every contract that governs our relationship with customers and visitors is published here in plain language. Real terms, comprehensive scope, written for legal and procurement review — and readable enough for a CMO or brand lead who needs the gist before sign-off. For privacy and formal legal notices, email legal@ensoinsights.us. For product or account questions, email support@ensoinsights.us.

Data handling & security overview — encryption, isolation, subprocessors, and incident response — lives on this page below the agreements.

Security & data handling

How we protect customer data.

Enso Insights runs on established cloud services with strong, independently attested security controls — and adds product-level guardrails on the diagnostic data your CMO and brand org rely on. The full list of providers we rely on is set forth in Annex III of our Data Processing Agreement.

Published privacy policy

Data processing agreement on file

Subprocessors disclosed in customer DPA

Same terms for every customer

US-based operator · global-ready terms

How we operate

One set of terms. The same for every customer.

Enso Insights serves every customer on a single set of published terms — the same MSA, the same DPA, the same Privacy Policy, the same security posture, the same price. This is intentional. It lets us keep prices low, ship product weekly, and treat every customer equally — no most-favored-nation games, no quiet side-letters, no surprises in procurement.

If you can work with our standard terms, you can be running a diagnostic in five minutes. If your procurement process requires bespoke contractual terms, formal third-party security attestations (SOC 2 Type II, ISO 27001), or business-associate agreements, we’re probably not the right fit yet — and that’s okay.

Reference: MSA §1.1 — Uniform Terms

Encryption everywhere

Industry-standard encryption in transit and at rest. Backups are encrypted with rotated keys managed by our hosting providers.

Account isolation by default

Every request for your diagnostic data is tied to your account. Another customer cannot see your reports — access is enforced at the service layer, not only in the app UI.

Least-privilege access

Customer accounts use email or Google sign-in through our authentication provider. Administrative access to production is limited to the Enso Insights operator, uses short-lived sessions, and is MFA-protected. No shared role accounts.

We never train on your data

Your prompts, diagnostic outputs, and exports are not included in any model fine-tune, prompt-tuning corpus, or shared dataset. The no-training commitment is contractually enforced with each upstream AI provider at the tier we use.

Incident response

We maintain a written 72-hour breach-response playbook. If Customer Personal Data is affected by a confirmed incident, affected customers receive written notice within the windows required by our DPA and by applicable breach-notification law.

Delete on request

Email us with your account and we will remove your data from production systems on a timeline consistent with the underlying backup-retention policies of our hosting environment. We confirm completion in writing.

Data flow

What happens when you run a diagnostic.

In plain English, so you can skip the questionnaire.

  1. Your inputs leave your browser over an encrypted connection

    Diagnostic inputs (brand name, competitor set, market context, any free-text you add) are sent from your browser to Enso Insights over encrypted HTTPS. They are not written to public logs or intermediary caches in plaintext.

  2. We store it under your account

    The prompt, the resulting diagnostic job, and any derived scores are stored in your private workspace. Access is enforced so each customer only reads and writes their own data. We do not operate a shared pool of customer prompts.

  3. We send it to the upstream AI providers under commercial data terms

    The prompt is forwarded to the selected upstream AI providers under each vendor’s enterprise-style data-handling terms. At the tiers we use, upstream providers are contractually prohibited from training on Customer Data and retain data only as necessary to fulfill the request and comply with their legal obligations. Specific retention windows per provider are listed on our Subprocessors page.

  4. The response comes back, gets scored, and is stored with your diagnostic

    The engine response is scored against our rubric and stored alongside the diagnostic job — again row-scoped to your account. Exports and executive summaries are generated on demand from that stored data.

  5. Nothing you submit is used to train a model

    Not by us, and not by our upstream AI providers at the tiers we use. This is a contractual commitment in the MSA (§4.2) and in the Data Processing Agreement, not a best-effort promise.

References: MSA §4 (Data) · DPA · DPA Annex III

Subprocessors

Every vendor that touches your data.

The contractual table — name, region, role — lives in Annex III of the Data Processing Agreement. Where the DPA requires it, we give advance notice before engaging a new subprocessor.

For procurement and security review, use the published DPA your counsel will ask for; we do not maintain a separate marketing copy of the vendor table.

Binding terms are the agreements linked at the top of this page: Privacy Policy, MSA, and DPA (including Annex III subprocessors). We do not negotiate or redline these for individual customers — see MSA §1.1.

Entity information. Enso Insights is the product name for the Services. The Services are provided by Enso Labs LLC, a United States limited liability company. On this page, “Enso Insights,” “we,” “our,” or “us” mean Enso Labs LLC in that capacity.