Trust & Firewall Configuration
This page lists the network destinations Encelade uses so an enterprise firewall, secure web gateway, or proxy policy can allowlist the service for employees evaluating or using Encelade.
Domains to allowlist
The table below is derived from this repository's codepaths. Standard transport is HTTPS on port 443; Supabase Realtime adds WSS on 443.
This baseline covers fixed Encelade codepaths. User-supplied embeds, custom media URLs, and external integrations may require vendor domains beyond this list.
| Domain | Purpose | Protocol | Port |
|---|---|---|---|
| www.encelade.ai | Primary Encelade site, authenticated routes, API traffic, MCP endpoints, and the Sentry tunnel at /api/monitoring. | HTTPS / SSE | 443 |
| mpecifbzzyybcerfeghr.supabase.co | Supabase Auth, sessions, MFA, collaboration, and realtime updates. | HTTPS / WSS | 443 |
| *.blob.vercel-storage.com | Public delivery for uploaded media, custom fonts, and blob-backed export snapshot handoff. | HTTPS | 443 |
| docs.google.com | Optional direct CSV download for public Google Sheets used as chart data sources. | HTTPS | 443 |
| prysm-export-worker.fly.dev | Async PDF and PPTX export worker used when external export processing is enabled. | HTTPS | 443 |
| fonts.googleapis.com | Optional Google Font stylesheet loading from the editor font picker. | HTTPS | 443 |
| fonts.gstatic.com | Optional Google Font file delivery. | HTTPS | 443 |
| basemaps.cartocdn.com | Map basemap styles and tiles for map and globe layers. | HTTPS | 443 |
| nominatim.openstreetmap.org | City lookup in the dotted globe editor. | HTTPS | 443 |
| cdn.amplitude.com | Amplitude browser SDK download when product analytics is enabled. | HTTPS | 443 |
| *.amplitude.com | Amplitude event ingestion and session replay endpoints when product analytics is enabled. | HTTPS | 443 |
IP ranges
Encelade runs on Vercel, Supabase, and Fly.io. Those platforms use dynamic IP ranges, so outbound allowlisting should be done by domain rather than by source IP. If your environment requires static IP ranges or a custom network review, contact security@encelade.ai.
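The following Python example is added here and is not part of Encelade's code. It checks hostnames taken from a proxy log against the domain list above, assuming a wildcard entry covers any subdomain but not the bare apex; the function names and the sample hostnames are constructed for illustration.

```python
# Added example: check observed hostnames against the allowlist in the table above.
# Assumption: "*.example.com" covers any subdomain depth but NOT the bare apex;
# gateways differ on this, so confirm your product's wildcard semantics.
ALLOWLIST = [
    "www.encelade.ai", "mpecifbzzyybcerfeghr.supabase.co",
    "*.blob.vercel-storage.com", "docs.google.com",
    "prysm-export-worker.fly.dev", "fonts.googleapis.com",
    "fonts.gstatic.com", "basemaps.cartocdn.com",
    "nominatim.openstreetmap.org", "cdn.amplitude.com", "*.amplitude.com",
]

def normalize(host):
    """Lowercase, strip an optional :port suffix and the trailing root dot."""
    host = host.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def matching_rule(host, rules=ALLOWLIST):
    """Return the allowlist entry that covers host, or None if it would be blocked."""
    host = normalize(host)
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("*."):
            suffix = rule[1:]  # ".amplitude.com": forces a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return rule
        elif host == rule:
            return rule
    return None

def audit(hosts, rules=ALLOWLIST):
    """Split hostnames into (allowed, blocked), deduplicated, first-seen order."""
    allowed, blocked = [], []
    for h in dict.fromkeys(normalize(h) for h in hosts):
        (allowed if matching_rule(h, rules) else blocked).append(h)
    return allowed, blocked

# Constructed sample of proxy-log destinations (hypothetical, not real log data).
SAMPLE_HOSTS = [
    "www.encelade.ai:443", "abc123.public.blob.vercel-storage.com",
    "events.amplitude.com", "cdn.amplitude.com", "Fonts.GStatic.com.",
    "amplitude.com", "notamplitude.com", "encelade.ai",
]

if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE_HOSTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```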
Protocols
- HTTPS: standard web traffic for the Encelade UI, REST APIs, asset delivery, export initiation, and optional analytics/font/map requests.
- WSS: Supabase Realtime uses secure WebSockets for collaboration presence, patch sync, generation updates, and survey response events.
- SSE / Streamable HTTP: the MCP endpoint at /api/mcp supports streaming responses for AI clients, including the legacy /api/mcp/sse transport.
Hosting & subprocessors
- Vercel: Web app, API routes, and static delivery. Region: global network; no route-level region pinning is committed in this repository.
- Supabase: PostgreSQL, Auth, and Realtime. Region: exact project region is not committed in this repository and resolves from NEXT_PUBLIC_SUPABASE_URL.
- Upstash Redis: Rate limiting and cache. Region: exact Redis region is not committed in this repository and resolves from UPSTASH_REDIS_REST_URL.
- Fly.io: Async export worker for PDF and PPTX generation. Region: primary_region is set to iad in services/export-worker/fly.toml.
- OpenAI: LLM provider used for AI commands and presentation generation. Region: not pinned in this repository.
- Anthropic: LLM provider used for generation, AI chat, and research workflows. Region: not pinned in this repository.
- Google Generative AI: Gemini provider used for generation options and image generation. Region: not pinned in this repository.
Data handling
Encelade stores account information (email, profile, workspace membership), the presentation content you create or import, uploaded media and fonts, generation prompts and the model outputs they produce, and standard product telemetry. Tenant data is isolated at the database level via row-level security and tenant-scoped foreign keys.
All traffic is encrypted in transit over HTTPS or WSS as described above. Data at rest is encrypted by the underlying managed services (Supabase Postgres for relational data, Vercel Blob for file storage, Upstash for cache and rate limits). The full list of providers that process customer data is published in Hosting & subprocessors above. For the full data-processing policy, see /legal/privacy.
GDPR posture
For customer-uploaded content, Encelade acts as a processor on behalf of the customer; for account-level data tied to the Encelade account itself, Encelade acts as a controller. A Data Processing Addendum is available at /legal/dpa.
Data subject requests — access, correction, export, or erasure — can be sent to security@encelade.ai. EU data residency requirements can be discussed with the same address; we don't make a blanket residency claim because the current managed-service regions are not pinned in this repository.
Data retention
Active account data is retained for the life of the account. When you delete a project or an account, the underlying records are removed immediately via cascading database deletion — there is no soft-delete window, no "trash" tier, and no separate purge job. Once deleted, content is no longer reachable through the product or its APIs.
Operational backups follow our infrastructure providers' standard retention windows (Supabase point-in-time recovery and Vercel platform backups). We are formalizing a single retention schedule with the exact windows for each data category and will publish it on this page. For specific retention questions, email security@encelade.ai.
Email template for IT
This template includes the current domain list and a direct link back to this page.
Subject: Firewall allowlist request for Encelade
Hello IT/Security team,
I'm evaluating Encelade for work and need network allowlisting so I can access the product, collaboration features, exports, and optional MCP connectivity.
Please allow outbound access to: www.encelade.ai (HTTPS / SSE, port 443); mpecifbzzyybcerfeghr.supabase.co (HTTPS / WSS, port 443); *.blob.vercel-storage.com (HTTPS, port 443); docs.google.com (HTTPS, port 443); prysm-export-worker.fly.dev (HTTPS, port 443); fonts.googleapis.com (HTTPS, port 443); fonts.gstatic.com (HTTPS, port 443); basemaps.cartocdn.com (HTTPS, port 443); nominatim.openstreetmap.org (HTTPS, port 443); cdn.amplitude.com (HTTPS, port 443); *.amplitude.com (HTTPS, port 443).
Reference: https://www.encelade.ai/trust
Thank you,
[Your name]
Contact
For allowlist questions or enterprise security reviews, email security@encelade.ai. We can discuss SSO, DPAs, data residency requirements, and the current status of our security program, including SOC 2, with enterprise customers.
For broader legal and security policy information, see /legal/security.