Security

Enterprise-grade security for your compliance data

Your compliance data is sensitive. We protect it with SOC 2 Type II certified infrastructure, AES-256 encryption, and the same security controls we help you implement. Security is not just our product. It is how we operate.

- 256-bit AES encryption
- 99.9% uptime SLA
- SOC 2 Type II certified
- 24/7 security monitoring

Compliance certifications and attestations

We hold ourselves to the same standards we help you achieve. Our infrastructure and practices are independently audited and certified.

SOC 2 Type II (Certified)

Audited annually by independent third-party auditors. Report available under NDA.

ISO 27001 (Aligned)

Security controls aligned with ISO 27001 information security management standards.

GDPR (Compliant)

Full GDPR compliance with a DPA available. EU data subjects' rights are fully honored.

HIPAA (BAA Available)

Business Associate Agreement available for healthcare organizations handling PHI.

How we protect your data

Defense in depth. Every layer of our infrastructure is designed with security as the primary concern.

Encryption Everywhere

All data encrypted at rest with AES-256 and in transit with TLS 1.3. Database encryption uses AWS KMS with customer-managed keys available on Enterprise plans.

AWS Infrastructure

Hosted on AWS with SOC 2, ISO 27001, and FedRAMP certified infrastructure. All data stored in US data centers (us-east-1) with cross-region backups.

Zero-Trust Access

Role-based access control, SSO integration with SAML 2.0 and OIDC, mandatory MFA for all team members, and IP allowlisting on Enterprise plans.

24/7 Security Monitoring

Real-time threat detection, automated vulnerability scanning, and intrusion detection. Security events logged and monitored continuously.

Automated Backups

Continuous database backups with point-in-time recovery. Daily encrypted snapshots retained for 30 days. Cross-region replication for disaster recovery.

Complete Audit Trail

Every action logged with immutable audit trails. User activity, API calls, evidence changes, and administrative actions all tracked for compliance.

Data protection practices

We follow data protection principles aligned with GDPR, CCPA, and industry best practices. Your compliance data belongs to you, and we are stewards, not owners.

Data minimization
We collect only data necessary for the service. No tracking, no selling, no third-party advertising.
Purpose limitation
Your data is used only for providing compliance automation. Never shared without explicit consent.
Data retention
You control retention periods. Upon account termination, all data is permanently deleted within 30 days.
Right to export
Export all your data at any time in standard formats. Your compliance evidence belongs to you.
Subprocessor transparency
Complete list of subprocessors available. You are notified of any changes before they take effect.
Breach notification
In the unlikely event of a security incident, affected customers are notified within 72 hours per GDPR requirements.

How we connect to your tools

Evidence collection requires integration with your infrastructure. Here is how we do it securely.

Read-only access

All integrations operate on a read-only basis. We never write to or modify your production systems.

Official APIs only

We use only official vendor APIs. No screen scraping, no stored credentials, no direct database access.

OAuth 2.0

Industry-standard OAuth 2.0 for all integrations. Tokens are encrypted and can be revoked at any time.

Minimal scopes

We request only the minimum API scopes needed. No access to data beyond what is required for evidence collection.

Security documentation

Request our SOC 2 Type II report, penetration test results, security questionnaire responses, or custom security documentation.


Report a vulnerability

We welcome responsible disclosure from security researchers. Report vulnerabilities to our security team and we will respond within 24 hours.

[email protected]

Enterprise security

Need SSO, SCIM provisioning, custom data residency, or dedicated infrastructure? Talk to our enterprise team.


Security questions

Is Evidr SOC 2 certified?

Yes. Evidr maintains SOC 2 Type II certification, audited annually by an independent third-party auditor. Our SOC 2 report covers Security, Availability, and Confidentiality trust service criteria. The report is available to customers and prospects under NDA.

Where is my data stored?

All customer data is stored in AWS data centers located in the United States (us-east-1 region). Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. For EU customers requiring data residency, contact our sales team about Enterprise plans with regional deployment options.

Does Evidr access my production systems?

No. Evidr operates on a read-only basis through official API integrations with services like AWS, GitHub, Okta, and others. We never require or request direct access to your production infrastructure, databases, or servers. All evidence collection happens through authorized API calls.

How does Evidr handle data retention?

You control your data retention settings. Evidence and compliance data are retained according to your organization's configuration. Upon account termination or deletion request, all data is permanently deleted from our systems within 30 days, including backups.

Can I get a Business Associate Agreement (BAA)?

Yes. For healthcare organizations subject to HIPAA, we offer Business Associate Agreements on Growth and Enterprise plans. Contact our sales team to set up a BAA before processing any protected health information (PHI).

Do you have a bug bounty program?

Yes. We run a responsible disclosure program and work with security researchers to identify and fix vulnerabilities. If you discover a security issue, please report it to [email protected]. We do not take legal action against researchers who follow responsible disclosure practices.

How do you handle employee access to customer data?

Access to customer data is strictly limited. All employees undergo background checks and security training. Access is role-based and logged. Production data access requires approval and is time-limited. We follow the principle of least privilege.

What happens if there is a security incident?

We have a documented incident response plan. In the event of a security incident affecting customer data, we notify affected customers within 72 hours as required by GDPR. We provide detailed information about the incident, impact assessment, and remediation steps.

Have security questions?

Our security team is ready to answer questions, provide documentation, or schedule a security review call with your team.