Trust & Safety

Security & Compliance

EVA+ is built for enterprise procurement teams that say no to everything. Here's how we've built security into every layer of the platform.

Request Security Documentation

We provide the following on request for qualified enterprise prospects:

  • SOC 2 Type II report (under NDA)
  • Data Processing Agreement (DPA)
  • Security questionnaire responses (SIG Lite / CAIQ)
  • Penetration test executive summary
  • Architecture diagram (private-deploy mode)

Infrastructure

  • Deploys into customer-owned AWS environment (VPC tenancy available)
  • AWS KMS — AES-256 encryption at rest for all stored data
  • TLS 1.2+ enforced for all data in transit
  • Network isolation via VPC with private subnets and security groups
  • No data leaves customer AWS boundary in private-deploy mode

Access Controls

  • IAM least-privilege access — every agent action scoped to minimum required permissions
  • Role-Based Access Control (RBAC) within the EVA+ platform
  • Multi-factor authentication (MFA) enforced for all EVA+ accounts
  • Single Sign-On (SSO) via SAML 2.0 / OIDC for enterprise customers
  • Session tokens expire after inactivity; refresh token rotation enforced

Agent Safety

  • Dry-Run mode: every agent write action requires explicit human approval
  • Immutable audit log: every agent action logged with timestamp, user, and outcome
  • No irreversible actions (contracts, payments, public posts) without dual approval
  • Rate limits and circuit breakers prevent runaway automation

Compliance

  • SOC 2 Type II aligned practices (report available on request)
  • GDPR-compliant data processing — DPA available for enterprise customers
  • CCPA compliant — data subject rights honored within 30 days
  • Standard Contractual Clauses (SCCs) for cross-border data transfers
  • Subprocessor list maintained and updated — 30-day notice for changes

Security Operations

  • Security incident response policy with 72-hour breach notification (GDPR-aligned)
  • Regular penetration testing by third-party security firms
  • Vulnerability disclosure program — report@evaplus.ai
  • Annual security training for all engineering staff
  • Dependencies audited for CVEs — automated alerts via Dependabot

For our full sub-processor list, see /legal/sub-processors. For privacy inquiries: privacy@evaplus.ai.