Security
Last updated: April 2026
Evaal touches sensitive engineering data: pull request metadata, communication patterns, calendar load, and the signals from which Evaal infers team health. This page is the running summary of how Evaal protects that data and the certifications Evaal is working toward.
If you are evaluating Evaal and need to share this with your security team, email hello@evaal.ai for the current security questionnaire response and a walkthrough with the engineering lead.
Encryption
Customer data is encrypted in transit using TLS 1.3. Customer data is encrypted at rest using AES-256.
OAuth tokens for connected systems (GitHub, Linear, Slack, Calendar) are stored in a dedicated secrets store and are never written to logs.
Access controls
Evaal staff access to production data is limited to a small on-call engineering group, requires multi-factor authentication, and is logged. Customer data is never accessed except in response to a customer support request or to investigate an incident.
Customer-side access is gated by your existing identity provider via OAuth; SSO via SAML/SCIM will be supported before general availability.
Data residency
Evaal will offer EU and US data residency at general availability. Data does not cross regions unless the customer explicitly requests it. Subprocessor regions are documented in the DPA.
AI and model training
Evaal does not train any model on customer code, customer messages, customer tickets, or customer metadata. Customer data is never used to improve models that serve other customers.
When Evaal uses third-party LLMs to generate the natural-language summaries you read in your morning briefing, the prompts contain only the minimum metadata required to answer the question, and the LLM provider is contractually prohibited from training on those prompts.
Certifications and audits
Evaal is working toward SOC 2 Type II certification. Target completion is before general availability. Interim attestations and the security questionnaire are available on request.
Evaal will publish a public Trust Centre with audit reports, subprocessor list, and uptime history at trust.evaal.ai before general availability.
Incident response
Evaal will notify affected customers, within the timelines required by applicable law, of any security incident that may have exposed their data (GDPR Article 33: within 72 hours for the supervisory authority).
If you believe you have found a security issue, please email hello@evaal.ai. Evaal does not yet operate a public bug bounty programme but acknowledges all reports within two business days.
Questions? Email hello@evaal.ai.