Security & Compliance

Last updated: 23 April 2026

Trust is the foundation of EVA. Every architectural decision — from how data flows between agents to how credentials are stored — is made with the security and privacy of principals in mind. This document outlines our security posture and compliance commitments.

1. Data Encryption

In Transit

All data transmitted between your devices and EVA's infrastructure is encrypted using TLS 1.3. Connections that do not support TLS 1.2 or higher are refused. HTTP connections are automatically redirected to HTTPS.

At Rest

Stored data — including conversation context, task history, and member profile information — is encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service and are rotated on a scheduled basis.

2. Access Controls

  • Least privilege — internal systems are granted only the permissions required for their specific function
  • Multi-factor authentication — required for all EVA staff accessing production systems
  • Role-based access control (RBAC) — member data is accessible only to the agents and personnel directly responsible for that account
  • Audit logging — all access to sensitive data is logged with timestamps and actor identities; logs are immutable and retained for 12 months

3. AI Model Isolation

Your data is never used to train, fine-tune, or improve AI models without your explicit written consent. Conversations, tasks, and outputs generated within your private channel remain isolated to your account. No cross-member data blending or shared model context occurs.

4. Infrastructure Security

  • Infrastructure hosted in ISO 27001-certified data centres
  • Network segmentation with firewalls and intrusion detection systems
  • Automated vulnerability scanning and dependency auditing on each deployment
  • Regular penetration testing by independent third parties
  • DDoS mitigation at the network edge

5. Regulatory Compliance

GDPR

EVA's data processing practices comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679). We maintain records of processing activities, have entered data processing agreements with sub-processors, and support all data subject rights. See our Privacy Policy for full details.

Swiss nDSG

EVA complies with the Swiss revised Federal Act on Data Protection (Datenschutzgesetz, DSG / nDSG), effective September 2023. Members resident in Switzerland benefit from all protections afforded under Swiss law in addition to GDPR standards.

Confidentiality

All EVA personnel and AI systems are contractually bound to strict confidentiality. Member interactions, business context shared with agents, and operational details are never disclosed to third parties except as required by law or with your explicit consent.

6. Sub-Processors

EVA uses a limited number of trusted sub-processors to deliver the service. Each sub-processor is vetted for security and data protection compliance and is bound by a data processing agreement. The current sub-processor list is available on request by emailing hello@eva.fyi.

7. Incident Response

In the event of a data breach or security incident affecting your personal data, EVA will:

  • Notify affected members within 72 hours of becoming aware of the incident, where required by GDPR
  • Provide a clear description of the nature of the breach, data affected, and steps taken
  • Report to the relevant supervisory authority (Swiss FDPIC and/or applicable EU DPA) as required
  • Conduct a post-incident review and implement remediation measures

8. Business Continuity

EVA maintains documented business continuity and disaster recovery plans. Backups are encrypted, geographically distributed, and tested quarterly. Our recovery time objective (RTO) for core service components is under 4 hours.

9. Responsible Disclosure

If you discover a potential security vulnerability in the EVA platform, please report it responsibly to hello@eva.fyi with the subject line "Security Disclosure". We commit to acknowledging your report within 48 hours and keeping you informed of remediation progress. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

10. Contact

Security and compliance enquiries: hello@eva.fyi

© 2026 EVA. All rights reserved.