Trust & Safety

Security & Compliance

Workspace EVA is built for procurement teams that say no to everything — dry-run on every write, a full agent audit trail, and deployment inside your AWS boundary when you need it.

Request Security Documentation

We provide the following on request for qualified enterprise prospects:

  • SOC 2 Type II report (under NDA)
  • Data Processing Agreement (DPA)
  • Security questionnaire responses (SIG Lite / CAIQ)
  • Penetration test executive summary
  • Architecture diagram (private-deploy mode)

Infrastructure

  • Deploys into customer-owned AWS environment (VPC tenancy available)
  • AWS KMS — AES-256 encryption at rest for all stored data
  • TLS 1.2+ enforced for all data in transit
  • Network isolation via VPC with private subnets and security groups
  • No data leaves customer AWS boundary in private-deploy mode

Access Controls

  • IAM least-privilege access — every agent action scoped to minimum required permissions
  • Role-Based Access Control (RBAC) within the EVA platform
  • Multi-factor authentication (MFA) enforced for all EVA accounts
  • Single Sign-On (SSO) via SAML 2.0 / OIDC for enterprise customers
  • Session tokens expire after inactivity; refresh token rotation enforced

Workspace agent safety

  • Dry-run on every write tool (create_campaign, vet_list, touchpoints, outreach)
  • Immutable audit log: capability ID, actor, timestamp, and outcome for procurement review
  • Receipts and write-pending states on the canvas — not hidden in chat history
  • Rate limits and circuit breakers on connector and agent runs

Compliance

  • SOC 2 Type II aligned practices (report available on request)
  • GDPR-compliant data processing — DPA available for enterprise customers
  • CCPA compliant — data subject rights honored within 30 days
  • Standard Contractual Clauses (SCCs) for cross-border data transfers
  • Subprocessor list maintained and updated — 30-day notice for changes

Security Operations

  • Security incident response policy with 72-hour breach notification (GDPR-aligned)
  • Regular penetration testing by third-party security firms
  • Vulnerability disclosure program — [email protected]
  • Annual security training for all engineering staff
  • Dependencies audited for CVEs — automated alerts via Dependabot

For our full sub-processor list, see /legal/sub-processors. For privacy inquiries: [email protected].