Trust Center

Security, Privacy, and Data Use

This page outlines how Evolusis processes and manages data within the platform. It is written for security, privacy, and procurement stakeholders and focuses on practical implementation rather than marketing claims.

Last updated: March 25, 2026 · privacy@evolusis.com

Security & Privacy

Evolusis Trust Center

Evolusis supports enterprise learning and coaching with voice-based role-play, chat, and session analytics. This Trust Center describes the product's data handling, security controls, and privacy practices based on the current application and services.

Scope & Commitments

What this page covers and how to interpret it

Product Scope: Covers the Evolusis web application, first-party APIs, and supporting services referenced by the product frontend.
Contractual Priority: Your contract and DPA govern legal obligations. This page is a transparent operational summary.
Customer Control: Enterprise admins control access, user provisioning, and organization-level configuration through the admin console.
Verification: We provide security questionnaires, DPA, and attestations on request for due diligence.

Compliance Status

What we can evidence today and what is in progress

Data Processing Agreement (DPA): Supported

A standard DPA is available for enterprise customers. It covers sub-processor disclosure, security measures, incident notification, and deletion workflows.

Vendor Security Review Support: Supported

We respond to SIG Lite, CAIQ, and custom questionnaires. Pen test summaries are available under NDA.

ISO/IEC 27001 & SOC 2: In Progress

Security controls are aligned with common control frameworks. Formal certifications are in progress and will be shared when issued.

Regional Data Protection Laws: On Request

We support customer compliance requirements (e.g., GDPR/DPDP) via contract addenda and data processing controls.

Access Control

Who can access what — inside your tenant and internally at Evolusis

Token-Based Authentication: Live

Product APIs require bearer tokens issued at login. No public API calls are made without authentication.

Role-Scoped Views: Supported

Learners view their own sessions; admins and managers have organization-scoped access in the UI.

OAuth Login Support: Supported

Google and Microsoft OAuth login flows are supported for enterprise SSO integrations.

Centralized Access Reviews: In Progress

Periodic access review and least-privilege checks are part of our security program.

Encryption

Data protection in transit and at rest

TLS for API Traffic: Supported

Product traffic is served over HTTPS/TLS in production environments to protect data in transit.

Encrypted Storage (Provider-Level): Supported

We use managed infrastructure that provides encryption at rest and key management capabilities.

Password Hashing: Supported

Passwords are never stored in plaintext. Authentication uses standard hashing practices and token-based session handling.

Network Security

Infrastructure-level controls protecting perimeter and internal traffic

Managed Cloud Infrastructure: Supported

The product is hosted on managed cloud services that provide physical security and availability controls.

Rate Limiting & Abuse Controls: Supported

Public-facing API endpoints apply protective limits to reduce abuse and automated attacks.

Monitoring & Alerting: Supported

Operational monitoring is used to detect errors and anomalous activity across core services.

Endpoint Security

Controls on devices used by Evolusis employees

Managed Devices: Supported

Company-managed devices are used to access production systems.

Endpoint Protection: Supported

Baseline endpoint protection and device security policies are part of our internal program.

Secure Development (SDLC)

How security is embedded in our engineering process

Code Review: Supported

Changes go through peer review prior to deployment.

Dependency Management: Supported

Third-party dependencies are monitored and updated as part of regular maintenance.

Secrets Handling: Supported

Sensitive credentials are managed outside of source control.

Security Testing: In Progress

Security testing and reviews are integrated into release processes.

Vulnerability Management

How we find, triage, and remediate security vulnerabilities

Responsible Disclosure: Supported

Report vulnerabilities to security@evolusis.com. We triage and respond on a best-effort basis.

Dependency Monitoring: Supported

We monitor for known vulnerabilities in dependencies and remediate based on severity.

Regular Reviews: In Progress

Security configuration and access reviews are performed periodically.

Incident Response

Our process from detection to customer notification

1. Detection & Triage: T+0

Anomalies from monitoring, user reports, or automated scanning are immediately assigned a severity (P0–P3) and an incident owner. All potential incidents are treated seriously until confirmed otherwise.

2. Containment: T+2hrs (P0/P1)

The affected system, credential, or data pathway is isolated to prevent further exposure. For P0/P1, this may include temporary service restrictions. The engineering lead and founder are paged immediately.

3. Investigation & Root Cause: T+24hrs

Forensic log review establishes scope, timeline, and root cause. We identify what data was accessed, by whom, and for how long. This drives the notification scope and remediation plan.

4. Customer Notification: T+72hrs (DPDP)

Affected enterprise customers are notified within 72 hours of a confirmed incident, consistent with DPDP obligations. The notification includes confirmed scope, data types affected, actions taken, and next steps.

5. Remediation & Post-Mortem: T+7 days

The root cause is fixed. A written post-mortem is completed for all P0/P1 incidents. Lessons are incorporated into security policies. Post-mortem summaries are available to enterprise customers on request.

Data We Process

Data types used by the product and why they exist

Data Type | Category | Purpose | Notes
Name, email, password hash | Identity | Account creation, login, recovery | Used for authentication
OAuth provider data | Identity | Single sign-on login | Provider-linked metadata
Profile fields (name, phone, role) | Profile | User profile and support | Editable by user/admin
Chat messages & conversation IDs | Session Content | Role-play coaching and continuity | Stored for session access
Voice recordings & transcripts | Voice | Real-time coaching and feedback | Subject to admin controls
Session summaries & scores | Analytics | Progress tracking and reporting | Organization-level reporting
Contact form submissions | Support | Customer support and inquiries | Support workflow
Admin content (blogs, pages) | Content | Public content management | Published content only

For detailed retention schedules and deletion workflows, contact privacy@evolusis.com. Enterprise admins can request exports or deletion for organizational data.

AI & Voice Data Processing

How Evo's AI coaching engine handles sensitive session data

Voice-to-Text Processing: Supported

Voice data is transcribed to enable coaching. Audio and transcripts are handled as session data for the learner and organization.

No Model Training by Default: Supported

Customer session data is not used to train models unless explicitly agreed in writing.

No Biometric Profiling: Supported

The product does not derive biometric identifiers or voiceprints from audio.

Prompt Minimization: Supported

Session prompts are limited to context required for coaching output.

Sub-Processors

Third-party services that process customer data on our behalf

Sub-Processor | Purpose | Data Processed | Location
Cloud Infrastructure | Hosting | Customer data at rest and in transit | Region by contract
AI Model Provider | AI Coaching | Role-play transcripts and prompts | Region by contract
Speech-to-Text Provider | Transcription | Voice recordings for transcription | Region by contract
Email Provider | Notifications | Email addresses and notification content | Region by contract
Analytics (Internal) | Product Analytics | Usage events (de-identified where possible) | Region by contract

Full sub-processor details, locations, and DPA addenda are available on request.

Frequently Asked Questions

Common questions from security and procurement teams