Security Practices

Security is foundational to everything we build. Here is how we protect your data and infrastructure.

Last updated: April 2026

Infrastructure Security

Isolated Infrastructure

Dedicated servers on Hetzner Cloud with full-disk encryption and private networking.

Encryption

AES-256-GCM at rest, TLS 1.3 in transit. All API keys encrypted with envelope encryption (BYOK supported).

Access Control

Role-based access with principle of least privilege. SSH key-only access, no password auth.

Monitoring

24/7 automated health checks every 30 seconds. Sentry error tracking. Docker container monitoring.

Application Security

  • Row-level security (RLS) enforced at the database layer via Supabase policies.
  • HMAC-SHA256 tamper-proof audit logging for all data mutations.
  • Per-route rate limiting with Redis-backed distributed tracking.
  • CSRF protection, Content Security Policy, and strict HTTP security headers.
  • OAuth 2.0 / SAML SSO with enforced MFA for enterprise accounts.
  • Automated secret scanning (TruffleHog) and vulnerability scanning (Trivy, CodeQL) in CI/CD.

Data Protection

We follow GDPR, SOC 2 Type II, and ISO 27001 principles:

  • Automated daily backups (pg_dump at 2 AM UTC) with weekly full backup verification.
  • Data residency controls — choose where your data is stored.
  • Right to erasure — full data deletion within 30 days of request.
  • No training on customer data. Your prompts and evaluations are never used to train models.
