Security enforced at the database layer, not the application layer.
Where your data lives
EvalFlow runs on Supabase, built on AWS infrastructure with SOC 2 Type 2 certification. Every database operation is scoped to your organization before it executes.
Cloud Infrastructure
Hosted on Supabase (AWS). SOC 2 Type 2 certified infrastructure with automatic backups and point-in-time recovery.
Database
PostgreSQL with row-level security enforced on every table containing user data. The database itself rejects unauthorized queries.
Encryption
TLS 1.2+ for all data in transit. AES-256 encryption at rest via AWS. All API keys and third-party credentials stored as server-side secrets — never exposed to frontend code.
Serverless Functions
All backend logic runs in isolated serverless functions. Each invocation authenticates the caller via JWT before executing. No persistent server state between requests.
02 — Tenant Isolation
Your data is invisible to every other customer
EvalFlow uses a multi-tenant architecture where every database table enforces tenant isolation at the PostgreSQL level. Even if application code contained a bug, the database itself would reject any cross-tenant data access.
How it works
- Every table containing user data includes a tenant identifier scoped to your organization
- PostgreSQL security policies verify the authenticated user's organization on every SELECT, INSERT, UPDATE, and DELETE operation
- The tenant check runs as a database-level security function — application code cannot override or bypass it
- Hundreds of security policy clauses enforced across all data tables and modules
- If a query attempts to access data outside the caller's organization, PostgreSQL returns zero rows — not an error, just silence
This is not application-level filtering with a WHERE clause. This is the database refusing to return data that doesn't belong to you, regardless of what the application requests.
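As an added illustration of the mechanism described above (example schema, not EvalFlow's own code), the following PostgreSQL snippet shows a tenant column, a function that resolves the caller's organization from the verified JWT, and a row-level security policy that both filters reads and rejects writes into another tenant. Table and function names (`reviews`, `org_id`, `current_org_id`) are assumptions; reading the claim through `auth.jwt()` follows the Supabase convention, and on plain PostgreSQL a session setting such as `current_setting('app.org_id', true)` would take its place.

```sql
-- Added example of PostgreSQL row-level tenant isolation. Not EvalFlow's
-- schema; names are assumptions. auth.jwt() is the Supabase helper that
-- exposes the claims of the caller's verified JWT.

CREATE TABLE reviews (
  id      bigserial PRIMARY KEY,
  org_id  uuid NOT NULL,          -- tenant identifier present on every row
  author  uuid NOT NULL,
  body    text NOT NULL
);

-- Resolve the caller's organization from the JWT. SECURITY DEFINER with a
-- pinned, empty search_path means application code cannot shadow or
-- redefine what this function reads.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$
  SELECT (auth.jwt() ->> 'org_id')::uuid;
$$;

-- ENABLE turns RLS on; FORCE makes the table owner subject to it as well.
-- (Superusers and roles with BYPASSRLS are still exempt by design, which is
-- why the page keeps privileged access out of the application role.)
ALTER TABLE reviews ENABLE ROW LEVEL SECURITY;
ALTER TABLE reviews FORCE ROW LEVEL SECURITY;

-- USING filters rows visible to SELECT/UPDATE/DELETE; WITH CHECK rejects an
-- INSERT or UPDATE that would place a row in a different tenant.
CREATE POLICY reviews_tenant_isolation ON reviews
  FOR ALL
  USING     (org_id = current_org_id())
  WITH CHECK (org_id = current_org_id());

-- Behaviour under this policy, as the text describes it:
--   SELECT * FROM reviews WHERE org_id = '<some other org>';
--   -> 0 rows, no error
--   INSERT INTO reviews (org_id, author, body) VALUES ('<some other org>', ...);
--   -> ERROR: new row violates row-level security policy for table "reviews"

-- Check worth running in any multi-tenant schema: tables in "public" that
-- do NOT have RLS enabled. Anything listed here is application-filtered only.
SELECT c.relname AS table_without_rls
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity;
```

The closing query is the check a reviewer would run before accepting the "every table" claim: an empty result means every ordinary table in the schema has RLS switched on (it does not prove the policies are correct, only that they exist and apply).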
03 — Access Control
Three-tier role hierarchy, enforced by PostgreSQL
Access control is not managed in application code. Role permissions are enforced by database security functions that cannot be bypassed by the frontend, API, or any integration.
| Role | Data Visibility | Enforcement |
|---|---|---|
| Administrator | Full organization data across all modules | Database-level role check |
| Manager | Own data + recursive reporting tree (direct and indirect reports only) | Database function with indexed recursive lookup |
| Employee | Own data only | Row-level security matching authenticated user |
Module-level access controls
- Feedback & Reviews: Employees see their own. Managers see their reports'. Admins see all.
- Goals & OKRs: Same three-tier visibility. No cross-team data leakage.
- Pulse Surveys: Individual responses visible only to the respondent. Managers and admins see aggregated analytics only — never individual answers.
- Private Feedback: Visible only to the giver and recipient. Not even admins can access content flagged as private.
- Talent Grid & Workforce Analytics: Restricted to administrators only.
- AI Assistant: Operates within the same three-tier access model. It can only surface data the requesting user is already authorized to see.
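The role table and the module rules above can be expressed in the same PostgreSQL terms. The added example below (not EvalFlow's code; table, column and function names are assumptions, and `auth.uid()` / `auth.jwt()` follow the Supabase convention for the verified caller) builds the manager's recursive reporting tree with an indexed recursive lookup, then applies it to a pulse-survey table where individual answers are readable only by the respondent and managers or admins get aggregates through a function that never returns a row per person.

```sql
-- Added example of the three-tier visibility model on a pulse-survey table.
-- Example schema only, not EvalFlow's; names are assumptions.

-- Caller's tenant, read from the verified JWT (Supabase convention).
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$ SELECT (auth.jwt() ->> 'org_id')::uuid; $$;

CREATE TABLE members (
  user_id    uuid PRIMARY KEY,
  org_id     uuid NOT NULL,
  manager_id uuid REFERENCES members(user_id),  -- NULL at the top of the tree
  role       text NOT NULL CHECK (role IN ('admin', 'manager', 'employee'))
);
-- The index that makes the recursive walk cheap ("indexed recursive lookup").
CREATE INDEX members_manager_idx ON members (manager_id);

-- Direct and indirect reports of the caller, found with a recursive CTE.
-- UNION (not UNION ALL) de-duplicates, so an accidental cycle still terminates.
-- SECURITY DEFINER lets the function read members regardless of the caller's
-- own visibility on that table.
CREATE FUNCTION my_reports() RETURNS SETOF uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$
  WITH RECURSIVE tree AS (
    SELECT user_id FROM public.members WHERE manager_id = auth.uid()
    UNION
    SELECT m.user_id FROM public.members m JOIN tree t ON m.manager_id = t.user_id
  )
  SELECT user_id FROM tree;
$$;

CREATE FUNCTION my_role() RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$ SELECT role FROM public.members WHERE user_id = auth.uid(); $$;

CREATE TABLE pulse_responses (
  id            bigserial PRIMARY KEY,
  org_id        uuid NOT NULL,
  survey_id     bigint NOT NULL,
  respondent_id uuid NOT NULL,
  score         smallint NOT NULL CHECK (score BETWEEN 1 AND 5)
);
ALTER TABLE pulse_responses ENABLE ROW LEVEL SECURITY;
ALTER TABLE pulse_responses FORCE ROW LEVEL SECURITY;

-- Raw answers: same tenant AND the respondent only. There is deliberately no
-- row-level read for managers or admins, so nobody but the person who gave an
-- answer can SELECT it.
CREATE POLICY pulse_read_own ON pulse_responses
  FOR SELECT USING (org_id = current_org_id() AND respondent_id = auth.uid());
CREATE POLICY pulse_insert_own ON pulse_responses
  FOR INSERT WITH CHECK (org_id = current_org_id() AND respondent_id = auth.uid());

-- Aggregates for managers and admins go through a SECURITY DEFINER function
-- that applies the role/tree rule itself and returns only grouped numbers.
-- The minimum group size (5 here, an assumed value) keeps a manager with a
-- single report from reading that report's answer off the "aggregate".
CREATE FUNCTION pulse_team_summary(p_survey_id bigint)
RETURNS TABLE (responses bigint, avg_score numeric)
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$
  SELECT count(*), round(avg(r.score), 2)
  FROM public.pulse_responses r
  WHERE r.org_id = public.current_org_id()
    AND r.survey_id = p_survey_id
    AND (public.my_role() = 'admin'
         OR r.respondent_id IN (SELECT public.my_reports()))
  HAVING count(*) >= 5;
$$;
REVOKE ALL ON FUNCTION pulse_team_summary(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pulse_team_summary(bigint) TO authenticated;
```

An employee calling `pulse_team_summary(...)` gets no row: `my_reports()` is empty for them and their role is not `admin`. A manager sees one aggregate row covering only their tree, and an admin one row for the whole organization. In a real deployment `members` would carry its own RLS policies too; they are omitted here to keep the example focused on the tree and the aggregate boundary.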
Enterprise-grade identity management
Authentication supports everything from small teams using email and password to enterprise organizations requiring SSO with SAML or OIDC.
Enterprise SSO
SAML and OIDC support via a dedicated enterprise SSO provider. Admin self-service portal for SSO configuration. Automatic domain-based detection at login.
Multi-Factor Auth
TOTP-based 2FA (authenticator app). Company-level controls: optional or enforced globally. Required for sensitive operations like password resets.
Session Security
JWT-based authentication with short-lived tokens. No session data stored in cookies. Every API call re-validates the user's identity and authorization level.
05 — AI & Data Governance
How we use AI without compromising your data
EvalFlow's AI features — including the HR Copilot, review generation, and analytics — are core to the product. Here's exactly how your data is handled.
Data processing guarantees
- No training on your data. Your organization's data is never used to train, fine-tune, or improve any AI model — ours or any third party's.
- No data retention by AI providers. AI processing is handled via API providers that do not retain, store, or use submitted data for model training. Prompts are processed and discarded.
- Same access rules apply. The AI assistant operates under the same three-tier access control as the rest of the application. A manager's AI query cannot surface data outside their reporting tree.
- Tamper-proof audit logging. Every AI interaction is logged to a dedicated audit table. These logs are written via a privileged server process — users cannot modify or delete their own AI audit trail.
- Server-side only. AI model API keys are stored as server-side secrets. No AI calls are made from the browser. Your data never passes through the frontend on its way to an AI provider.
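The "tamper-proof audit logging" guarantee can be enforced in PostgreSQL with three layers rather than one. The added example below is not EvalFlow's schema; table and function names are assumptions, and the `authenticated` and `service_role` roles follow the Supabase convention for end users and the trusted backend respectively. Users may read their own trail, only the backend may insert, and a trigger refuses UPDATE and DELETE for everyone.

```sql
-- Added example of an append-only AI audit table. Not EvalFlow's code;
-- names are assumptions. Roles: 'authenticated' = end users,
-- 'service_role' = privileged server process (Supabase convention).

-- Caller's tenant, read from the verified JWT (Supabase convention).
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = ''
AS $$ SELECT (auth.jwt() ->> 'org_id')::uuid; $$;

CREATE TABLE ai_audit_log (
  id          bigserial PRIMARY KEY,
  org_id      uuid NOT NULL,
  user_id     uuid NOT NULL,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  feature     text NOT NULL,      -- e.g. 'copilot', 'review_generation'
  prompt_hash bytea NOT NULL,     -- a hash of the prompt, not the prompt text
  model       text NOT NULL
);

ALTER TABLE ai_audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_audit_log FORCE ROW LEVEL SECURITY;

-- Layer 1, RLS: end users can read their own rows only. No INSERT, UPDATE or
-- DELETE policy exists for them, so under RLS those statements affect nothing.
CREATE POLICY ai_audit_read_own ON ai_audit_log
  FOR SELECT TO authenticated
  USING (org_id = current_org_id() AND user_id = auth.uid());

-- Layer 2, table privileges: remove write privileges from end users outright,
-- so a future mistaken policy cannot grant them back by accident. The backend
-- gets INSERT only, never UPDATE or DELETE.
REVOKE ALL ON ai_audit_log FROM PUBLIC, authenticated;
GRANT SELECT ON ai_audit_log TO authenticated;
GRANT INSERT ON ai_audit_log TO service_role;

-- Layer 3, trigger: refuse UPDATE and DELETE for every role, so even the
-- privileged server process cannot rewrite history.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'ai_audit_log is append-only (% rejected)', TG_OP;
END;
$$;
CREATE TRIGGER ai_audit_log_no_rewrite
  BEFORE UPDATE OR DELETE ON ai_audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Check: which roles hold write privileges on the audit table. Expected
-- result is a single INSERT row for service_role and nothing else.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'ai_audit_log'
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE');
```

Keeping only a hash of the prompt in the log is a design choice for the example: it lets an interaction be correlated with a stored prompt elsewhere without turning the audit table into a second copy of whatever data the user submitted.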
06 — Integration Security
Third-party connections
EvalFlow integrates with workplace tools using industry-standard authentication protocols. All integration credentials are stored server-side.
| Integration | Auth Protocol | Data Flow |
|---|---|---|
| Slack | OAuth 2.0 | Sends notifications to designated channels. Does not read message history. |
| Microsoft Teams | OAuth 2.0 + Bot Framework | Sends notifications. Does not access files, chats, or calendar data. |
| Stripe | API Key + Webhook Signatures | Billing operations only. Webhook payloads verified via signature. |
| Email (SendGrid) | API Key (server-side) | Transactional emails only (review invitations, notifications). |
Your data, your control
Data deletion
Upon contract termination, all organization data is permanently deleted from our systems including backups. We confirm deletion in writing upon request.
Infrastructure backups
Automated daily database backups and recovery, managed by Supabase on AWS infrastructure.
08 — Compliance
What we certify today and what's planned
We believe transparency about our compliance posture is more useful than vague claims. Here's exactly where we stand.
| Standard | Status | Detail |
|---|---|---|
| Infrastructure SOC 2 Type 2 | ● Active | Supabase (our hosting and database provider) maintains SOC 2 Type 2 certification on AWS infrastructure |
| Encryption in transit | ● Active | TLS 1.2+ on all endpoints, enforced at the infrastructure level |
| Encryption at rest | ● Active | AES-256 via AWS, covering all database storage and backups |
| EvalFlow SOC 2 Type 1 | ◐ Planned | Application-level SOC 2 Type 1 audit on our roadmap |
We're happy to complete your organization's security questionnaire or schedule a call with your IT team to walk through our architecture in detail. Reach out through our contact form.
What IT teams ask us
Does EvalFlow have its own SOC 2 certification?
Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type 2 certification. EvalFlow's application-level SOC 2 Type 1 audit is on our roadmap. In the meantime, our security architecture — database-level tenant isolation, row-level security on every table, and server-side credential management — provides controls that many SOC 2 certified applications implement at the weaker application layer. We're happy to walk your team through the technical details.
Can another customer's admin see our data?
No. Tenant isolation is enforced at the PostgreSQL level. Every query — whether from the UI, API, or AI assistant — is scoped to the authenticated user's organization by the database itself. There is no application-level toggle or admin override that could expose cross-tenant data.
Is our data used to train AI models?
No. Your data is never used for AI model training by EvalFlow or any third-party provider. Our AI providers do not retain or train on data submitted through their APIs. The AI assistant accesses your data in real time within the same access control boundaries as the logged-in user, and all interactions are audit-logged.
Can you fill out our security questionnaire?
Yes. Use the contact form to request it, and we'll return it completed, typically within one week. We also offer a live architecture walkthrough with your IT team if that's more efficient.
Do you support SSO with our identity provider?
Yes. EvalFlow supports enterprise SSO via SAML 2.0 and OIDC. We're compatible with Okta, Azure AD, Google Workspace, OneLogin, and any SAML/OIDC-compliant identity provider. SSO enforcement can be enabled per organization to prevent local password authentication.
Where is our data physically stored?
EvalFlow's infrastructure runs on AWS in the United States.
What happens to our data if we cancel?
Upon cancellation, all organization data is permanently deleted from our systems within 60 days, including backups. Contact us if you need a data export before deletion or written confirmation of deletion.
Who at EvalFlow can access our data?
Production database access is restricted to essential personnel and requires elevated authentication. Direct database access is used only for infrastructure maintenance and support operations — never for browsing customer data. All production access is logged.