EvalFlow is built with tenant isolation as a core database-level control, not just a front-end or application filter.

Customer data is scoped by organization and protected through PostgreSQL row-level security policies, authenticated user context, and server-side authorization checks before data is returned to the application.
01 — Infrastructure

Where your data lives

EvalFlow runs on Supabase infrastructure, built on AWS. Supabase maintains SOC 2 Type 2 compliance for its platform and underlying cloud operations.

Cloud Infrastructure

Hosted on Supabase (AWS). SOC 2 Type 2 certified infrastructure with automatic backups.

Database

PostgreSQL with row-level security enforced on every table containing user data. The database itself rejects unauthorized queries.

Encryption

TLS 1.2+ for all data in transit. AES-256 encryption at rest via AWS. All API keys and third-party credentials stored as server-side secrets — never exposed to frontend code.

Serverless Functions

All backend logic runs in isolated serverless functions. Each invocation authenticates the caller via JWT before executing. No persistent server state between requests.

02 — Tenant Isolation

Your data is separated from every other customer

EvalFlow uses a multi-tenant architecture designed to keep each organization’s data separated and protected. Customer data is scoped by organization and protected through PostgreSQL row-level security policies, application-level authorization checks, and server-side controls for privileged workflows.

How it works

  • Customer-data tables are scoped to the organization they belong to.
  • PostgreSQL row-level security policies help ensure users can only access records associated with their authorized organization.
  • User-facing backend functions verify the caller’s identity and organization before performing privileged actions.
  • Scheduled jobs, webhooks, and integration workflows use server-side authorization patterns appropriate to their purpose.
  • Tenant isolation is enforced across EvalFlow’s core modules, including people data, performance workflows, feedback, recognition, objectives, reviews, surveys, and administrative settings.

This means tenant separation is not treated as a simple front-end filter. EvalFlow combines database-level security, authenticated access, and server-side authorization so each customer’s workspace remains logically separated from other organizations.

03 — Access Control

Role-based access designed for employees, managers, and administrators

EvalFlow uses role-based access controls to help ensure users only access the information they are authorized to view. Permissions are enforced through a combination of database security policies, authenticated user context, and server-side authorization checks for privileged workflows.

Role, data visibility, and enforcement

  • Administrator. Data visibility: organization-level visibility across authorized modules and settings. Enforcement: role checks, row-level security, and server-side controls.
  • Manager. Data visibility: own data and authorized visibility into direct or indirect reports, where applicable. Enforcement: reporting-line access checks and database-level policies.
  • Employee. Data visibility: own profile, assigned work, feedback, reviews, tasks, surveys, and records they are authorized to access. Enforcement: authenticated-user matching and row-level security.

Module-level access controls

  • Feedback & Reviews: Employees see their own records. Managers see authorized records for their teams. Administrators can access organization-level review workflows where permitted.
  • Objectives & OKRs: Visibility is scoped by organization, role, ownership, and reporting relationships.
  • Pulse Surveys: Pulse survey reporting is designed to protect employee confidentiality. Individual responses are not exposed in manager dashboards; survey insights are presented through authorized, aggregated views.
  • Private Feedback: Private feedback is restricted to the users involved and is not surfaced broadly across the organization.
  • Talent Grid & Workforce Analytics: Access is limited to authorized administrators and leadership roles based on company permissions.
  • AI Assistant: EvalFlow’s AI features operate within the same access-control model and are designed to surface only information the requesting user is authorized to view.
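
To make the tenant boundary and the role rules above concrete, here is an added example of the PostgreSQL row-level security pattern they describe; it is illustrative and not EvalFlow's own schema or policies. The table and column names, the app.org_id / app.user_id session settings, and the way the backend fills them from the validated JWT are assumptions.

```sql
-- Added illustration (not EvalFlow's actual schema or policies): an
-- org-scoped table guarded by PostgreSQL row-level security. The backend
-- sets the assumed session settings app.org_id / app.user_id from the
-- validated JWT before running any query (Supabase exposes comparable
-- values through auth.jwt() and auth.uid()).
CREATE TABLE feedback (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    author  uuid NOT NULL,
    subject uuid NOT NULL,   -- employee the feedback is about
    body    text NOT NULL
);

CREATE TABLE reporting_line (
    org_id  uuid NOT NULL,
    manager uuid NOT NULL,
    report  uuid NOT NULL,
    PRIMARY KEY (org_id, manager, report)
);

-- RLS is off by default. FORCE makes the policies apply to the table
-- owner too; only superusers and BYPASSRLS roles still skip them.
ALTER TABLE feedback ENABLE ROW LEVEL SECURITY;
ALTER TABLE feedback FORCE ROW LEVEL SECURITY;

-- Tenant boundary, ANDed with the permissive policies below: a row from
-- another organization is never visible, whatever the caller's role.
CREATE POLICY feedback_same_org ON feedback AS RESTRICTIVE
    USING (org_id = current_setting('app.org_id', true)::uuid);

-- Employee: records they wrote or that are about them.
CREATE POLICY feedback_own ON feedback FOR SELECT
    USING (author  = current_setting('app.user_id', true)::uuid
        OR subject = current_setting('app.user_id', true)::uuid);

-- Manager: feedback about their direct reports in the same organization.
CREATE POLICY feedback_manager ON feedback FOR SELECT
    USING (EXISTS (
        SELECT 1 FROM reporting_line r
        WHERE r.org_id  = feedback.org_id
          AND r.manager = current_setting('app.user_id', true)::uuid
          AND r.report  = feedback.subject));

-- Per request, inside the transaction, after validating the caller's JWT:
--   SET LOCAL app.org_id  = '<org id claim>';
--   SET LOCAL app.user_id = '<user id claim>';
-- A missing setting reads as NULL, so every policy evaluates to false and
-- the query returns nothing rather than another tenant's rows.
```

The database can only enforce what the backend tells it about the caller, so the settings must be derived from the verified token and never from request parameters.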

04 — Authentication

Enterprise-grade identity management

EvalFlow supports secure authentication for both growing teams and larger organizations, including email and password login, two-factor authentication, and enterprise single sign-on options such as SAML or OIDC where configured.

Enterprise SSO

SAML and OIDC support via a dedicated enterprise SSO provider. Admin self-service portal for SSO configuration. Automatic domain-based detection at login.

Multi-Factor Auth

TOTP-based 2FA (authenticator app). Company-level controls: optional or enforced globally. Required for sensitive operations like password resets.

Session Security

JWT-based authentication with short-lived tokens. No session data stored in cookies. Every API call re-validates the user's identity and authorization level.

SSO enforcement can be enabled per organization — when active, all users must authenticate through your identity provider. No local password fallback.

05 — AI & Data Governance

How we use AI while protecting customer data

EvalFlow’s AI features — including the HR Copilot, review assistance, and analytics — are designed to operate within the same security, access-control, and tenant-isolation model as the rest of the platform.

Data governance principles

  • Customer data is not used to train EvalFlow models. EvalFlow does not use your organization’s data to train, fine-tune, or improve customer-specific AI models.
  • AI processing is handled through API providers. When AI features are used, relevant context may be sent securely to AI API providers for processing under their applicable API data-use and retention terms.
  • Same access rules apply. EvalFlow’s AI assistant operates within the same role-based access model as the application. AI responses are designed to surface only information the requesting user is authorized to access.
  • AI activity is logged. AI interactions are recorded through server-side logging so authorized administrators can review usage and support governance, troubleshooting, and accountability.
  • Server-side API key handling. AI provider keys are stored as server-side secrets. EvalFlow does not expose AI provider credentials in the browser.

06 — Integration Security

Secure third-party connections

EvalFlow connects with workplace, HRIS, billing, and communication tools using secure authentication methods and server-side credential handling. Integration access is limited to the permissions required for each connected workflow.

Integration, auth method, and data flow

  • Slack. Auth method: OAuth 2.0. Data flow: used to send authorized EvalFlow notifications to selected Slack destinations based on the permissions granted during setup.
  • Microsoft Teams. Auth method: Microsoft identity / app authorization. Data flow: used to deliver EvalFlow notifications and workflow updates to authorized Teams destinations.
  • HRIS Connections. Auth method: provider authorization / secure connector. Data flow: used to sync employee, department, job, and reporting-line data needed for performance workflows.
  • Stripe. Auth method: API key + webhook signatures. Data flow: used for billing and subscription workflows. Stripe webhook events are verified server-side.
  • Email. Auth method: server-side API key. Data flow: used for transactional emails such as invitations, reminders, notifications, and account-related messages.

Integration credentials and secrets are handled server-side and are not exposed in the browser. EvalFlow limits integrations to the data and actions needed to support each connected workflow.

07 — Data Ownership

Your data, your control

Data deletion

Upon contract termination, customers may request deletion of their organization data. EvalFlow completes deletion from active systems and applicable backups within 90 days, subject to legal, security, and backup-retention requirements. Written confirmation is available upon request.

Infrastructure backups

EvalFlow relies on automated database backup and recovery capabilities managed by Supabase on AWS infrastructure. Backups are designed to support service recovery and business continuity, with recovery processes available for database-level incidents.

08 — Compliance

What we support today and what is planned

We believe transparency about our security and compliance posture is more useful than vague claims. Here is where EvalFlow stands today.

Standard, status, and detail

  • Infrastructure SOC 2 Type 2 (Active): EvalFlow is hosted on Supabase infrastructure, which maintains SOC 2 Type 2 compliance for its platform and underlying cloud operations.
  • Encryption in transit (Active): customer connections are protected using modern TLS encryption for data transmitted between users, EvalFlow, and supported service providers.
  • Encryption at rest (Active): data at rest is protected through encryption capabilities provided by Supabase and its underlying AWS infrastructure.
  • Data privacy readiness (Active): EvalFlow supports security and privacy practices aligned with modern data protection expectations, including tenant isolation, access controls, deletion workflows, and customer security questionnaires.
  • EvalFlow SOC 2 (Planned): application-level SOC 2 readiness and audit work is on EvalFlow’s roadmap as the platform continues to scale with larger customers.

We are happy to complete your organization’s security questionnaire or schedule a call with your IT team to walk through our architecture, controls, and data flows in more detail. Reach out through our contact form.

09 — Common Questions

What IT teams ask us

Does EvalFlow have its own SOC 2 certification?

Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type 2 certification. EvalFlow's application-level SOC 2 Type 1 audit is on our roadmap. In the meantime, our security architecture — database-level tenant isolation, row-level security on every table, and server-side credential management — provides controls that many SOC 2 certified applications implement at the weaker application layer. We're happy to walk your team through the technical details. 

Can another customer's admin see our data?

No. Tenant isolation is enforced at the PostgreSQL level. Every query — whether from the UI, API, or AI assistant — is scoped to the authenticated user's organization by the database itself. There is no application-level toggle or admin override that could expose cross-tenant data. 

Is our data used to train AI models?

No. Your data is never used for AI model training by EvalFlow or any third-party provider. Our AI providers do not retain or train on data submitted through their APIs. The AI assistant accesses your data in real time within the same access control boundaries as the logged-in user, and all interactions are audit-logged. 

Can you fill out our security questionnaire?

Yes. Use the contact form to request it, and we'll return it completed, typically within one week. We also offer a live architecture walkthrough with your IT team if that's more efficient. 

Do you support SSO with our identity provider?

Yes. EvalFlow supports enterprise SSO via SAML 2.0 and OIDC. We're compatible with Okta, Azure AD, Google Workspace, OneLogin, and any SAML/OIDC-compliant identity provider. SSO enforcement can be enabled per organization to prevent local password authentication. 

Where is our data physically stored?

EvalFlow's infrastructure runs on AWS in the United States. 

What happens to our data if we cancel?

Upon cancellation, all organization data is permanently deleted from our systems within 60 days, including backups. Contact us if you need a data export before deletion or written confirmation of deletion. 

Who at EvalFlow can access our data?

Production database access is restricted to essential personnel and requires elevated authentication. Direct database access is used only for infrastructure maintenance and support operations — never for browsing customer data. All production access is logged.