Privacy

Your data never leaves your organisation — only context does.

This page describes how Evodira is built to handle your information. It explains the architecture, not just a policy: where data lives, what leaves a device, who can see what, and how long anything is kept. Where something is a design posture rather than a completed certification, we say so plainly.

Last updated · 13 June 2026

01

The core principle

Evodira is a knowledge-continuity platform, not a cloud search engine. Conventional enterprise search ingests and indexes your documents in a vendor cloud so it can rank them. Evodira does the opposite: it computes over a typed claim → evidence → ACL provenance graph that runs inside your boundary.

The practical consequence is simple. Your raw files — the documents, messages, tickets, and recordings that contain sensitive content — do not need to leave the place they already live in order to be useful. Only context does: typed claims and the redacted quotes that support them.

02

Redaction before the model

For sensitive or regulated content, an on-device local agent processes evidence locally. It extracts and redacts on the device, before any model sees the content. What synchronises onward is claim-level knowledge and redacted quotes — never the raw source file.

This ordering matters. Redaction happens first, so the material a model processes is already minimised. The original document stays on the device or inside your data plane; it is not uploaded to a central index to make the product work.

03

Data residency you control

You choose where Evodira runs. The recommended deployment for sensitive organisations is hybrid: a managed control plane for administration and policy, plus a customer-owned data plane in your VPC where evidence, indexes, retrieval, and the local agent live. For regulated, sovereign, or air-gapped environments, the full stack can run on-premises, with model routing to private or open-weight models.

In every profile, the data plane that holds your content is one you can place and govern according to your own residency requirements.

04

Permissions travel with the data

Every connector preserves the source system’s permissions, and every claim carries its access-control list (ACL). Retrieval applies permissions first, before anything is read or synthesised, so an answer is only ever built from evidence the person asking is allowed to see. Sensitive knowledge stays scoped to the people already entitled to it.

05

Two human gates

Nothing a model produces becomes authoritative on its own. Evodira has two points where a human is explicitly in control:

Gate one — verification. Extracted claims are routed to a human reviewer with their confidence score and sources attached. Knowledge is published only when a reviewer verifies it, under the approval rules your installation sets. Weak or contested claims can be returned, flagged, or rejected.

Gate two — automatic actions. Where the system could act or publish without review, that is a setting your administrators control, and any such gate is surfaced for human attention rather than run silently. The default is human oversight, not automatic action.

06

Verifiable provenance, not opaque scores

Each answer ships a tamper-evident certificate over its claim → evidence → ACL chain. You can check that certificate independently. Instead of asking you to trust a relevance score, Evodira gives you an artefact you can audit — useful for your own review, incident analysis, and compliance evidence.

07

Retention and deletion

Retention is configured per installation. Evidence, claims, audit records, and certificates are kept for as long as your retention policy requires and no longer. When a source is updated or contradicted, its history is preserved rather than silently overwritten, so the audit trail remains intact — within the retention window you set.

Because content lives in a data plane you control, deletion and export are operations you can perform against your own infrastructure. We will document the exact mechanics for your deployment profile during onboarding.

08

What we are honest about

Evodira is an early-stage product. We describe our privacy architecture and posture here, not a list of completed third-party audits. We are building toward SOC 2 and GDPR alignment and tracking EU AI Act readiness ahead of the 2 August 2026 obligations. We will share the current state of documentation and any attestations directly with you during a pilot, rather than overstating them on a marketing page.

Questions about any of this? Write to us at hello@evodira.com. We will share current documentation and attestations during a pilot.