Security

Security is the architecture, not a feature bolted on after.

Evodira is designed so the safest path is the default one. This page sets out the controls built into the platform and our compliance posture. We frame readiness honestly — as design and direction, not as audits we have not yet completed.

Last updated · 13 June 2026

01

Boundary-resident by design

The provenance graph, indexes, and retrieval run inside your boundary — a customer-owned data plane in your VPC, or fully on-premises. There is no central cloud index of your raw documents for an attacker to reach, because the product is not built around one. This removes an entire class of exposure that ranked-search products carry by construction.

02

On-device redaction

The local agent runs on the device or inside the data plane and redacts sensitive content before any model processes it. Only claims and redacted quotes synchronise onward. Raw files are not shipped to a central service to make features work.

03

Permission-first retrieval

Access controls are enforced before retrieval, not after. Every claim carries its ACL, and an answer is assembled only from evidence the requester is entitled to see. Permission checks are part of the data model, so they cannot be skipped by a query path.

04

Signed requests and device audit

The local agent signs its requests and keeps a tamper-evident local audit trail. Where evidence moves between a device, an edge relay, and the data plane, hops are signed, so the chain of custody is verifiable rather than assumed.

05

Tamper-evident certificates

Every published answer ships a Merkle certificate over its claim → evidence → ACL chain. You can verify it independently. This gives your security and audit teams a concrete artefact to check — provenance you can prove, not a score you have to believe.

06

Human approval gates

Model output never becomes authoritative knowledge without passing the verification queue, where a human reviewer approves it under your installation’s rules. Where automatic actions are possible, they are a setting your administrators control and are surfaced for attention, not run silently. The platform is built so the default posture is human oversight.

07

Audit trails

What was captured, structured, approved, retrieved, and acted upon is recorded and reviewable. Source history is preserved when evidence is updated or contradicted, so a reviewer can reconstruct how a piece of knowledge reached its current state.

08

Deployment profiles

Choose the profile your risk posture requires: managed SaaS for lower-sensitivity teams, hybrid with a customer-owned data plane as the recommended default for sensitive content, or on-premises — including air-gapped — with routing to private or open-weight models. Sensitive content and indexes live in the plane you own.

09

Compliance readiness — stated honestly

Evodira is built for SOC 2 and GDPR from the architecture up, with data residency, redaction, audit trails, and human approval as first-class controls. We are tracking EU AI Act readiness ahead of the 2 August 2026 obligations.

These statements describe our posture and direction, not certifications we claim to have already obtained. We will share the current state of our documentation, controls, and any attestations directly with you during a security review or pilot.

10

Reporting a vulnerability

If you believe you have found a security issue, please contact us at security@evodira.com. We take reports seriously and will work with you on responsible disclosure.

Questions about any of this? Write to us at hello@evodira.com. We will share current documentation and attestations during a pilot.