Trust Center

Security, certification readiness, and AI governance — stated honestly.

Evalio is preparing ISO/IEC 27001-aligned and SOC 2 readiness controls. No external audit has been completed. This page documents what is implemented, what evidence is being prepared, and what cannot yet be claimed.

Security overview

Evalio's security posture rests on tenant-isolated workspaces, server-side authorization, sealed audit registers, and human-governed AI boundaries. Controls are documented in the register below; certification status is shown without inflated claims.

Confidentiality

Data is scoped to the workspace that owns it. Cross-workspace access requires an elevated, logged platform role.

Integrity

Sensitive actions are sealed to a register row history. Admin overrides record the actor, target, and reason.

Availability

Service runs on managed infrastructure with provider-level backups; recovery procedures are being tested.

Human governance

AI prepares evidence; consultants review; clients decide. AI never assigns pay, grade, promotion, or legal status.

Data protection posture

Data is encrypted in transit (TLS) and at rest by the managed database. Personal data categories, retention periods, and deletion rules are documented in the retention register on this page.

Access control

Access is enforced by roles, scopes, and module verbs. Permissions are checked server-side via row-level security; client-side checks are presentational only. Access reviews are documented on a quarterly cadence.

Tenant isolation

Each workspace is logically segregated. Workspace membership is required to read or write workspace-scoped tables. Cross-workspace access is restricted to platform owner, admin, or governance roles, and every override is recorded.

Audit logging

Sensitive register changes write to a sealed history table. Admin enforcement actions are recorded separately with actor, target, and reason. Logs are scoped by role; raw access requires a platform-level role.
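One way to realise the two mechanisms described above (workspace-scoped tables gated by membership with an elevated-role bypass, and a sealed history row written for every sensitive change), as an added SQL illustration that is not Evalio's code; the table names, the app_user role and the app.* session settings are assumptions:

```sql
-- Constructed example, not Evalio's schema: workspace-scoped row-level security
-- plus an append-only change history. Assumes PostgreSQL 11+, an unprivileged
-- application role app_user that does not own these tables, and session settings
-- app.user_id, app.platform_role and app.change_reason set by the app server.
CREATE TABLE workspace_members (workspace_id uuid, user_id uuid,
                                PRIMARY KEY (workspace_id, user_id));
CREATE TABLE register_rows (id uuid PRIMARY KEY, workspace_id uuid NOT NULL,
                            payload jsonb NOT NULL);
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
  $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;
CREATE FUNCTION current_platform_role() RETURNS text LANGUAGE sql STABLE AS
  $$ SELECT coalesce(current_setting('app.platform_role', true), '') $$;

-- FORCE applies policies to the table owner too; superusers always bypass RLS.
ALTER TABLE register_rows ENABLE ROW LEVEL SECURITY;
ALTER TABLE register_rows FORCE ROW LEVEL SECURITY;

-- Tenant isolation: only members of the owning workspace can read or write a row.
-- Without a WITH CHECK clause the USING predicate also governs INSERT and UPDATE.
CREATE POLICY workspace_member_access ON register_rows
  USING (EXISTS (SELECT 1 FROM workspace_members m
                 WHERE m.workspace_id = register_rows.workspace_id
                   AND m.user_id = current_user_id()));
-- Cross-workspace access only for elevated platform roles (permissive policies OR).
CREATE POLICY platform_role_access ON register_rows
  USING (current_platform_role() IN ('owner', 'admin', 'governance'));

-- Sealed history: every change is appended with actor, role and stated reason.
CREATE TABLE register_row_history (
  id bigserial PRIMARY KEY, row_id uuid NOT NULL, workspace_id uuid NOT NULL,
  actor_id uuid, platform_role text NOT NULL, reason text,
  old_payload jsonb, new_payload jsonb, recorded_at timestamptz NOT NULL DEFAULT now());
-- SECURITY DEFINER lets the trigger append history without granting app_user
-- any direct INSERT on the history table.
CREATE FUNCTION record_register_history() RETURNS trigger
  LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE r register_rows;
BEGIN
  IF TG_OP = 'DELETE' THEN r := OLD; ELSE r := NEW; END IF;
  INSERT INTO register_row_history
    (row_id, workspace_id, actor_id, platform_role, reason, old_payload, new_payload)
  VALUES (r.id, r.workspace_id, current_user_id(), current_platform_role(),
          current_setting('app.change_reason', true),
          CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
          CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END);
  RETURN r;
END $$;
CREATE TRIGGER register_rows_history AFTER INSERT OR UPDATE OR DELETE ON register_rows
  FOR EACH ROW EXECUTE FUNCTION record_register_history();
-- app_user may read history but never rewrite or purge it.
GRANT SELECT ON register_row_history TO app_user;
```

The history table would need its own workspace-scoped read policy, and workspace_members must itself be protected so users cannot add themselves; both are omitted here for brevity.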

AI governance

AI does not decide pay, grade, promotion, commission, entitlement, legal status, or actuarial certainty.
AI does not expose protected methodology, weights, thresholds, or model mechanics.
AI logs only safe summaries — never raw protected evidence.
AI outputs always require human review before they enter a sealed decision record.
Sensitive evidence must not be pasted into AI surfaces unless the source-rights holder has permitted it.

Source-rights discipline

Salary surveys and external benchmarks are used strictly under each source's licence. Source-rights flags travel with every output. Proprietary values are never re-published; previews show qualitative state, not raw figures.

Incident response readiness

Detection, escalation, containment, and post-mortem procedures are documented and being formalised. The severity scale and response SLAs are under review prior to publication.

Business continuity readiness

The continuity plan is being prepared with named owners and tested recovery steps. The first tabletop exercise is scheduled.

Certification readiness

Evalio is not currently certified against ISO/IEC 27001, SOC 2, GDPR, or any other framework. The states below describe internal readiness — not external attestation.

ISO/IEC 27001 readiness
Readiness in progress
Information security management system covering the Evalio platform and operations.
Control inventory established; evidence collection in progress; no external audit completed.
External audit: not yet completed
Next: Complete control evidence and select certification body.
SOC 2 readiness
Readiness in progress
Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Readiness mapping in progress; no Type I or Type II report exists.
External audit: not yet completed
Next: Complete readiness assessment before engaging an auditor.
Data privacy readiness
Readiness in progress
GDPR-aligned handling for EU/UK personal data; data subject request procedure under preparation.
Privacy notice and PII categories drafted; DPA templates under review.
External audit: not yet completed
Next: Publish data subject request procedure and finalise DPA template.
AI governance readiness
Under review
Documented boundaries: AI prepares evidence; humans decide. No autonomous pay or grade decisions.
Companion mode registry and boundary copy enforced product-wide.
External audit: not yet completed
Next: External AI governance review not yet scheduled.
Vendor risk readiness
Evidence required
Subprocessor inventory and data access classification.
Baseline list pending governance approval.
External audit: not yet completed
Next: Approve subprocessor register and DPA references.

Security control register

One row per control area. Status, evidence, owner, review state, and next action are stated explicitly. No control is marked complete without documented evidence.

Control area | Objective | Status | Evidence required | Owner | Review | Next action
Access control | Least-privilege access enforced via roles, scopes, and module verbs. | In progress | Role/permission matrix export; periodic access review records. | Platform admin | In review | Document quarterly access review cadence.
Authentication | Identity verified through company-domain sign-in; generic providers blocked. | In progress | Auth provider configuration; password policy; HIBP check status. | Platform admin | In review | Enable leaked-password protection in production.
Authorization | Permissions enforced server-side via row-level security and module verb checks. | Implemented | RLS policy export; module verb tests. | Platform admin | Reviewed | Schedule next quarterly RLS regression.
Tenant isolation | Workspace data is segregated; cross-workspace access requires elevated platform role. | Implemented | Workspace membership policies; segregation tests. | Platform admin | Reviewed | Re-run tenant isolation tests after schema changes.
Data retention | Retention windows defined per data category with documented deletion rules. | Evidence required | Retention policy register; deletion job logs. | Governance | Pending | Approve baseline retention policies.
Audit logs | Sensitive actions sealed to register row history; admin overrides logged separately. | Implemented | Register row history; admin override log entries. | Platform admin | Reviewed | Confirm log retention duration.
Encryption | Data encrypted in transit (TLS) and at rest by the managed database. | Implemented | Provider attestations; TLS configuration record. | Platform admin | Reviewed | Document key management ownership.
Backup and recovery | Managed backups with documented RPO and RTO targets. | Evidence required | Backup schedule; restoration test record. | Platform admin | Pending | Run a documented restore drill.
Incident response | Documented detection, escalation, containment, and post-mortem flow. | In progress | Incident runbook; on-call rotation; severity matrix. | Platform admin | In review | Publish severity scale and SLA targets.
Vendor / subprocessor management | Subprocessor inventory maintained with data access classification. | Evidence required | Subprocessor register; DPA references. | Governance | Pending | Confirm baseline subprocessor list and categories.
Secure development | Code review, automated checks, and dependency scanning before release. | In progress | CI policy; dependency scan results; review records. | Platform admin | In review | Define minimum review and scan policy.
Change management | Schema and release changes are gated through migrations and review. | Implemented | Migration history; release approver register. | Platform admin | Reviewed | Confirm production release approver assignment.
AI governance | AI prepares evidence; humans decide. AI never decides pay, grade, promotion, entitlement, or legal status. | Implemented | Companion mode registry; boundary copy on every AI surface. | Governance | Reviewed | Refresh AI boundary copy on each module addition.
Privacy | Personal data handling documented, scoped, and reviewable. | In progress | Privacy notice; PII categories register; data subject request procedure. | Governance | In review | Publish data subject request procedure.
Business continuity | Service continuity plan with named owners and tested recovery steps. | Evidence required | Business continuity plan document; tabletop exercise record. | Platform admin | Pending | Schedule first business continuity tabletop exercise.

Subprocessors

Categories of vendors that may process data on Evalio's behalf. Specific vendor identification and DPA references are confirmed under enterprise engagements.

Subprocessor | Category | Data access | Status
Managed database provider | Database hosting | Application data | approved
Application hosting platform | Compute / edge runtime | Application traffic | approved
Email delivery provider | Transactional email | Recipient metadata | under review
Object storage provider | File storage | Workspace artifacts | proposed
Error monitoring provider | Observability | Error metadata | proposed
Analytics provider | Product analytics | Usage metadata | proposed

Data retention

Data category | Retention period | Deletion rule | Review state
Authentication logs | 12 months | Rolling deletion after window expires. | in review
Audit register history | Workspace lifetime + 7 years | Sealed; deletion only on documented request. | in review
Workspace artifacts | Workspace lifetime | Deleted on workspace closure request. | in review
Personal contact data | 24 months from last contact | Anonymised on request or at end of period. | draft
Misuse signals | 30 days rolling | Aggregated to enforcement state then dropped. | in review
Backups | 35 days rolling | Provider-managed snapshot rotation. | draft

Launch readiness summary

What is implemented

Tenant isolation, server-side authorization (RLS), sealed audit history, admin override logging, encryption in transit and at rest, governed AI boundaries, change management via migrations.

What evidence is being prepared

Quarterly access reviews, restoration drill, incident severity scale and SLA, secure-development policy, data subject request procedure, business continuity tabletop.

What requires external audit

ISO/IEC 27001 certification, SOC 2 Type I/II reports, formal privacy attestations. None of these are currently complete.

What cannot be claimed yet

Evalio is NOT ISO certified, NOT SOC 2 certified, NOT GDPR certified, and has NOT completed any independent security audit. Any claim to the contrary should be reported to security@evalio.

For enterprise reviews, contact your Evalio sponsor for the latest control evidence package.


Public preview boundaries

Public previews are illustrative and may use mock or public-safe examples. Evalio outputs are designed to support structured review and decision preparation. They are not legal, tax, regulatory, actuarial, financial, or final compensation advice.

AI helps prepare the work. Consultants review sensitive judgment. Your team decides. Evalio records the rationale.

Evalio’s methodology, output architecture, review logic, and platform materials are proprietary. Public previews do not disclose protected scoring, weights, thresholds, formulas, grade mapping logic, AI prompts, or methodology mechanics.

Use of public pages or sandbox previews does not create a consulting, advisory, fiduciary, employment, compensation, legal, tax, or actuarial relationship with Evalio unless separately agreed in writing.

Evalio is a governed Total Rewards and workforce intelligence operating environment. Public-estate market and benchmark figures are indicative and illustrative; live values inside a workspace are bounded by client source rights.

© 2026 Evalio. All rights reserved.
Governed decision support for reward and workforce decisions.