Security at User Evaluation

The standards your security team cares about.

SOC 2 Type II, ISO 27001, ISO 42001, GDPR, HIPAA. Zero AI training on your data. The confidentiality bar that large research teams have to clear, cleared.

Compliance

Five standards.
Five clean reports.

ISO 42001

ISO 42001 certified. Our AI governance framework documents how we build and operate AI features.

ISO 27001

ISO 27001 certified. The international standard for information security management.

SOC 2 Type II

SOC 2 Type II, audited annually against the controls that govern how we store and access your data.

GDPR

GDPR compliant. EU privacy rules apply to every workspace by default.

HIPAA

HIPAA-compliant policies and controls for protected health information.

How we handle your data

Four commitments that don’t change with the plan.

Zero AI training on your data

Your Customer Data is never used to train any AI model, ours or anyone else's. PII is masked before any LLM request leaves our infrastructure.

Encrypted at rest and in transit

TLS in transit, AES-256 at rest. Database, object storage, and message queues are all encrypted with rotated keys.

SSO, SCIM, and audit logs

SAML SSO and SCIM provisioning on Plus. Every workspace action is recorded with actor, target, and timestamp.

US-hosted, with EU region available

Production runs on US infrastructure by default. EU-resident processing on request for teams with data-residency requirements.

Your data does not train AI models.

Not ours. Not the LLM provider’s. Not anyone’s. We use commercial AI providers under agreements that bar training on our data and cap retention of inference data at 30 days, and we route every request through our own PII-masking layer first.

Before the request leaves

Names, emails, phone numbers, and account identifiers are replaced with placeholders before the prompt is sent. The model sees only the placeholders; the mapping stays on our side, and the response is re-hydrated against it before anyone reads it.

After the response comes back

No request, prompt, or response is retained for model training. The LLM provider deletes inference data within 30 days of the request.
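The two steps above (placeholders out, originals back in) are the masking layer described on this page. The block below is an added illustration of that pattern, not the product's own code: the regexes, placeholder format, sample prompt and the idea of passing known names and account IDs in from the caller are all assumptions made for the example. It also adds the check a practitioner wants before re-hydrating, namely refusing placeholders the model made up.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the PII classes that have a recognisable shape (assumed for this
# example). Names and account identifiers have no universal pattern, so the
# caller supplies them from the workspace's own records; a production masking
# layer would use an entity recogniser instead.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
PLACEHOLDER_RE = re.compile(r"\[[A-Z]+_\d+\]")


def mask(text: str, known_entities: List[Tuple[str, str]]) -> Tuple[str, Dict[str, str]]:
    """Replace PII in `text` with placeholders such as [EMAIL_1].

    Returns the masked text and the placeholder -> original mapping. The
    mapping is the secret: only the masked text leaves the infrastructure.
    """
    mapping: Dict[str, str] = {}            # placeholder -> original value
    seen: Dict[Tuple[str, str], str] = {}   # (kind, value) -> placeholder, so repeats reuse one token
    counters: Dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        key = (kind, value)
        if key not in seen:
            counters[kind] = counters.get(kind, 0) + 1
            seen[key] = f"[{kind}_{counters[kind]}]"
            mapping[seen[key]] = value
        return seen[key]

    # Known entities first, longest value first, so a full name is masked as a
    # unit before a shorter entity could match inside it.
    for kind, value in sorted(known_entities, key=lambda kv: len(kv[1]), reverse=True):
        if value in text:
            text = text.replace(value, placeholder(kind, value))
    text = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: placeholder("PHONE", m.group(0)), text)
    return text, mapping


def unmapped_placeholders(text: str, mapping: Dict[str, str]) -> List[str]:
    """Placeholders in a model response that were never issued (hallucinated or mangled).

    A response containing any of these should be flagged, not silently re-hydrated.
    """
    return [ph for ph in PLACEHOLDER_RE.findall(text) if ph not in mapping]


def rehydrate(text: str, mapping: Dict[str, str]) -> str:
    """Put the original values back into a model response, on our side only."""
    if unmapped_placeholders(text, mapping):
        raise ValueError("response contains placeholders we did not issue")
    for ph, original in mapping.items():
        text = text.replace(ph, original)
    return text


# Constructed sample input for the example; not real customer data.
SAMPLE_PROMPT = (
    "Hi Ana Lima (account 48213), please email ana.lima@example.com "
    "or call +1 415 555 0199 about the interview."
)
SAMPLE_ENTITIES = [("NAME", "Ana Lima"), ("ACCOUNT", "48213")]

if __name__ == "__main__":
    masked, secret_map = mask(SAMPLE_PROMPT, SAMPLE_ENTITIES)
    print("to model:  ", masked)
    # Constructed stand-in for the model's reply, referring only to placeholders.
    reply = "Reply to [EMAIL_1] and schedule the interview with [NAME_1]."
    print("to user:   ", rehydrate(reply, secret_map))
```

The re-hydration step deliberately fails closed: if the model emits a placeholder that is not in the mapping, the response is rejected rather than returned with a fabricated identifier in it.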

Day-to-day practice

What we do, on a normal week.

  • Annual third-party penetration tests on the full app and API
  • Quarterly internal vulnerability scans, patched on a 7-day SLA
  • Background-checked engineers; least-privilege production access
  • Incident response runbook with 30-minute paging SLA
  • Every webhook delivery signed with HMAC-SHA256, with a 30-day delivery log per webhook
  • Data deletion within 30 days of workspace cancellation
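The webhook item above says deliveries are signed with HMAC-SHA256; what a receiver should do with that signature is the part worth showing. The block below is an added example of a receiver-side check, not the product's own verifier or its documented wire format: the header names (`X-Timestamp`, `X-Signature`), the signed string `"<timestamp>.<body>"`, the hex encoding, the five-minute replay window and the sample event body are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Assumed header names and replay tolerance; consult the real webhook docs for yours.
TIMESTAMP_HEADER = "X-Timestamp"
SIGNATURE_HEADER = "X-Signature"
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed format).

    Binding the timestamp into the MAC is what lets the receiver reject replays
    of an old, validly signed delivery.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Mapping[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Return True only for a fresh delivery whose signature matches the raw body.

    `body` must be the exact bytes received; re-serialising parsed JSON would
    change whitespace or key order and break the MAC.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        presented = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False                      # missing or malformed headers: reject
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                      # stale or far-future: treat as replay
    expected = sign(secret, timestamp, body)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


# Constructed sample delivery for the example; the secret and event are made up.
SECRET = b"whsec_example_only"
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = b'{"event":"study.completed","id":"ev_0001"}'
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: str(SAMPLE_TS),
    SIGNATURE_HEADER: sign(SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print("genuine:", verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 5))
    print("tampered:", verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" ", now=SAMPLE_TS + 5))
    print("replayed:", verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 3600))
```

Verify before parsing: the MAC covers the raw bytes, so the check belongs in front of any JSON decoding or business logic, and the signing secret should be loaded from a secret store rather than a constant as in this sample.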

US by default. EU on request.

Production runs on US infrastructure by default. EU-resident processing is available for customers with data-residency requirements. Talk to us about your specific contract clauses; we accept most of them as written.


Talk to security.

Cert PDFs, the latest pen-test summary, and a vendor questionnaire are one email away.