Security

Data Encryption

All data is protected using industry-standard encryption protocols:

• In Transit: TLS 1.3 encryption for all data transmission between clients and our servers
• At Rest: AES-256 encryption for all stored data, including evidence files and metadata
• Key Management: Encryption keys are managed using hardware security modules (HSMs) and are never stored in plaintext
• Database Encryption: All databases are encrypted at the disk level with additional application-level encryption for sensitive fields

Access Controls and Authentication

Multi-Factor Authentication (MFA)

All user accounts require multi-factor authentication. We support:

• Time-based one-time passwords (TOTP)
• Hardware security keys (FIDO2/WebAuthn)
• SMS-based authentication (where permitted by policy)
• Biometric authentication on supported devices

Role-Based Access Control (RBAC)

Access to data and features is controlled through granular role-based permissions:

• Customizable roles aligned with organizational hierarchies
• Principle of least privilege enforced by default
• Separation of duties for sensitive operations
• Regular access reviews and certification processes

Session Management

Sessions are secured with:

• Secure, HTTP-only cookies
• Automatic session timeout after inactivity
• Concurrent session limits
• Device and location-based anomaly detection

Infrastructure Security

Cloud Infrastructure

Our services are hosted on enterprise-grade cloud infrastructure with:

• Multi-region redundancy for high availability
• Isolated network segments and private subnets
• Web application firewalls (WAF) and DDoS protection
• Intrusion detection and prevention systems (IDS/IPS)
• Regular security patching and updates

Network Security

Network security measures include:

• Virtual private networks (VPNs) for administrative access
• Network segmentation to limit lateral movement
• Regular network vulnerability scans
• Traffic monitoring and anomaly detection

Security Monitoring and Auditing

Continuous Monitoring

We maintain 24/7 security monitoring through:

• Security information and event management (SIEM) systems
• Real-time alerting for suspicious activities
• Automated threat detection and response
• Regular security log reviews and analysis

Audit Logging

Comprehensive audit logs are maintained for:

• All user authentication and authorization events
• Data access, modification, and deletion activities
• Administrative actions and configuration changes
• Evidence processing and analysis activities

Audit logs are immutable, tamper-evident, and retained in accordance with legal and regulatory requirements.

Incident Response

We maintain a comprehensive incident response plan that includes:

• Detection: Automated and manual detection of security incidents
• Response: Rapid containment and mitigation procedures
• Communication: Timely notification to affected customers and stakeholders
• Recovery: Restoration procedures and post-incident analysis
• Lessons Learned: Continuous improvement based on incident reviews

In the event of a security incident affecting your data, we will notify you within 72 hours or as required by applicable law, whichever is sooner.

Security Assessments and Testing

Penetration Testing

We conduct regular penetration testing by independent, third-party security firms:

• Annual comprehensive penetration tests
• Quarterly vulnerability assessments
• Continuous automated security scanning
• Bug bounty program for responsible disclosure

Code Security

Our development process includes:

• Static application security testing (SAST)
• Dynamic application security testing (DAST)
• Dependency vulnerability scanning
• Secure code review practices
• Regular security training for development teams

Employee Security

All EvidaraIQ employees undergo:

• Background checks and security clearances where required
• Regular security awareness training
• Confidentiality and non-disclosure agreements
• Principle of least privilege for system access
• Regular access reviews and certifications

Data Backup and Recovery

We maintain comprehensive backup and disaster recovery procedures:

• Automated daily backups with point-in-time recovery
• Encrypted backups stored in geographically distributed locations
• Regular backup restoration testing
• Documented recovery time objectives (RTO) and recovery point objectives (RPO)

Third-Party Security

We carefully vet all third-party service providers and vendors:

• Security assessments of vendors before engagement
• Contractual security requirements and data processing agreements
• Regular vendor security reviews and audits
• Monitoring of vendor security posture

Your Security Responsibilities

While we implement robust security measures, you also have responsibilities:

• Use strong, unique passwords and enable MFA
• Keep your account credentials confidential
• Regularly review account access and permissions
• Report suspected security incidents immediately
• Keep your devices and browsers updated
• Follow your organization's security policies

Security Certifications and Compliance

In addition to targeting SOC 2 Type II certification, we are planning compliance with:

• CJIS Security Policy: Designed to meet Criminal Justice Information Services security requirements
• FedRAMP: Working toward FedRAMP authorization for federal customers
• ISO 27001: Information security management system aligned with ISO standards
• GDPR: Compliance with European data protection regulations
• CCPA: Compliance with California privacy regulations

See our Compliance page for more detailed information.

Security Contact

For security-related inquiries, vulnerability reports, or security incidents, please contact: