Trust & Security

Your data is yours.
We protect it like it.

EvidentROI is built for CFOs who handle sensitive financial data. Here's exactly how we keep it secure.

Security at a glance
Row-level data isolation
HTTPS everywhere
No card data stored
API key isolation
99.9% uptime monitoring
30-day data deletion
Encrypted at rest
Encrypted in transit
🔒
Row-level security — your data is invisible to other users

EvidentROI uses Supabase with PostgreSQL Row Level Security (RLS) enforced at the database level. Every query is filtered by your authenticated user ID before any data is returned — not in application code, but in the database itself. This means even a bug in our application code cannot return another user's data.

Your agents, ROI calculations, snapshots, audit logs, and vendor overrides are scoped to your account exclusively. No shared tables, no cross-account data exposure.


🔐
Encrypted in transit and at rest

All data transmitted between your browser and EvidentROI is encrypted via TLS/HTTPS. There is no unencrypted HTTP access — all HTTP traffic is redirected to HTTPS automatically.

Data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256. File uploads including company logos are stored in encrypted object storage with access controlled by signed URLs.


💳
We never see or store your payment details

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. EvidentROI never receives, transmits, or stores credit card numbers, CVVs, or bank details. Stripe handles all payment data directly in their secure environment.

Your subscription status is managed via Stripe's API using only non-sensitive identifiers. If you cancel, your payment method is removed from Stripe's systems per their retention policy.


🤖
Morgan AI runs through an isolated backend — your queries don't train AI models

Morgan, our AI financial advisor, is powered by Anthropic's Claude API. Requests are proxied through a dedicated backend server hosted on Railway — your Anthropic API key is never exposed to the browser or to users.

Anthropic's API does not use your inputs to train their models by default. Your financial data and queries sent to Morgan are not retained by Anthropic beyond the standard API processing window. See Anthropic's privacy policy for details.


📊
99.9% uptime target with active monitoring

Both evidentroi.com and our backend API are monitored 24/7 by UptimeRobot with alerting on any downtime event. You can view our live status page at any time:

stats.uptimerobot.com/qvtsNz4Ldm

Our frontend is served via Netlify's global CDN with automatic failover. The backend runs on Railway with isolated container infrastructure.


🗑️
Your data is deleted within 30 days of account closure

If you cancel your EvidentROI subscription, your account data — including all agents, ROI snapshots, audit logs, and uploaded files — is retained for 30 days to allow for reactivation or data export. After 30 days, all data is permanently deleted from our systems.

You can request immediate deletion of your data at any time by emailing help@evidentroi.com. We will process deletion requests within 5 business days.


🛡️
Secure authentication with email verification

User authentication is handled by Supabase Auth, which uses industry-standard JWT tokens with short expiration windows. Email verification is required on signup — unverified accounts cannot access the application.

Passwords are hashed using bcrypt and are never stored in plaintext. EvidentROI staff cannot view or recover your password.

Security questions or concerns?
We respond to all security inquiries within one business day.
help@evidentroi.com