EvidentROI is built for CFOs who handle sensitive financial data. Here's exactly how we keep it secure.
EvidentROI uses Supabase with PostgreSQL Row Level Security (RLS) enforced at the database level. Every query is filtered by your authenticated user ID before any data is returned — not in application code, but in the database itself. This means even a bug in our application code cannot return another user's data.
Your agents, ROI calculations, snapshots, audit logs, and vendor overrides are scoped to your account exclusively. No shared tables, no cross-account data exposure.
All data transmitted between your browser and EvidentROI is encrypted via TLS/HTTPS. There is no unencrypted HTTP access — all HTTP traffic is redirected to HTTPS automatically.
Data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256. File uploads including company logos are stored in encrypted object storage with access controlled by signed URLs.
All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. EvidentROI never receives, transmits, or stores credit card numbers, CVVs, or bank details. Stripe handles all payment data directly in their secure environment.
Your subscription status is managed via Stripe's API using only non-sensitive identifiers. If you cancel, your payment method is removed from Stripe's systems per their retention policy.
Morgan, our AI financial advisor, is powered by Anthropic's Claude API. Requests are proxied through a dedicated backend server hosted on Railway — your Anthropic API key is never exposed to the browser or to users.
Anthropic's API does not use your inputs to train their models by default. Your financial data and queries sent to Morgan are not retained by Anthropic beyond the standard API processing window. See Anthropic's privacy policy for details.
Both evidentroi.com and our backend API are monitored 24/7 by UptimeRobot with alerting on any downtime event. You can view our live status page at any time:
stats.uptimerobot.com/qvtsNz4Ldm
Our frontend is served via Netlify's global CDN with automatic failover. The backend runs on Railway with isolated container infrastructure.
If you cancel your EvidentROI subscription, your account data — including all agents, ROI snapshots, audit logs, and uploaded files — is retained for 30 days to allow for reactivation or data export. After 30 days, all data is permanently deleted from our systems.
You can request immediate deletion of your data at any time by emailing help@evidentroi.com. We will process deletion requests within 5 business days.
User authentication is handled by Supabase Auth, which uses industry-standard JWT tokens with short expiration windows. Email verification is required on signup — unverified accounts cannot access the application.
Passwords are hashed using bcrypt and are never stored in plaintext. EvidentROI staff cannot view or recover your password.