Security & Data Handling

How EvalGate protects your data throughout the evaluation lifecycle.

Encryption

  • All data encrypted in transit via TLS
  • Secrets encrypted at rest using provider-managed encryption
  • API keys stored as SHA-256 hashes — never in plaintext
  • Provider keys encrypted using AES-256 via application-managed encryption keys

Data Retention

  • Account data retained for 90 days after deletion
  • Trace data: 90 days (free tier), 1 year (paid tiers)
  • Evaluation results: duration of subscription + 90 days
  • Share links: configurable expiry with a 7-day default

PII Protection

  • Automatic PII redaction in shared exports — emails, SSNs, phone numbers, credit cards, and API keys
  • Redaction enabled by default; opt-out available for org admins
  • Export size limits (10 MB) to prevent bulk data extraction

Audit Trail

  • Full audit trail for critical mutations
  • Immutable audit log entries
  • Admin-only read access to audit logs

Access Control

  • Multi-tenant architecture with organization-scoped data isolation
  • Role-based access control: viewer, member, admin, owner
  • Scope-based API key authorization with wildcard rejection
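The two API-key properties above (keys stored only as SHA-256 hashes, scope-based authorization that rejects wildcards) fit together as shown in this added example; it is illustrative code, not EvalGate's own implementation. The in-memory dictionary standing in for the key table, the `egk_` key prefix, the scope strings and the reading of "wildcard rejection" as refusing any scope containing `*` are all assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ApiKeyRecord:
    org_id: str              # organization the key belongs to (tenant isolation)
    scopes: frozenset[str]   # explicit permissions; no wildcard entries allowed


# Hypothetical key table: keyed by hex SHA-256 digest, the raw key is never stored.
KEY_STORE: dict[str, ApiKeyRecord] = {}


def hash_key(raw_key: str) -> str:
    """Digest used for storage and lookup, so a leaked table yields no usable keys."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(org_id: str, scopes: Iterable[str]) -> str:
    """Mint a high-entropy key and persist only its hash plus its explicit scopes."""
    scope_set = frozenset(scopes)
    # Wildcard rejection at issuance: every permission must be named individually.
    if any("*" in s for s in scope_set):
        raise ValueError("wildcard scopes are not permitted")
    # 256 bits of randomness: unsalted SHA-256 is adequate because the key itself
    # is not guessable, unlike a user-chosen password.
    raw_key = "egk_" + secrets.token_urlsafe(32)   # "egk_" prefix is a constructed placeholder
    KEY_STORE[hash_key(raw_key)] = ApiKeyRecord(org_id, scope_set)
    return raw_key


def authorize(raw_key: str, org_id: str, required_scope: str) -> bool:
    """Return True only if the key exists, belongs to org_id and holds the exact scope."""
    # Wildcard rejection at request time: a caller cannot ask for "traces:*".
    if "*" in required_scope:
        return False
    record = KEY_STORE.get(hash_key(raw_key))
    if record is None:
        return False
    if record.org_id != org_id:          # organization-scoped data isolation
        return False
    return required_scope in record.scopes
```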

Compliance Framework Support

  • Governance policy templates available: BASIC, SOC2, GDPR, HIPAA, FINRA_4511, PCI_DSS

These are policy templates for evaluation governance, not certifications.

Runs on infrastructure providers that support SOC 2 reports (available on request).

Rate Limiting

  • Tier-based rate limiting: 30–10,000 requests/min depending on plan
  • Redis-backed sliding window algorithm