Trust Center
Security, Privacy & Compliance at EvaluationsHub.
Everything a procurement leader, legal team or CISO needs to evaluate EvaluationsHub as a trusted vendor — in one place.
ISO 27001 Certified
GDPR Compliant — EU Data Residency
AWS EU Paris — Encrypted at Rest & in Transit
Certifications & Compliance
Where we stand today.
We pursue the certifications your legal and procurement team requires — not as a checkbox, but as a baseline.
Certified
ISO 27001
Information security management system certified. Covers the full EvaluationsHub platform including infrastructure, data processing and access controls.
Active
GDPR Compliant
Full GDPR compliance. EU-based data processing with no cross-border transfer outside the EEA. DPA available to sign online.
Active
CSRD / ESG Ready
Built to support CSRD supply chain due diligence. ESG module tracks Scope 3 indicators, certifications and compliance evidence per supplier.
Active
2FA on All Accounts
Two-factor authentication enforced by default for all users and admin accounts. Mandatory for every login — no optional toggle.
Active
NVIDIA Inception Member
Member of the NVIDIA Inception AI accelerator programme with access to enterprise-grade AI infrastructure standards and technical oversight.
Technical Security Controls
What protects your data.
The security controls applied at infrastructure, application and organisational level — running continuously.
AWS EU Paris Infrastructure
All data hosted on AWS in the EU Paris region. No data ever leaves the European Economic Area. Geo-redundant backups run daily.
Encryption at Rest & in Transit
All data encrypted at rest with AES-256. All data in transit uses TLS 1.2+ with HTTPS enforced across every endpoint and API call.
AWS WAF — Web Application Firewall
All user-facing endpoints are protected by AWS WAF, which blocks injection attacks, DDoS vectors and other malicious traffic before it reaches the application layer.
Role-Based Access Control
Granular RBAC across all modules. Users only see data their role permits. Separate permissions for procurement managers, evaluators, supplier portal users and admins.
Full Audit Trail
Every user action, evaluation change, CAPA update and document access is logged with timestamp, user identity and IP. Logs are immutable and exportable.
Daily Backups & Point-in-Time Recovery
Automated daily backups with geo-redundant storage. Point-in-time recovery available. RTO and RPO defined in SLA agreements with Enterprise customers.
Penetration Testing
Regular third-party penetration tests conducted against the application and infrastructure. Results available under NDA to Enterprise customers on request.
Responsible Disclosure Policy
We maintain an open responsible disclosure policy. Verified security researchers who report valid vulnerabilities are acknowledged throughout remediation.
Multi-Tenant Data Isolation
Every customer's data is logically isolated in a dedicated tenant namespace. Cross-tenant data access is architecturally prevented at the database and application layer.
Your data stays in Europe. Always.
All customer data is processed and stored on AWS in the EU Paris region. We do not transfer, mirror or replicate data outside the EEA — not for AI processing, not for analytics, not for support tooling.
Data residency: EU Paris — contractually guaranteed
No transfer to third countries without explicit written consent
Your data is never used to train AI models
Data deletion upon contract termination — within 30 days, certified
GDPR Article 28 DPA available — sign online or negotiated version for Enterprise
Data portability — full export available at any time in standard formats
EU-only
Data residency — AWS Paris. Contractually guaranteed.
AES-256
Encryption standard for all data at rest.
Daily
Automated geo-redundant backups with point-in-time recovery.
30 days
Maximum data deletion window post contract termination.
Legal Documents
Everything your legal team needs.
Standard documents are available below. Enterprise customers can request negotiated versions of the DPA and NDA.
Data Processing Agreement (DPA)
GDPR Article 28 compliant DPA — read and sign directly online via Zoho Sign. Negotiated version available for Enterprise accounts.
Non-Disclosure Agreement (NDA)
Mutual NDA — sign online directly. Available for prospect evaluations and enterprise pilots.
Privacy Policy
Full privacy policy covering data collection, processing, retention and your rights under GDPR.
Terms of Service
Standard subscription terms governing use of the platform, SLAs and support obligations.
Security Summary
One-page security overview for fast vendor qualification — controls, certifications and architecture summary.
Security Questionnaire
Pre-completed CAIQ/VSAQ-style questionnaire for enterprise procurement qualification processes.
Sub-processors
Who processes your data on our behalf.
We maintain a complete and up-to-date list of all sub-processors with access to customer data.
Sub-processor | Purpose | Data location
Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, database | 🇫🇷 EU (Paris)
Zoho Corporation | CRM, email, contracts, helpdesk, authentication | 🇳🇱 EU (Netherlands)
Stripe | Payment processing (billing only — no supplier data) | 🇮🇪 EU (Ireland)
Anthropic (Eva AI only) | AI inference for Eva AI — processed with strict data minimisation | 🇺🇸 US — contractual DPA in place
Make.com | Integration automation (optional, customer-configured) | 🇩🇪 EU (Frankfurt)
Questions for your legal or security team?
We respond to security questionnaires, DPA requests and compliance inquiries within 48 hours.
Available on request: DPA · NDA · Security summary · ISO 27001 certificate · Pen test results (Enterprise, under NDA)