How we protect your data
Security & Data
Evidentia is built for regulated professionals who are accountable for the records they create. We take the security and integrity of your data with the same seriousness you bring to your governance obligations.
Data Residency
Your data is stored within the European Union.
- Database: Supabase, hosted in Ireland (AWS eu-west-1)
- Application: Vercel global CDN (application serving tier; not where records are stored)
- Email: Resend (EU region)
Primary data storage is within the EEA. Because the application is served from a global CDN, requests may be handled at edge locations outside the EU before they reach the EU-hosted database.
Encryption
All data is encrypted in transit using TLS 1.2 or higher.
Data at rest is encrypted by Supabase's infrastructure.
Authentication tokens are never stored in plain text.
Access Controls
Row-level security (RLS) is enforced at the database level: every query is filtered by policy so that users can only read or write rows belonging to their organisation.
Every API endpoint requires authentication.
Because the policies are enforced inside the database rather than only in application code, a request authenticated as one organisation cannot return another organisation's rows.
Cryptographic Integrity
Every governance record is sealed with a SHA-256 hash computed at the moment of creation.
Each record also stores the hash of the record before it, forming a tamper-evident chain: any modification to a record after creation changes its hash, the link stored in the following record no longer matches, and the break is detected when the chain is verified.
This is by design — immutability is a core feature, not a constraint.
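As an added illustration (not Evidentia's schema or code), the Postgres/Supabase SQL below shows how the two mechanisms described above, organisation-scoped row-level security and SHA-256 chaining, fit together in one table: RLS policies that scope reads and inserts to the caller's organisation, a trigger that seals each new record and links it to the previous record for the same organisation, an append-only guard, and a function that walks the chain and re-derives every hash. The table, column and function names (`governance_records`, `org_members`, `record_preimage`, `seal_record`, `verify_chain`) and the membership-table model for mapping users to organisations are assumptions for this example.

```sql
-- Added example, not Evidentia's schema. Assumes Supabase Postgres
-- (auth.uid() and auth.users exist; sha256() needs PG 11+). All names are
-- hypothetical.

-- Assumed membership model: which users belong to which organisation.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id),
  primary key (org_id, user_id)
);

create table governance_records (
  id          bigint generated always as identity primary key,
  org_id      uuid        not null,
  seq         bigint      not null,   -- position in this org's chain
  created_at  timestamptz not null default now(),
  payload     jsonb       not null,
  prev_hash   bytea,                  -- null only for the first record
  record_hash bytea       not null,
  unique (org_id, seq)
);

-- RLS: users read and create rows only for their own organisations. With no
-- update/delete policy, RLS denies those operations to ordinary users.
alter table org_members        enable row level security;
alter table governance_records enable row level security;

create policy members_read_own on org_members
  for select using (user_id = auth.uid());

create policy org_read on governance_records
  for select using (
    org_id in (select org_id from org_members where user_id = auth.uid()));

create policy org_insert on governance_records
  for insert with check (
    org_id in (select org_id from org_members where user_id = auth.uid()));

-- Bytes that get hashed. The timestamp is rendered in a fixed UTC format so
-- the preimage does not depend on the session's TimeZone/DateStyle;
-- jsonb::text is already canonical (sorted keys, normalised whitespace).
create or replace function record_preimage(
  p_org uuid, p_seq bigint, p_created timestamptz, p_payload jsonb
) returns bytea language sql stable as $$
  select convert_to(
    p_org::text || '|' || p_seq::text || '|'
      || to_char(p_created at time zone 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"')
      || '|' || p_payload::text, 'UTF8')
$$;

-- Seal each new record: link it to the current head of its organisation's
-- chain and store SHA-256(prev_hash || preimage).
create or replace function seal_record() returns trigger
language plpgsql as $$
declare
  head_seq  bigint;
  head_hash bytea;
begin
  -- Serialise inserts per organisation so two concurrent inserts cannot
  -- both chain to the same head (a fork). Under READ COMMITTED the read
  -- below sees the latest committed row once the lock is held.
  perform pg_advisory_xact_lock(hashtext(new.org_id::text));

  select seq, record_hash into head_seq, head_hash
    from governance_records
   where org_id = new.org_id
   order by seq desc limit 1;

  new.seq         := coalesce(head_seq, 0) + 1;
  new.prev_hash   := head_hash;
  new.record_hash := sha256(coalesce(head_hash, ''::bytea)
    || record_preimage(new.org_id, new.seq, new.created_at, new.payload));
  return new;
end $$;

create trigger seal_before_insert
  before insert on governance_records
  for each row execute function seal_record();

-- Refuse updates and deletes even for roles that bypass RLS (for example
-- the Supabase service role), so the table is append-only for everyone.
create or replace function reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'governance_records is append-only';
end $$;

create trigger append_only
  before update or delete on governance_records
  for each row execute function reject_change();

-- Walk one organisation's chain in order, recompute every hash and check
-- every prev_hash link. Returns the seq of the first broken record, or
-- null when the chain is intact.
create or replace function verify_chain(p_org uuid) returns bigint
language plpgsql as $$
declare
  r    governance_records%rowtype;
  prev bytea := null;
begin
  for r in
    select * from governance_records where org_id = p_org order by seq
  loop
    if r.prev_hash is distinct from prev
       or r.record_hash <> sha256(coalesce(prev, ''::bytea)
            || record_preimage(r.org_id, r.seq, r.created_at, r.payload))
    then
      return r.seq;
    end if;
    prev := r.record_hash;
  end loop;
  return null;
end $$;
```

Clients insert only `org_id` and `payload`; `seq`, `prev_hash` and `record_hash` are filled in by the trigger, and NOT NULL constraints are checked after the BEFORE trigger runs, so the insert succeeds. `select verify_chain('<org uuid>')` re-derives the whole chain and reports the first record whose hash or link no longer matches. Two design points worth noting: ordering by a per-organisation `seq` assigned under the advisory lock, rather than by the identity column, is what keeps verification order equal to chaining order under concurrent inserts; and a hash chain only proves tampering to whoever verifies it, so verification should run routinely (for example before an export) and, for stronger assurance, the current head hash can be recorded somewhere the database administrator cannot rewrite.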
Sub-Processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU (Ireland) |
| Vercel | Application infrastructure | Global CDN |
| Resend | Transactional email | EU |
Breach Notification
In the event of a personal data breach affecting your data, we will notify you without undue delay and in accordance with our obligations under UK GDPR.
ICO Registration
Evidentia Group Ltd is registered with the Information Commissioner's Office (ICO). ICO Reg: [pending]
Data Processing Agreement
For platform customers, a Data Processing Agreement is available setting out our obligations as data processor.
Full agreement
Evidentia Group Ltd (trading as "Evidentia")
1. Parties and Roles. The Customer is the Data Controller; Evidentia is the Data Processor.
2. Scope and Subject Matter. This Agreement governs the processing of personal data by Evidentia on behalf of the Customer in connection with the Evidentia platform.
3. Nature and Purpose of Processing. Processing includes storage of governance records, recording of participants and actions, and retrieval and display of structured evidence records.
4. Categories of Data Subjects and Data. Data subjects may include employees, directors, contractors, and governance participants. Data may include names, roles, contact details, and participation in governance activities.
5. Data Residency and Hosting. Evidentia uses Supabase hosted within the European Union (Ireland region) and Vercel global application infrastructure. Data is primarily stored within the EEA.
6. International Transfers. Where personal data is transferred outside the UK or EEA, Evidentia shall ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, and adequacy decisions where applicable.
7. Processor Obligations. Evidentia shall process data only on documented instructions, ensure the confidentiality of authorised personnel, implement appropriate technical and organisational measures, assist with data subject rights requests, notify the Customer of personal data breaches without undue delay, and maintain records of processing activities where required.
8. Sub-Processors. Approved sub-processors are Supabase, Vercel, and Resend. Evidentia remains responsible for sub-processor compliance.
9. Security. Evidentia shall implement appropriate technical and organisational measures, including access controls, infrastructure security, and encryption where appropriate.
10. Data Subject Rights. Evidentia shall assist the Customer in responding to requests from data subjects.
11. Breach Notification. Evidentia shall notify the Customer without undue delay upon becoming aware of a personal data breach.
12. Deletion and Retention. Upon termination, personal data shall be deleted or returned at the Customer's instruction. However, due to the immutable nature of certain governance records, deletion may not apply to all stored data.
13. Audit Rights. Evidentia shall make available information reasonably necessary to demonstrate compliance.
14. Duration. This Agreement remains in effect for the duration of processing.
Questions
For any security or data questions: hello@evidentia.ltd