Security & Compliance

At Evellere Solutions, safeguarding your clients’ financial data is our top priority. We combine industry-leading best practices, rigorous processes, and enterprise-grade technology to ensure confidentiality, integrity, and availability—without exposing sensitive implementation details.

Data Encryption & Protection
  • In Transit Encryption (TLS 1.2+)
    • All data exchanges between your browser, our application, and third-party services (QuickBooks, Xero, AWS) are encrypted using Transport Layer Security. This prevents eavesdropping or tampering while data is moving across the internet.

  • At Rest Encryption (AES-256)
    • Sensitive information—transaction logs, AI outputs, authentication tokens—is stored in encrypted databases and object storage. We employ Advanced Encryption Standard (AES-256) keys managed by a secure key management system, ensuring that stored data remains unreadable without proper authorization.

  • Tokenization & Secrets Management
    • We never store raw passwords or API credentials. Instead, OAuth tokens for QuickBooks/Xero and any encryption keys are kept in a secure secrets vault that rotates keys on a regular schedule.

Access Control & Authentication
  • OAuth 2.0 for Third-Party Integrations
    • QuickBooks and Xero authorizations follow the industry standard OAuth 2.0 flow. Your team grants EvellereAI only the minimum scopes it needs (read transactions, read accounts), and no direct login credentials are ever stored on our servers.

  • Role-Based Access Controls (RBAC)
    • Within EvellereAI, user permissions are segmented by role (e.g., Admin, Accountant, Client Viewer). Each role has strictly defined privileges—such as who can view AI forecasts versus who can adjust reconciliation rules.

  • Multi-Factor Authentication (MFA)
    • All user logins supporting administrative functions require MFA (e.g., time-based one-time passwords) to add an extra layer of verification beyond just username and password.

Infrastructure & Network Security
  • Isolated Compute Environments
    • We deploy code in isolated, containerized environments to minimize the “blast radius” of any potential exploit. Each service (web frontend, API, AI engine) runs in its own sandbox, preventing cross-service contamination.

  • Firewalls & Network Segmentation
    • Network traffic is restricted by a least-privilege firewall policy. Only necessary ports (e.g., HTTPS on port 443) are open to the public internet; all internal database or AI compute nodes reside in private subnets.

  • Regular Vulnerability Scanning & Patch Management
    • Automated vulnerability scans (static and dynamic) run against our application stack on a biweekly schedule. High-severity issues trigger immediate patching, while medium-severity findings are addressed within 30 days.

Monitoring, Logging & Incident Response
  • Real-Time Monitoring & Alerts
    • We employ a centralized monitoring system that tracks application performance, unusual access patterns (e.g., multiple failed logins), and resource anomalies. Any suspicious activity—such as a sudden spike in outbound traffic—generates a high-priority alert to our Security Operations team.

  • Immutable Audit Logs
    • All critical events—user logins, data exports, AI model executions, and administrative changes—are recorded in an append-only log. These logs are time-stamped, digitally signed, and retained for a rolling 12-month period for forensic analysis if needed.

  • Incident Response Plan
    • We maintain a documented, regularly tested incident response playbook. In the event of a suspected breach, our team follows a four-phase process: Detect, Contain, Eradicate, and Restore, with post-incident reviews to strengthen future defenses.

Compliance & Third-Party Standards
  • SOC-2 & ISO 27001 Alignment
    • Our overall security framework maps to SOC-2 Type II and ISO 27001 control families (Access Control, Change Management, Risk Assessment). While we are not a publicly audited service provider, our policies embody these standards: encrypted backups, documented security policies, regular risk assessments, and ongoing employee training.

  • Data Residency & Privacy
    • All customer data is stored in data centers within the United States. We do not transfer or store personal financial data outside these regions, helping you meet any industry-specific compliance requirements or local data residency laws.

  • Periodic Third-Party Penetration Tests
    • We engage an independent security firm annually to conduct external penetration tests. Findings are categorized by severity, and critical vulnerabilities are remediated within 48 hours.

Secure Development Lifecycle
  • Secure Coding Practices
    • Our engineering team follows an OWASP-informed checklist: input validation, output encoding, principle of least privilege, and proper session management. All code merges require a peer review that includes security sign-off before deployment.

  • Automated CI/CD Pipelines
    • Every code change runs through automated security and quality gates—static application security testing (SAST), dependency scanning, and unit/integration tests—before it ever reaches production.

  • Environment Hardening & Configuration Management
    • Production servers are hardened against unnecessary services. Configuration drift is minimized through infrastructure-as-code scripts, ensuring that every environment (Dev, QA, Prod) maintains consistent security baselines.

Best Practices for Users
  • Maintain Strong, Unique Passwords
    • We recommend using a password manager and enabling MFA on your user account to prevent unauthorized access.

  • Review User Roles Regularly
    • Periodically verify that only current employees or contractors hold administrative or elevated permissions.

  • Secure Your Own Devices
    • Logging in from a secure network (avoid public Wi-Fi), keeping operating systems and antivirus software up to date, and locking screens when away will help protect your credentials.

Your Data, Our Promise

Evellere Solutions is committed to maintaining the highest security standards without compromising usability. We continually review our controls, adopt emerging best practices, and engage experts to ensure your firm’s financial information remains protected—enabling you to focus on growing your business with confidence.