Security & compliance

Engineered for regulated medical work.

Compliance is not a checkbox — it's the substrate. Below is how Evarx handles your data, who can see what, and how you stay in control end to end.

Pillars

Six controls, applied everywhere.

Data residency

All Indian customers run in AWS Mumbai by default. VPC and on-prem options keep data fully under your control.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest with envelope encryption. Customer-managed keys (BYOK) supported.

PHI redaction

Automatic PHI detection at ingestion. Redacted variants used for retrieval; originals stay in your tenant.

Identity & access

SSO via SAML / OIDC. Fine-grained RBAC down to workflow nodes. Time-bound break-glass access.

Auditability

Every prompt, citation, and model output is logged with user, timestamp, and source span.

Threat & abuse

Prompt injection defenses, rate limiting, anomaly detection on agent outputs.

Data flow

How a request flows — and what never moves.

  1. Request

    User prompt + workflow context

  2. Redact

    PHI removed at the gateway

  3. Retrieve

    Hybrid index in your tenant

  4. Generate

    Engine you chose · in-region

  5. Log

    Trace + citations stored

No customer data is used to train shared base models. Ever. Custom fine-tunes use only your data, and the resulting weights are yours.

Compliance

The standards we map to.

We treat compliance as a continuously verified posture, not a poster on the wall.

  • DPDP Act 2023 — India data residency by default.
  • HIPAA-aligned controls (BAA available).
  • ISO 27001 — certification in progress (target: Q4 FY26).
  • SOC 2 Type II — under preparation.
  • Annual third-party penetration tests.
  • Documented incident response with 24-hour disclosure SLA.

Deployment options

  • Managed SaaS

    AWS Mumbai · single-tenant DB

  • Customer VPC

    Terraform-deployed into your AWS / Azure / GCP

  • On-prem · CPU

    Air-gappable Docker images for hospital networks

  • Hybrid

    Control plane SaaS + data plane in your perimeter

Need a security questionnaire response?

We respond to CAIQ, SIG, and HECVAT questionnaires within 5 business days.


Legal artifacts on request

  • Data Processing Agreement (DPA)
  • Business Associate Agreement (BAA)
  • Mutual NDA
  • Sub-processor list
  • Incident response policy
  • Vulnerability disclosure policy