Security is a core requirement for Evari, not an afterthought. Your data — including your clients' insurance information — is protected at every layer of the platform.
Encryption
- In transit — all data is encrypted using TLS 1.2 or higher
- At rest — all stored data is encrypted using AES-256
- Credentials — integration credentials and API keys are stored in an encrypted secrets vault, never in plain text
Data isolation
Each customer's data is fully isolated. Your documents, configurations, and transaction history are not accessible to any other organisation on the platform.
What data does an assistant access?
Assistants only access the data you explicitly authorise through integrations. For example, if your assistant reads email attachments, it only processes emails in the inbox you connect — it cannot access other email accounts or systems you have not authorised.
Assistants cannot escalate their own permissions.
Does Evari staff have access to my data?
Our engineering and support teams have access controls in place that limit who can access customer data and under what circumstances. Access is logged and audited. We do not access your data unless you explicitly request support that requires it.
Compliance
Evari maintains compliance with:
- GDPR — for customers in the EU and UK
- SOC 2 Type II — see "Is Evari SOC 2 compliant?" for details
- Australian Privacy Act — for Australian customers
Security concerns
If you discover a potential security vulnerability, please contact us at security@evari.tech. See our security disclosure policy for full details.
No. Evari does not use your documents, submissions, or any customer data to train AI models for other customers or for general model improvement.
What this means in practice
When your assistant processes a broker submission or policy document, that document is used only to complete the task at hand. It is not fed into any training pipeline. It is not shared with any other organisation. It is not used to improve the underlying AI model.
Underlying model providers
The Evari platform uses AI models from leading providers (including Anthropic and others) to power assistant reasoning. These providers have contractual commitments that data processed via their enterprise APIs is not used for model training. We only use enterprise API agreements, not consumer-grade access.
Your data belongs to you
All data you bring to the platform — documents, configurations, transaction history — belongs to you. We process it on your behalf. When you cancel, your data is retained for 30 days and then deleted unless you request earlier deletion.
Audit trail
All data access by assistants is logged. You can request a full access log for your account at any time by contacting your account manager.
Is Evari SOC 2 compliant?
Yes. Evari maintains SOC 2 Type II compliance. This means an independent auditor has assessed our security controls against the Trust Services Criteria — covering security, availability, and confidentiality — and confirmed they operate effectively over time.
What SOC 2 Type II means
SOC 2 Type II is a third-party audit of how a company manages data security. Unlike SOC 2 Type I (which is a point-in-time snapshot), Type II assesses controls over a period of at least six months, confirming they are consistently applied.
Requesting the report
Our SOC 2 report is available to customers and prospective customers under NDA. If you need a copy for your own compliance review, contact your account manager or email security@evari.tech.
Insurance industry context
Many insurance brokers and MGAs operate under regulatory oversight from APRA, FCA, or ASIC, which increasingly require evidence of supply chain security controls. Our SOC 2 Type II report is designed to support your own compliance obligations.
If you have specific questions about how Evari's security posture meets your regulatory requirements, contact us and we will arrange a technical discussion.
Other compliance frameworks
In addition to SOC 2, Evari complies with:
- GDPR (EU and UK customers)
- Australian Privacy Act (Australian customers)
We are actively working toward additional certifications as our customer base expands to new markets.
By default, data is processed and stored in the region closest to your organisation to minimise latency and meet local data residency expectations.
Default regions
- Australian and New Zealand customers — data is stored in Australia (AWS ap-southeast-2)
- UK customers — data is stored in the UK (AWS eu-west-2)
- US customers — data is stored in the United States (AWS us-east-1)
What "data" means here
Data residency applies to:
- Documents processed by your assistants (submissions, PDFs, emails, attachments)
- Your assistant configurations and workflow rules
- Transaction logs and audit trails
- Integration credentials (stored encrypted)
AI model inference (the actual reasoning step) may use compute in a different region depending on the model provider. This is standard for cloud AI services and does not result in persistent data storage outside your home region.
Custom data residency
If you have specific data residency requirements — for example, needing all data to remain within the EU or within Australia — contact your account manager before signing up. We can confirm whether your requirements can be met and, for enterprise customers, discuss dedicated infrastructure options.
Regulatory context
Australian customers subject to the Privacy Act and APRA CPS 234 requirements should note that our default Australian data residency is designed with these obligations in mind. If you have a specific compliance question, contact security@evari.tech.