Global brands trust us to keep their sensitive data secure. This is not something we take lightly. With enterprise security features and regular audits of our applications and networks, we ensure customer and business data is always protected, enabling our customers to continue with their day-to-day business knowing that the information they trust us with is safe, secure and protected.
Certifications
Cyber Essentials PLUS Certified
Cyber Essentials Plus is a UK government-backed certification scheme that helps organizations demonstrate their operational security against common cyber attacks.
Cyber Essentials Plus includes all the requirements of Cyber Essentials, plus additional verification steps. These include a full network audit, a comprehensive vulnerability assessment, and internal and external penetration testing.
ISO27001:2013 Certified
EvaluAgent is ISO27001:2013 certified. ISO 27001 sets out a framework for all organisations to establish, implement, operate, monitor, review, maintain and continually improve an ISMS (information security management system).
Product Security
Audit Logs
EvaluAgent has a comprehensive audit feature that logs and stores every change, every action and every event, including the deletion of data, for easy auditing and root cause analysis.
Access to the Audit Log report is restricted to those users with appropriate permissions.
Multi-Factor Authentication
EvaluAgent customers can choose to use multi-factor authentication for access to their accounts, either by using SAML to integrate with their own identity management system or by having an email sent to the user during the login process so that they can confirm a 6-digit, one-time PIN.
EvaluAgent enforces multi-factor authentication on its employees for access to all systems containing customer and other sensitive data.
Role-Based Access Control (RBAC)
Use our built-in Role and Permissions editor to create fine-grained access controls to suit your requirements.
Physical Security
Locations
EvaluAgent leverages the Amazon Web Services network of data centers across the globe, including the Europe, USA and Australia regions. Customers can choose to locate their service data in a specific region.
Facilities & On-Site Security
EvaluAgent is hosted within the Amazon Web Services global infrastructure. Access to data centers is closely monitored by AWS Security Operations Centers. AWS continually watches for unauthorized entry, using video surveillance, intrusion detection and access log monitoring systems. Entrances are secured with devices that sound alarms if a door is forced or held open.
Monitoring
All of our production systems are monitored constantly. We use anomaly detection to alert us to anything that falls outside the normal state of operation. Production systems are only administered by EvaluAgent staff. Physical security, power and internet connectivity are monitored by our infrastructure provider, Amazon Web Services.
Network Security
Protection
Our network is protected by redundant firewalls, load balancers, secure HTTPS transport over public networks and regular audits by third party security experts.
Architecture
We implement multiple security zones in our network architecture. Sensitive systems, such as database servers, are protected in our most trusted zones. Other systems are housed in zones applicable to their sensitivity, risk and function.
Network Vulnerability Scanning
Network security scanning gives us in-depth insight into out-of-compliance and/or potentially vulnerable systems.
Third-party Penetration Tests
We perform internal testing in an automated and manual fashion. Bi-annually, EvaluAgent employs third-party security experts to perform a broad penetration test across the EvaluAgent production network and infrastructure.
Logical Access
Access to the EvaluAgent production network is restricted on a strict need-to-know basis, utilises least privilege, and is frequently audited and monitored. Employees accessing the EvaluAgent production network are required to use multiple factors of authentication.
Intrusion Detection and Prevention
All of our network ingress and egress is monitored 24/7, with automatic alerts set for any abnormal values and incidents that differ from our pre-defined thresholds.
Security Incident Response
Our employees are fully trained in our security response protocols including escalation paths and appropriate communication channels. In the case of a system alert, events are escalated to our teams providing operations, security and engineering support.
Encryption
Encryption at Rest
All customers of EvaluAgent benefit from the protections of encryption at rest, using AES-256 for storage of attachments held in Amazon S3 and data stored within our Amazon RDS instances.
Encryption in Transit
Communications between you and EvaluAgent servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails. We use a minimum of TLS 1.2.
Availability & Resilience
Uptime
EvaluAgent uses the latest technology and systems to monitor and report on information that includes system availability details, scheduled maintenance, service incident history and relevant security events.
Redundancy
EvaluAgent is deployed across multiple availability zones and multiple instances within each zone to eliminate single points of failure. Our strict backup procedures ensure Service Data is actively replicated across primary and secondary DR systems and facilities.
Disaster Recovery
Our Disaster Recovery program ensures that our services remain available or easily recoverable in the case of a disaster. We have built a redundant technical environment and have created Disaster Recovery plans which are regularly tested.
Security Training
Annually, our engineers participate in secure code training covering the OWASP Top 10 security flaws, common attack vectors and EvaluAgent security controls. Our engineers also attend conferences and training by third parties such as AWS on Security Best Practices.
Quality Assurance
As part of every release, our team reviews and tests our code base to identify, test and triage possible security vulnerabilities in the code. This is in addition to any third party testing and automated testing.
Separate Environments
Test and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.
Security Controls
EvaluAgent utilises framework security controls to limit exposure to OWASP Top 10 security flaws. These include controls that reduce our exposure to Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS) and SQL Injection, amongst others.
Application Vulnerabilities
Dynamic Vulnerability Scanning
We use a number of third-party, qualified security tools to continuously dynamically scan our applications against the OWASP Top 10 security flaws.
Static Code Analysis
The source code repositories for EvaluAgent are continuously scanned for security issues via our integrated static analysis tooling.
Security Penetration Testing
In addition to an extensive internal scanning and testing program, each quarter EvaluAgent employs third-party security experts to perform detailed penetration tests on our applications and infrastructure.
Product Security
Authentication Security
Configurable Password Policy
EvaluAgent provides the following levels of password security: low, medium and high, as well as allowing you to set custom password rules. Only users with the appropriate permission can change the password security level.
Secure Credential Storage
EvaluAgent follows security best practices for credential storage by never storing passwords in human-readable format, only as the result of a secure, salted, one-way hash.
API Security & Authentication
The EvaluAgent application and API are SSL-only and you must be an authenticated user to make API requests.
Additional Product Security Features
Access Privileges & Roles
Access to data within EvaluAgent is governed by access rights and can be configured to define granular access privileges. EvaluAgent provides a standard set of permissions to get you started, and you can fully customise and/or disable this initial set of permissions if required.
IP Restrictions
EvaluAgent can be configured to only allow access from specific IP address ranges you define.
Attachments
With EvaluAgent you can upload attachments to contacts, such as call recordings, email transcriptions, chat conversations etc. Users must be signed in to EvaluAgent and have the appropriate permissions set to allow access to attachments and a further permission to be able to upload attachments.
Transmission Security
All communications with EvaluAgent servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and EvaluAgent is secure during transit. Additionally for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
Email Signing (DKIM/DMARC)
EvaluAgent utilises DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails.
Sub-Processors
We have SCCs in place for all of our sub-processors. This list was last reviewed on 13th September 2024.
Provider Name | Purpose | Location
Amazon Web Services | Hosting Provider | Customers can choose between: Europe (Dublin), Australia (Sydney), USA (North Virginia)
Datadog | Monitoring of application performance, infrastructure and security purposes | Europe
Google Cloud | We use Google Cloud for the purposes of text redaction using their Data Loss Prevention service. | Europe
Microsoft Azure | Used to host on-premise, machine learning models using the Microsoft OpenAI Service. | Customers can choose between: UK, USA, Australia
Pendo | Pendo is a third-party analytics provider that EvaluAgent uses to capture how users interact with our services. EvaluAgent uses this information to analyse and improve our products. | Europe
Pusher | Provision of real-time messaging features that power our in-app notifications | UK, USA
Sentry | Provision of error-tracking software that monitors our application to spot “bugs”, which are then fixed by EvaluAgent’s engineering teams. This is essential to make sure that EvaluAgent services are running correctly and that we provide services of the required quality. For that purpose, we need to share the personal data generated in the EvaluAgent system and allow these tools to process them. |