New whitepaper: The $10M Mistake Hidden in Your Traceability Matrix

Read now
EverCurrent
Trust Center

Security at EverCurrent

Hardware teams trust EverCurrent with sensitive engineering data, designs, and program knowledge. This page details how we protect your data and systems, the certifications we hold, and the practices that keep them current.

AICPA SOC 2 Type IIITAR Compliant

Last updated: July 6, 2026

SOC 2 Type II

Independently audited controls across security, availability, and confidentiality.

ITAR aligned

Controls and access boundaries designed to support ITAR-regulated hardware programs.

Encrypted everywhere

TLS 1.2+ in transit and AES-256 at rest across all customer data stores.

GDPR & CCPA

Privacy-by-design practices with DPAs, data subject rights, and regional safeguards.

Security overview

EverCurrent, Inc. (“EverCurrent”) builds an AI-native platform of record for hardware product organizations. Because our customers entrust us with proprietary designs, engineering records, and program knowledge, security and confidentiality are foundational to everything we build.

We take a defense-in-depth approach: multiple, independent layers of administrative, technical, and physical controls so that no single failure compromises customer data. Our program is designed around industry frameworks including SOC 2, and it is continuously monitored, independently audited, and reviewed by leadership.

  • Least-privilege access to all systems and customer data.
  • Encryption of data in transit and at rest by default.
  • Continuous monitoring, logging, and automated alerting.
  • Secure-by-design software development lifecycle.
  • Independent third-party audits and penetration testing.

Compliance & certifications

We maintain a compliance program benchmarked against the frameworks that matter most to hardware and manufacturing organizations. Documentation is available to prospects and customers under NDA through our security team.

SOC 2 Type II

Independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Reports available under NDA.

ITAR

Access boundaries, US-person controls, and data-residency practices designed to support customers operating under ITAR obligations.

GDPR

Data Processing Agreements, lawful bases for processing, Standard Contractual Clauses, and support for data subject rights.

CCPA / CPRA

Consumer rights to access, delete, and opt out. We do not sell personal information.

To request our SOC 2 report, penetration test summary, or completed security questionnaire, contact security@evercurrent.ai.

Data encryption

All customer data is encrypted in transit and at rest using industry-standard, strong cryptography. Encryption keys are managed by our cloud providers’ managed key services with strict access controls and rotation.

In transit

  • TLS 1.2+ for all client and API connections
  • HSTS enforced across our web properties
  • Encrypted service-to-service traffic within our network

At rest

  • AES-256 encryption for databases and object storage
  • Encrypted backups and snapshots
  • Managed key services with rotation and access logging

Secrets, API tokens, and OAuth credentials are encrypted, stored in a dedicated secrets manager, and never committed to source control.

Infrastructure security

EverCurrent runs on enterprise-grade cloud infrastructure operated by Amazon Web Services (AWS), with data primarily hosted in the United States. We inherit the physical, environmental, and network security controls of these providers and layer our own controls on top.

  • Network segmentation with private subnets and tightly scoped security groups.
  • Firewalls and default-deny inbound rules; no direct public database access.
  • Web Application Firewall and DDoS protection at the network edge.
  • Infrastructure defined as code, peer-reviewed, and version-controlled.
  • Isolated production, staging, and development environments.
  • Centralized, tamper-resistant logging for infrastructure and application events.

Our providers maintain their own SOC 2, ISO 27001, and related certifications for the data centers and platforms we build on.

Access control

Access to systems and customer data is granted on a least-privilege, need-to-know basis and is reviewed regularly. Production access is limited to a small number of authorized personnel.

  • Single sign-on (SSO) and mandatory multi-factor authentication (MFA) for internal systems.
  • Role-based access control (RBAC) scoped to job responsibilities.
  • Just-in-time and time-bound access for sensitive production operations.
  • Periodic access reviews and prompt de-provisioning upon role change or offboarding.
  • Encrypted OAuth tokens for third-party integrations; only minimum required scopes requested.
  • All privileged actions are logged and monitored.

Secure development practices

Security is built into our software development lifecycle rather than added afterward. Every change is reviewed and tested before it reaches production.

  • Mandatory peer code review for all changes to production code.
  • Automated CI/CD pipelines with required checks before deployment.
  • Static analysis (SAST) and dependency/vulnerability scanning on every build.
  • Software composition analysis to detect vulnerable third-party packages.
  • Secrets scanning to prevent credentials from entering source control.
  • Separation of duties between development and production deployment.
  • Secure coding guidelines aligned with OWASP best practices.

AI & data handling

EverCurrent uses AI to gather context, manage change, and surface risk. We are deliberate about how customer data interacts with AI systems.

  • Customer data is not used to train foundation models operated by third-party providers.
  • AI processing occurs only for the features you enable, and only on the data required.
  • Enterprise agreements with model providers restrict retention and secondary use.
  • Connecting an integration (e.g., Google) does not by itself send your data to AI providers.
  • Data minimization: we send only the portions of data necessary for a given inference.

For full detail on data usage and third-party models, see our Privacy Policy.

Monitoring & vulnerability management

We continuously monitor our environment and proactively test our defenses to find and fix weaknesses before they can be exploited.

  • Centralized logging and continuous monitoring with automated alerting.
  • Regular internal vulnerability scanning of infrastructure and applications.
  • Third-party penetration testing performed at least annually.
  • Risk-based remediation SLAs prioritized by severity.
  • Dependency and patch management to keep systems up to date.

Incident response

We maintain a documented incident response plan with clearly defined roles, communication paths, and escalation procedures. The plan is tested periodically so the team can respond quickly and effectively.

  • Defined severity levels, on-call ownership, and escalation paths.
  • Containment, eradication, and recovery procedures with post-incident review.
  • Timely customer notification consistent with contractual and legal obligations.
  • Root-cause analysis and corrective actions after material incidents.

To report a suspected security incident, email security@evercurrent.ai.

Availability & business continuity

EverCurrent is engineered for resilience so your teams can rely on it. We use redundant, highly available cloud infrastructure and maintain tested backup and recovery processes.

  • Automated, encrypted backups with periodic restoration testing.
  • Redundancy across availability zones to tolerate component failures.
  • Documented business continuity and disaster recovery plans.
  • Defined recovery objectives (RPO/RTO) aligned to service commitments.

People & vendor security

Strong technology is backed by strong practices for our people and the vendors we rely on.

  • Background checks for employees where permitted by law.
  • Confidentiality agreements for all personnel and contractors.
  • Security and privacy awareness training at onboarding and annually.
  • Managed, hardened endpoints with disk encryption and screen locks.
  • Security review and due diligence of subprocessors and critical vendors.
  • Data Processing Agreements in place with vendors handling customer data.

Data privacy & subprocessors

Privacy and security work together. We are transparent about the data we process, why we process it, and the subprocessors that help us deliver the service. We do not sell personal information.

  • Data minimization and purpose limitation across the platform.
  • Support for data subject access, correction, and deletion requests.
  • Standard Contractual Clauses for international data transfers.
  • A maintained list of subprocessors available on request.

See our Privacy Policy and Terms of Service for complete details.

Responsible disclosure

We welcome reports from security researchers and the community. If you believe you have found a vulnerability in an EverCurrent product or system, please report it responsibly and give us a reasonable opportunity to investigate and remediate before public disclosure.

Report vulnerabilities to security@evercurrent.ai. Please include enough detail to reproduce the issue. We commit to acknowledging valid reports and will not pursue action against good-faith research that respects user privacy and avoids service disruption.

Ownership & staying current

This Security page is owned and maintained by the EverCurrent Security & Compliance function, in partnership with Engineering and Legal. We review it regularly and after any material change to our practices, audits, or certifications so that it reflects our most recent posture.

Contact our security team

For security questionnaires, our SOC 2 report, penetration test summaries, DPAs, or the subprocessor list:

Email: security@evercurrent.ai

General inquiries: info@evercurrent.ai

EverCurrent, Inc. · 66 Franklin Street, Suite 300 · Oakland, California 94607

Last updated: July 6, 2026