Security overview
EverCurrent, Inc. (“EverCurrent”) builds an AI-native platform of record for hardware product organizations. Because our customers entrust us with proprietary designs, engineering records, and program knowledge, security and confidentiality are foundational to everything we build.
We take a defense-in-depth approach: multiple, independent layers of administrative, technical, and physical controls so that no single failure compromises customer data. Our program is designed around industry frameworks including SOC 2, and it is continuously monitored, independently audited, and reviewed by leadership.
- Least-privilege access to all systems and customer data.
- Encryption of data in transit and at rest by default.
- Continuous monitoring, logging, and automated alerting.
- Secure-by-design software development lifecycle.
- Independent third-party audits and penetration testing.
Compliance & certifications
We maintain a compliance program benchmarked against the frameworks that matter most to hardware and manufacturing organizations. Documentation is available to prospects and customers under NDA through our security team.
SOC 2 Type II
Independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Reports available under NDA.
ITAR
Access boundaries, US-person controls, and data-residency practices designed to support customers operating under ITAR obligations.
GDPR
Data Processing Agreements, lawful bases for processing, Standard Contractual Clauses, and support for data subject rights.
CCPA / CPRA
Consumer rights to access, delete, and opt out. We do not sell personal information.
To request our SOC 2 report, penetration test summary, or completed security questionnaire, contact security@evercurrent.ai.
Data encryption
All customer data is encrypted in transit and at rest using industry-standard, strong cryptography. Encryption keys are managed by our cloud providers’ managed key services with strict access controls and rotation.
In transit
- TLS 1.2+ for all client and API connections
- HSTS enforced across our web properties
- Encrypted service-to-service traffic within our network
At rest
- AES-256 encryption for databases and object storage
- Encrypted backups and snapshots
- Managed key services with rotation and access logging
Secrets, API tokens, and OAuth credentials are encrypted, stored in a dedicated secrets manager, and never committed to source control.
Infrastructure security
EverCurrent runs on enterprise-grade cloud infrastructure operated by Amazon Web Services (AWS), with data primarily hosted in the United States. We inherit the physical, environmental, and network security controls of these providers and layer our own controls on top.
- Network segmentation with private subnets and tightly scoped security groups.
- Firewalls and default-deny inbound rules; no direct public database access.
- Web Application Firewall and DDoS protection at the network edge.
- Infrastructure defined as code, peer-reviewed, and version-controlled.
- Isolated production, staging, and development environments.
- Centralized, tamper-resistant logging for infrastructure and application events.
Our providers maintain their own SOC 2, ISO 27001, and related certifications for the data centers and platforms we build on.
Access control
Access to systems and customer data is granted on a least-privilege, need-to-know basis and is reviewed regularly. Production access is limited to a small number of authorized personnel.
- Single sign-on (SSO) and mandatory multi-factor authentication (MFA) for internal systems.
- Role-based access control (RBAC) scoped to job responsibilities.
- Just-in-time and time-bound access for sensitive production operations.
- Periodic access reviews and prompt de-provisioning upon role change or offboarding.
- Encrypted OAuth tokens for third-party integrations; only minimum required scopes requested.
- All privileged actions are logged and monitored.
Secure development practices
Security is built into our software development lifecycle rather than added afterward. Every change is reviewed and tested before it reaches production.
- Mandatory peer code review for all changes to production code.
- Automated CI/CD pipelines with required checks before deployment.
- Static analysis (SAST) and dependency/vulnerability scanning on every build.
- Software composition analysis to detect vulnerable third-party packages.
- Secrets scanning to prevent credentials from entering source control.
- Separation of duties between development and production deployment.
- Secure coding guidelines aligned with OWASP best practices.
AI & data handling
EverCurrent uses AI to gather context, manage change, and surface risk. We are deliberate about how customer data interacts with AI systems.
- Customer data is not used to train foundation models operated by third-party providers.
- AI processing occurs only for the features you enable, and only on the data required.
- Enterprise agreements with model providers restrict retention and secondary use.
- Connecting an integration (e.g., Google) does not by itself send your data to AI providers.
- Data minimization: we send only the portions of data necessary for a given inference.
For full detail on data usage and third-party models, see our Privacy Policy.
Monitoring & vulnerability management
We continuously monitor our environment and proactively test our defenses to find and fix weaknesses before they can be exploited.
- Centralized logging and continuous monitoring with automated alerting.
- Regular internal vulnerability scanning of infrastructure and applications.
- Third-party penetration testing performed at least annually.
- Risk-based remediation SLAs prioritized by severity.
- Dependency and patch management to keep systems up to date.
Incident response
We maintain a documented incident response plan with clearly defined roles, communication paths, and escalation procedures. The plan is tested periodically so the team can respond quickly and effectively.
- Defined severity levels, on-call ownership, and escalation paths.
- Containment, eradication, and recovery procedures with post-incident review.
- Timely customer notification consistent with contractual and legal obligations.
- Root-cause analysis and corrective actions after material incidents.
To report a suspected security incident, email security@evercurrent.ai.
Availability & business continuity
EverCurrent is engineered for resilience so your teams can rely on it. We use redundant, highly available cloud infrastructure and maintain tested backup and recovery processes.
- Automated, encrypted backups with periodic restoration testing.
- Redundancy across availability zones to tolerate component failures.
- Documented business continuity and disaster recovery plans.
- Defined recovery objectives (RPO/RTO) aligned to service commitments.
People & vendor security
Strong technology is backed by strong practices for our people and the vendors we rely on.
- Background checks for employees where permitted by law.
- Confidentiality agreements for all personnel and contractors.
- Security and privacy awareness training at onboarding and annually.
- Managed, hardened endpoints with disk encryption and screen locks.
- Security review and due diligence of subprocessors and critical vendors.
- Data Processing Agreements in place with vendors handling customer data.
Data privacy & subprocessors
Privacy and security work together. We are transparent about the data we process, why we process it, and the subprocessors that help us deliver the service. We do not sell personal information.
- Data minimization and purpose limitation across the platform.
- Support for data subject access, correction, and deletion requests.
- Standard Contractual Clauses for international data transfers.
- A maintained list of subprocessors available on request.
See our Privacy Policy and Terms of Service for complete details.
Responsible disclosure
We welcome reports from security researchers and the community. If you believe you have found a vulnerability in an EverCurrent product or system, please report it responsibly and give us a reasonable opportunity to investigate and remediate before public disclosure.
Report vulnerabilities to security@evercurrent.ai. Please include enough detail to reproduce the issue. We commit to acknowledging valid reports and will not pursue action against good-faith research that respects user privacy and avoids service disruption.
Ownership & staying current
This Security page is owned and maintained by the EverCurrent Security & Compliance function, in partnership with Engineering and Legal. We review it regularly and after any material change to our practices, audits, or certifications so that it reflects our most recent posture.
Contact our security team
For security questionnaires, our SOC 2 report, penetration test summaries, DPAs, or the subprocessor list:
Email: security@evercurrent.ai
General inquiries: info@evercurrent.ai
EverCurrent, Inc. · 66 Franklin Street, Suite 300 · Oakland, California 94607
Last updated: July 6, 2026

