Enterprise-Grade Protection

Security you can build your hiring on

eVA Agent is built with security as a first-class requirement, not an afterthought. Your candidate data is protected at every layer.

Last reviewed: May 2025

Certifications & Compliance

ISO 27001 Certified
Our information security management system meets international standards for data protection and risk management.
GDPR Compliant
Full compliance with EU General Data Protection Regulation: lawful processing, data minimisation, and rights fulfilment.
SOC 2 Ready
Our controls align with SOC 2 Type II requirements across security, availability, and confidentiality trust principles.
99.9% Uptime SLA
Contractual uptime guarantees backed by redundant infrastructure, automatic failover, and 24/7 monitoring.

Data Encryption

All data processed by eVA Agent is encrypted both in transit and at rest:

  • In transit: TLS 1.2+ enforced across all API endpoints, dashboard connections, and webhook deliveries. No HTTP connections are permitted.
  • At rest: AES-256 encryption is applied to all stored candidate data, interview recordings, and assessment results.
  • Database: Encrypted at the storage layer with separate key management, rotated on a defined schedule.
  • Backups: All backups are encrypted using the same standards as primary data and stored in geographically separate regions.

Infrastructure & Hosting

eVA Agent runs on enterprise-grade cloud infrastructure with the following security controls in place:

  • Hosted on AWS with data residency in India (ap-south-1) for Indian clients
  • Virtual Private Cloud (VPC) isolation for all production services
  • Web Application Firewall (WAF) protecting all public-facing endpoints
  • DDoS protection active at the network and application layer
  • Automated vulnerability scanning on every deployment
  • Intrusion detection and real-time alerting on anomalous behaviour

Access Controls

We follow the principle of least privilege across all internal systems and customer-facing interfaces:

  • Role-based access control (RBAC) with granular permission levels for all customer accounts
  • Multi-factor authentication (MFA) required for all staff with access to production systems
  • Single Sign-On (SSO) support for enterprise customers via SAML 2.0 and OAuth 2.0
  • All internal access is logged and audited with 90-day log retention
  • Privileged access management (PAM) for infrastructure-level operations

Data Retention & Deletion

We retain candidate data only for as long as required to provide the service and meet legal obligations:

  • Active candidate records are retained for the duration of your subscription plus 90 days
  • Interview recordings are retained for 12 months unless you specify a shorter period
  • On account termination, all data is purged within 30 days upon written request
  • Candidates can request deletion of their own data at any time via our data subject request process

Vulnerability Disclosure

We take security reports seriously and ask that any suspected vulnerabilities are disclosed responsibly. If you believe you have found a security issue in eVA Agent, please contact us at security@helopep.com before public disclosure. We aim to respond within 48 hours and will work with you on a coordinated disclosure timeline.

For security inquiries, contact security@helopep.com. For general data protection questions, contact privacy@helopep.com.