How we keep your data secure.
When you use Evatype, you trust us with access to your business systems and the data that flows through them. We take that seriously. This page describes how we protect your data, who can access it, and the controls we have in place. Questions? Email [email protected].
Last updated May 7, 2026
Built on infrastructure you already trust
Evatype runs on the same infrastructure that protects banks, governments, and the world's largest SaaS companies.
Our application servers and database run on AWS, which is audited against SOC 2, ISO 27001, PCI DSS, HIPAA, and FedRAMP. AWS powers the U.S. Department of Defense, Netflix, and most of the Fortune 500.
Cloudflare sits in front of every request, providing edge TLS, a web application firewall, and DDoS protection. Cloudflare is SOC 2 Type II and ISO 27001 certified and protects roughly 20% of the internet.
All payments are processed by Stripe. We never see or store your full card number. Stripe is certified PCI DSS Level 1, the strictest level of payments compliance.
Account security
Passwords are hashed with bcrypt and never stored or logged in plaintext. Sign-in is handled by the Devise library, which is the most widely audited authentication framework in the Ruby ecosystem.
You can enable two-factor authentication (TOTP) on your account. It works with any authenticator app (1Password, Authy, Google Authenticator, etc.) and gives you single-use backup codes in case you lose your device.
Sessions expire after a period of inactivity, and you can sign out of all sessions from your account settings.
Encryption in transit
All traffic to evatype.com is served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS, and we send HSTS headers so browsers refuse to connect over HTTP after a first visit.
Cloudflare sits in front of the application, terminating TLS at the edge with modern cipher suites and providing DDoS and WAF protection.
Encryption at rest
The database disk is encrypted at rest by our hosting provider. On top of that, we encrypt the most sensitive fields a second time at the application layer using Rails' built-in ActiveRecord encryption with AES-256-GCM:
- API credentials and OAuth tokens for every integration you connect (Webflow, Contentful, Google, and others)
- Refresh tokens and short-lived access tokens for connected accounts
The application-layer encryption keys are held outside the database so a database snapshot on its own cannot decrypt these fields.
Hosting
Production runs on Amazon Web Services (AWS) EC2 with PostgreSQL as the primary database. Database storage uses encrypted EBS volumes, and the database is reachable only from the application servers over a private network.
AWS's underlying infrastructure is independently audited against SOC 2, ISO 27001, PCI DSS, and other major security standards. Cloudflare sits in front of the application, providing edge TLS, DDoS mitigation, and a web application firewall.
Connecting your systems
We connect to your systems via OAuth2 wherever the provider supports it. You authenticate with the provider directly. We never see your password.
We request the minimum scopes needed to do the job you asked us to do. You can disconnect any system from your account settings at any time. When you do, tokens are revoked with the upstream provider and deleted from our database immediately.
AI processing
We generate content using frontier AI models from Anthropic (Claude), OpenAI (GPT), and Google (Gemini). All three are accessed through their official commercial APIs.
Under each provider's commercial terms, the prompts and responses we send on your behalf are not used to train their underlying models. Each provider retains data for a short window (typically 30 days) for abuse monitoring and then deletes it.
We do not sell, share, or repurpose your content. The only thing we do with it is generate output for your account and store it so you can review, edit, and publish.
Account isolation
Every record in Evatype (workflows, content, integrations, generated drafts) is scoped to a single account at the database level. Pundit authorization policies enforce this scope on every controller action so users from one account can never read or write data belonging to another.
Internal access
Production access is restricted to authorized personnel and gated by two-factor authentication on every upstream service (hosting, database, error tracking, and Anthropic).
Production credentials are stored in Rails' encrypted credentials file, decrypted only at runtime with a master key that is held outside the repository.
Logging and monitoring
Application errors and unhandled exceptions are reported to Sentry and Rollbar. Request parameters that look sensitive (passwords, tokens, OTP codes, names, emails, IP addresses) are filtered out of logs and error reports before they leave the server.
Server access logs are retained by the hosting provider. Cloudflare rate-limits suspicious traffic at the edge.
Backups
The PostgreSQL database is backed up every hour. Backups are stored in Cloudflare R2, a separate cloud provider from our application hosting (AWS), so a regional outage at either provider cannot take both the live database and its backups offline at the same time.
Backups are encrypted at rest by R2 and the bucket they live in is private, with access restricted to a small number of credentials held outside the application.
Compliance
Evatype is certified under the UK government's Cyber Essentials scheme, an annually renewed assurance that we meet the controls expected of a security-conscious modern business.
Evatype is operated by Pretty Graph Limited, registered with the UK Information Commissioner's Office as a data controller (registration ZA903155). You can verify the entry on the public ICO register.
Our handling of personal data is described in our Privacy Policy.
Reporting a security issue
If you believe you have found a security vulnerability in Evatype, please email [email protected]. We aim to acknowledge all reports within one business day and will keep you updated as we investigate and remediate.
Please do not publicly disclose the issue until we have had a chance to address it. We will credit researchers who report issues responsibly.
Questions about how we handle your data?
Email [email protected] and you'll hear back from the founder, not a ticket queue.