Procurement & Vendor Diligence Packet
Last updated: June 2026 · Version 1.0 · For prospective enterprise customers
This page consolidates what an enterprise procurement, information-security, and legal team needs to evaluate EVE AI Core as a vendor: a pre-answered security questionnaire, our sub-processor list, the data-flow architecture, compliance mappings, contract documents, and a step-by-step onboarding checklist. Where a control or certification is not yet in place, this page says so plainly.
How to use this packet
Most diligence questions are answered inline below. For artifacts that we share under NDA — the named sub-processor list, our most recent third-party reports as they become available, penetration-test summaries, and a countersigned MSA/DPA — email [email protected] (commercial) or [email protected] (security). We can typically return a completed CAIQ/SIG-lite within five business days.
1. Vendor & entity facts
2. Documents in this packet
The following are published and linkable today. Negotiated or NDA-gated documents are noted.
3. Security questionnaire (pre-answered)
Answers reflect EVE AI Core's current posture. Certifications still in progress are labeled honestly — we do not represent a control as achieved until it is.
Data protection
| Control | Status | Detail |
|---|---|---|
| Encryption in transit | In place | TLS 1.2+/1.3 for all client and inter-service traffic. |
| Encryption at rest | In place | AES-256 for stored data, including audit-log persistence. |
| Tenant isolation | In place | Per-tenant governance state and audit chains; isolation enforced at the application and data layers. |
| Data residency | In place | Primary hosting in the United States. Customer VPC, Private Cloud, and On-Prem deployments keep data in the customer's chosen region/boundary. |
| Data deletion / right to erasure | In place | Customer-initiated deletion across memory layers; HMAC-signed, hash-chained deletion receipts evidence erasure. |
Access & identity
| Control | Status | Detail |
|---|---|---|
| Authentication | In place | JWT-based sessions; scoped API keys for programmatic access. |
| Multi-factor authentication | In place | TOTP-based MFA available for accounts; recommended for administrative access. |
| Role-based access control | In place | Five roles (Viewer, Operator, Approver, Admin, Platform Admin) with least-privilege enforcement and tenant scoping. |
| Secrets management | In place | Managed secrets store; no reliance on environment defaults for production secrets. |
| Audit logging | In place | Tamper-evident, hash-chained, cryptographically signed (HMAC / Ed25519) decision and administrative event records; 7-year retention available. |
Operations & resilience
| Control | Status | Detail |
|---|---|---|
| Backups & recovery | In place | Automated backups with documented rotation; restoration procedures maintained. |
| Monitoring & alerting | In place | Uptime, latency, and error monitoring; customer-visible status at /status. |
| Incident response | In place | Documented incident-response process; severity classification (P1–P4) defined in the SLA. |
| Breach notification | In place | Notification without undue delay and within 72 hours of becoming aware (see DPA §9). |
| Vulnerability disclosure | In place | Coordinated disclosure to [email protected]. |
| Independent penetration testing | On request / scheduled | Summaries shared under NDA as they are completed; scope and cadence discussed during diligence. |
Certifications & attestations
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | In progress | Controls aligned; attestation not yet issued. We will not represent it as complete until the report exists. |
| ISO/IEC 27001 | Planned | On the compliance roadmap; not yet initiated for certification. |
| GDPR / UK GDPR | Addressed | Processor terms, SCCs, and breach process in the DPA. |
| CCPA / CPRA | Addressed | Covered by the DPA and Privacy Policy. |
Honest status: SOC 2 Type II is in progress and ISO 27001 is planned. If your procurement gate requires a completed attestation today, tell us — we will scope a path and timeline rather than overstate readiness.
4. Sub-processors
EVE engages a limited set of sub-processors to operate the Services. Categories and regions are below; an up-to-date named list is available under NDA on request. Optional third-party LLM providers act as sub-processors only for requests the customer elects to route to them (or where the customer supplies its own keys).
| Category | Purpose | Region |
|---|---|---|
| Cloud infrastructure / hosting | Compute, storage, and network hosting | United States |
| Managed data stores | Operational databases, caching, audit-log persistence | United States |
| Transactional email / notifications | Account, security, and billing notifications | United States |
| Payment processing | Subscription billing and invoicing | United States |
| Error monitoring / observability | Service reliability and incident response | United States |
Source of truth: DPA §6. Named list on request at [email protected].
5. Data flow & architecture
EVE is a deterministic governance control plane: a proposed action is evaluated against versioned policy before execution, a signed decision-evidence record is produced, and that record is appended to a tenant-bound, hash-chained audit log. The full visual data-flow diagram — including where customer data enters, what is and isn't retained, and how evidence is generated — is on the Architecture & Data Flow page.
- Inputs: the proposed action plus the decision context fields the customer chooses to send. The customer controls field minimization.
- Governance: deterministic pre-execution evaluation against the customer's policy version (e.g. lending_v1), returning ALLOWED / BLOCKED / MODIFIED.
- Evidence: a signed Decision Certificate bound to the policy version and tenant, independently verifiable offline at /verify and /agent-proof.
- Retention: tamper-evident audit chain; retention configurable up to 7 years; deletion produces signed receipts.
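The evaluate, sign, append and verify flow described in this section, together with the hash-chained and HMAC-signed records the section 3 questionnaire refers to (audit logging, deletion receipts), as an added Python example that is not EVE's code. The lending_v1 rules, the tenant id, the signing key and every event payload are constructed for illustration; the page's Ed25519 option is replaced by HMAC-SHA256 so the example runs on the standard library alone.

```python
# Added example (not EVE's code): a tenant-bound, hash-chained, HMAC-signed
# audit log of policy decisions, with offline verification and deletion receipts.
# The lending_v1 rules, tenant ids, key and payloads below are all constructed.
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

GENESIS_HASH = "0" * 64

# Constructed toy policy registry; a real control plane versions these.
POLICIES = {"lending_v1": {"max_amount": 50_000, "redact_fields": ["ssn"]}}


def canonical(obj: Any) -> bytes:
    """Deterministic JSON encoding so hashes are stable across verifiers."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def evaluate_action(policy_version: str, action: Dict[str, Any]) -> Dict[str, Any]:
    """Deterministic pre-execution check returning ALLOWED, BLOCKED or MODIFIED."""
    policy = POLICIES[policy_version]
    if action.get("amount", 0) > policy["max_amount"]:
        return {"decision": "BLOCKED", "reason": "amount exceeds policy cap"}
    stripped = [f for f in policy["redact_fields"] if f in action]
    if stripped:  # field minimization: strip what the policy forbids, then allow
        modified = {k: v for k, v in action.items() if k not in stripped}
        return {"decision": "MODIFIED", "action": modified, "stripped": stripped}
    return {"decision": "ALLOWED", "action": action}


class AuditChain:
    """Append-only log; every entry back-links to the previous hash and is HMAC-signed."""

    def __init__(self, tenant_id: str, signing_key: bytes):
        self.tenant_id = tenant_id
        self.key = signing_key
        self.entries: List[Dict[str, Any]] = []

    def append(self, kind: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "tenant_id": self.tenant_id,
                "prev_hash": prev_hash, "kind": kind, "payload": payload}
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        sig = hmac.new(self.key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, entry_hash=entry_hash, sig=sig)
        self.entries.append(entry)
        return entry

    def record_decision(self, policy_version: str, action: Dict[str, Any]) -> Dict[str, Any]:
        """Evaluate, then append a Decision Certificate bound to policy version and tenant."""
        result = evaluate_action(policy_version, action)
        return self.append("decision", dict(result, policy_version=policy_version))

    def record_deletion(self, subject_id: str, layers: List[str]) -> Dict[str, Any]:
        """Signed deletion receipt evidencing erasure across the named memory layers."""
        return self.append("deletion_receipt", {"subject_id": subject_id, "layers": layers})


def verify_chain(entries: List[Dict[str, Any]], signing_key: bytes, tenant_id: str) -> Tuple[bool, str]:
    """Offline verification: sequence, tenant binding, back-links, content hashes, HMACs."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        body = {k: e[k] for k in ("seq", "tenant_id", "prev_hash", "kind", "payload")}
        if e["seq"] != i:
            return False, f"sequence gap at entry {i}"
        if e["tenant_id"] != tenant_id:
            return False, f"entry {i} bound to another tenant"
        if e["prev_hash"] != prev_hash:
            return False, f"broken back-link at entry {i}"
        if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
            return False, f"content hash mismatch at entry {i}"
        expected_sig = hmac.new(signing_key, e["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, e["sig"]):
            return False, f"bad signature at entry {i}"
        prev_hash = e["entry_hash"]
    return True, f"{len(entries)} entries verified"


def demo() -> Dict[str, Any]:
    """Builds a small chain, verifies it, then shows that editing one record is detected."""
    key = b"constructed-tenant-key-not-a-real-secret"
    chain = AuditChain("tenant-a", key)
    chain.record_decision("lending_v1", {"type": "loan", "amount": 20_000})
    chain.record_decision("lending_v1", {"type": "loan", "amount": 90_000})
    chain.record_decision("lending_v1", {"type": "loan", "amount": 5_000, "ssn": "000-00-0000"})
    chain.record_deletion("customer-42", ["session", "long_term"])
    ok_before, _ = verify_chain(chain.entries, key, "tenant-a")
    tampered = copy.deepcopy(chain.entries)
    tampered[1]["payload"]["decision"] = "ALLOWED"  # quietly flip a BLOCKED decision
    ok_after, reason = verify_chain(tampered, key, "tenant-a")
    return {"decisions": [e["payload"]["decision"] for e in chain.entries[:3]],
            "valid": ok_before, "tampered_valid": ok_after, "tamper_reason": reason}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier is the part a customer would run on exported entries without access to the service. Because this example signs with HMAC, the verifier must hold the same key as the signer; a public-key signature such as the Ed25519 option the questionnaire lists lets an auditor verify with only the public key, which is the property to ask for when evidence has to be checked by a party that should never be able to forge it.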
6. Compliance mappings
EVE produces the evidence and controls that map to common regulatory obligations. These are mappings to obligations, not legal advice or a certification of compliance for your specific program.
7. Vendor onboarding checklist
A typical path from first diligence to production:
- Intake & NDA — mutual NDA so we can share named sub-processors, test summaries, and draft contracts.
- Security review — we return a completed CAIQ/SIG-lite and answer your questionnaire; security team reviews this packet, the Security Overview, and Architecture.
- Legal review — redline the MSA, DPA, and SLA; agree liability, residency, and term.
- Deployment decision — choose SaaS, Customer VPC, Private Cloud, or On-Prem (see deployment models) based on data-residency and isolation needs.
- Pilot — scope one real workflow via the Design Partner Program; produce live signed evidence on your data.
- Production — countersign, provision, and roll out with agreed SLAs and support.
Start diligence
Send your security questionnaire or procurement requirements to [email protected], or reach the security team directly at [email protected]. Prefer to evaluate hands-on first? Begin with the Design Partner Program or request a demo.