Security & Compliance
Built to the standards UK venues require
We take tenant isolation seriously, ensuring that every operational environment remains strictly segregated and secure. Our platform is engineered to meet the highest standards of UK and EU data protection, providing the transparency and rigour required by major venues and insurers.
Data Residency
All customer data is hosted and processed exclusively within the AWS London region (eu-west-2). We maintain strict data sovereignty with no cross-border transfers to third countries, ensuring compliance with local regulatory requirements.
Backup Schedule
Daily encrypted
Retention Policy
30-day window
Capacity · 9 / 12 zones active
How we protect your data
Tenant isolation
Server-derived tenant ID on every query. Complete data segregation at the persistence layer.
Encryption
AES-256 at rest using AWS KMS, and TLS 1.3 in transit with perfect forward secrecy.
Append-only audit log
Every state change immutable; anonymise sensitive data, never delete audit records.
Multi-factor authentication
TOTP MFA mandatory for all administrative access. Single Sign-On (SSO) integration available.
Role-based access control
Explicit @Roles on every endpoint. Principle of least privilege enforced across the stack.
Photo handling
Direct-to-S3 presigned URLs for upload. EXIF data automatically stripped for privacy.
EvoPoint is registered with the Information Commissioner's Office (ICO) under registration number ZA123456. Our Data Protection Agreement (DPA) is available upon request for all enterprise customers.
We undergo annual independent security audits. Our SOC 2 Type II report is currently in the observation phase, with the final report expected in Q3 2026.
Report a vulnerability
If you believe you've discovered a security vulnerability in our platform, please contact us at security@evopoint.com.
Download PGP public key