# Compliance

MLPS · GDPR · ISO 27001 · industry compliance
Evose actively supports the following compliance frameworks.
## Framework Support Matrix
| Framework | Status | Additional measures under Private deployment |
|---|---|---|
| MLPS Level 2 | ✓ | — |
| MLPS Level 3 | ✓ | Data localization + physical isolation |
| GDPR | ✓ | Data center can be specified |
| ISO 27001 | ✓ | — |
| SOC 2 Type II | Roadmap | — |
| HIPAA | Path-ready (Private + setup) | Private only |
| PCI DSS | Path-ready (Private + setup) | Private only |
## MLPS (Multi-Level Protection Scheme)
For mainland China deployments.
### Level 2
| Control | Evose measure |
|---|---|
| Identity authentication | SSO + strong password + lockout |
| Access control | RBAC + ACL |
| Security audit | Full operation audit + tamper-proof |
| Data integrity | Encrypted transport · checksums |
| Data confidentiality | TLS · DB encryption |
### Level 3
In addition to Level 2:
| Control | Measure |
|---|---|
| Intrusion prevention | WAF · IDS / IPS |
| Malicious code | File-upload scanning |
| Centralized control | SIEM integration · alerting |
| Data backup | Cross-region DR + RPO/RTO drills |
## GDPR

### Six Key Compliance Areas
| Requirement | Evose implementation |
|---|---|
| Lawfulness | DPA (Data Processing Agreement) template provided |
| Data minimization | Only essential business fields are collected |
| Purpose limitation | Defined uses; no secondary processing |
| Data subject rights | Access / rectification / erasure / portability / restriction |
| Data security | Encryption + access control + audit |
| Data localization | Private deployment can specify the data center |
### Cross-Border Transfer

A cross-border transfer occurs only when a SaaS LLM is used. Recommended approaches:
- Pick vendors with EU nodes (Azure EU / Anthropic EU)
- Self-hosted models (no egress at all)
- Configure SCCs (Standard Contractual Clauses)
## ISO 27001

Control family mapping (partial):
| Family | Evose implementation |
|---|---|
| A.5 Security policy | Security policy + desktop policy |
| A.8 Asset management | Resource inventory + classification |
| A.9 Access control | RBAC + ACL + resource policy |
| A.10 Cryptography | TLS + AES-256 + field-level encryption |
| A.12 Operations security | Change management + backup + monitoring |
| A.13 Communications security | TLS · network segmentation |
| A.16 Incident management | Audit + vulnerability response SLA |
## HIPAA (U.S. Healthcare)

Under Private deployment:
- Data physically isolated (own GPU running Embedding / LLM)
- Full audit (who looked at which PHI)
- Encrypted transport + at-rest encryption
- BAA (Business Associate Agreement) template
## PCI DSS

Evose does not directly process card payments (SaaS billing is handled by professional payment gateways). If your business involves card data, we strongly recommend:
- Don't put card data in Agents / Workflows / knowledge bases
- Use a tool call to a licensed gateway (Stripe / UnionPay) so that the gateway tokenizes card data before it enters Evose
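One practical way to enforce the first recommendation is a pre-ingest guard that refuses (or redacts) content containing a Luhn-valid primary account number before it reaches an Agent, Workflow or knowledge base. The following is an added example, not Evose code and not an Evose API; the `guard_ingest` hook, its `mode` parameter and the sample text with well-known test card numbers are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN substring found in text (as written)."""
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask each Luhn-valid PAN, keeping only the last four digits."""
    count = 0

    def _mask(m: "re.Match[str]") -> str:
        nonlocal count
        if _is_pan(m.group(0)):
            count += 1
            return "[PAN-REDACTED ****" + _digits_only(m.group(0))[-4:] + "]"
        return m.group(0)

    return _PAN_CANDIDATE.sub(_mask, text), count


def guard_ingest(text: str, mode: str = "reject") -> Tuple[bool, str]:
    """Hypothetical pre-ingest hook.

    mode="reject": block the document entirely if any PAN is present.
    mode="redact": allow it through with PANs masked.
    Returns (allowed, text_to_store).
    """
    if mode == "redact":
        cleaned, _ = redact_pans(text)
        return True, cleaned
    if find_pans(text):
        return False, text
    return True, text


if __name__ == "__main__":
    # Constructed sample: one valid test card number and one 16-digit order id
    # that fails the Luhn check and must not be flagged.
    sample = "Customer paid with 4111 1111 1111 1111, order 1234567890123456."
    print(find_pans(sample))            # ['4111 1111 1111 1111']
    print(guard_ingest(sample))         # (False, ...): rejected
    print(guard_ingest(sample, "redact"))
```

The Luhn check keeps false positives down on ordinary 16-digit identifiers (order numbers, timestamps), but it is a detection aid rather than a substitute for the architectural fix: the gateway tokenization path above is what actually keeps card data out of scope.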
## Data Processing Agreement (DPA)

In SaaS mode, Evose is the Processor and you are the Controller. The following are provided:
- DPA template (signable)
- Sub-processor list (model vendors, CDN, monitoring)
- Cross-border SCCs (EU customers)
## Third-Party Audit
- Penetration testing report (annual)
- ISO 27001 certificate (estimated 2026 Q3)
- SOC 2 report (roadmap)
## Next Steps
- 6-layer defense → Defense in depth
- Data isolation → Data isolation