Security & Compliance Overview

This page is a security summary from the decision-maker's perspective. For technical detail, see Deploy · Defense in Depth.

6-Layer Defense at a Glance

┌──────────────────────────────────────────────┐
│  Layer 6 · Compliance  MLPS · GDPR · ISO 27001 │
├──────────────────────────────────────────────┤
│  Layer 5 · Audit       Tamper-proof logs       │
├──────────────────────────────────────────────┤
│  Layer 4 · Data        At-rest · field-level   │
├──────────────────────────────────────────────┤
│  Layer 3 · Access      RBAC + ACL              │
├──────────────────────────────────────────────┤
│  Layer 2 · Auth        SSO + email + strong PW │
├──────────────────────────────────────────────┤
│  Layer 1 · Network     HTTPS / TLS · DDoS      │
└──────────────────────────────────────────────┘

What Each Layer Does

Layer	Implementation	Owner
Network	End-to-end HTTPS / TLS 1.3 · DDoS protection · IP allowlist (optional)	SaaS: Evose · Private: Customer
Auth	SSO (LDAP / AD / OAuth) · Email login · Strong password policy	Shared
Access	RBAC (role) + ACL (resource) + workspace isolation + least privilege	Configured by customer admin
Data	AES-256 at rest · field-level credential encryption · workspace logical isolation (SaaS) / physical isolation (Private)	SaaS: Evose · Private: Customer
Audit	Full operation logs · tamper-proof · long retention · external SIEM integration	Provided by Evose
Compliance	Mapped to MLPS · GDPR · ISO 27001 control families	Shared

Data Ownership

Deployment	Where data lives	Who can access
SaaS	Evose platform, logical isolation + AES-256	Only your organization's members + necessary Evose ops staff (under NDA)
Private	Customer's own infrastructure	Only the customer's own personnel; Evose has no access to data

Credential Management

API keys, third-party account passwords, OAuth tokens, and other sensitive credentials:

Field-level encrypted storage
Visibility controlled by two-layer RBAC + ACL
Every use enters the audit log
Rotation and revocation supported

→ Credential Management

Compliance Support

MLPS (China's Multi-Level Protection Scheme)

Supports MLPS Level 2 and Level 3 requirements: identity authentication, access control, security audit, data integrity, and data confidentiality.

Data subject rights: access / rectification / erasure / portability
Records of processing: full audit trail
Data minimization: workspace isolation + field-level permissions
Data localization: private deployment can specify the data center

ISO 27001 (Information Security Management)

Control families covered: access control, cryptography, operations security, communications security, change management.

→ Full Compliance Checklist

Penetration Testing & Vulnerability Response

Third-party penetration testing: at least annually
Vulnerability disclosure: report privately via security@evose.ai
Response SLA: Critical 24h · High 72h · Medium 7d

Whose Compliance Requirements Fit

Industry	Deployments we've seen	Key compliance
Finance	Private	MLPS Level 3 · Data localization
Healthcare	Private	MLPS Level 3 · GDPR (cross-border) · HIPAA (U.S.)
Manufacturing	Both	ISO 27001 · Trade secret protection
Government & SOEs	Private	MLPS Level 3 and above
Internet	SaaS	GDPR · ISO 27001

Next Steps

Decision-makers → SaaS vs Private for concrete differences
IT / security leads → Deploy · 6-Layer Defense in Depth → Compliance Checklist
App builders → Credential Management · Resource Policy ACL

Security & Compliance Overview

On this page