Skip to content
Evalgist
Evalgist

Security

Security at Evalgist

Evalgist combines company-wide operational controls with product-specific safeguards. This page describes controls that are currently in use. It does not claim a certification or independent audit of Evalgist.

Shared account and operational controls

Clerk handles authentication and sessions for the shared Evalgist account. Clerk states in its Data Processing Addendum that personal data is strongly encrypted in transit and at rest.

Evalgist uses 1Password Business as the canonical source for owned credentials. Deployment platforms receive credentials only where required to operate a service. Repository dependencies are installed with a seven-day release-age quarantine, an explicit install-script allowlist, and package-store integrity checks.

Product analytics use PostHog's EU endpoint and carry typed workflow metadata only, not file bytes, extracted resume text, or candidate personal data. Error monitoring uses Sentry's EU endpoint, with Session Replay disabled.

Evalgist Shortlist controls

Shortlist product data is stored in a dedicated Supabase project in AWS eu-west-1 (Ireland). Supabase states that hosted data is encrypted at rest and in transit. User-scoped tables use Postgres Row Level Security policies tied to the authenticated account. Explicit administrative access is handled separately.

Storage residency and AI processing are separate. Analysis uses Anthropic models, and scanned PDFs may use Mistral OCR. Both are routed through OpenRouter with zero-data-retention routing enabled. AI processing is not described as EU-only.

Extracted resume text is deleted after analysis. Original uploaded files are retained for a 14-day recovery window and then deleted automatically. Evidence-backed results and evidence quotes remain until the customer deletes the relevant shortlist or account.

The current provider list, processing purposes, locations, and residency statements are published in the Subprocessors register. Product roles and retention are described in the Shortlist Privacy Policy and Data Processing Agreement.

Report a vulnerability

Send suspected security vulnerabilities to security@evalgist.ai. Include the affected product or URL, reproduction steps, likely impact, and supporting evidence. Do not include candidate documents, credentials, or more personal data than the report requires.

We review reports privately and coordinate investigation and remediation with affected providers where necessary. We do not publish a response deadline, remediation deadline, safe-harbour programme, or bug-bounty commitment.