How Evermuse Keeps Your Research Data Private and Secure
Learn how we protect your research data with strong authentication, encryption, secure development practices, and privacy-by-design principles.
Security Team

At Evermuse, protecting your research data is a core product requirement—not an afterthought. We combine strong authentication, strict authorization, encrypted infrastructure, and a disciplined Secure SDLC to keep your information private and secure. For our formal policy, see the Evermuse Secure Development Policy.
Authentication and Session Security
- Federated sign-in: Secure Google and Microsoft sign-in, validated server‑side. We never trust client tokens alone.
- Token security: Access tokens are verified and refreshed server‑side; delivery is controlled via secure headers or HttpOnly cookies (with Secure and SameSite policies) depending on environment.
- Defense against CSRF/XSS: Cookie configuration and server validation reduce common web attack surfaces.
Authorization and Tenant Isolation
- Workspace‑level access control: Every sensitive request verifies that the authenticated user belongs to the workspace in question.
- Server‑enforced checks: Authorization runs on the server for consistency and to prevent client bypass.
Data Access: Backend‑Only via DAOs
- No direct client database access: All reads/writes happen strictly on the backend through dedicated DAOs, enabling auditability and consistency.
- Atomic operations: We use batched writes where appropriate to ensure data integrity across multi‑document changes.
Data Protection in Transit and at Rest
- Encryption everywhere: Data is encrypted at rest (managed by our cloud providers) and in transit (TLS) end‑to‑end.
- Time‑bound file access: Private files are delivered with short‑lived, signed URLs so access is limited and traceable.
- Scoped storage access: Storage rules require authentication for private paths, with minimal, intentional public surfaces (e.g., logos).
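The server-enforced workspace membership check (Authorization and Tenant Isolation) and the short-lived signed links for private files (Time-bound file access) combined in one added example; this is illustrative code, not Evermuse's implementation, and the signing key, membership table and host name are constructed placeholders:

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical signing key; a real service would load it from an environment variable.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed sample membership table: workspace id -> set of member user ids.
WORKSPACE_MEMBERS = {"ws_alpha": {"user_1", "user_2"}, "ws_beta": {"user_3"}}


def require_workspace_member(user_id: str, workspace_id: str) -> None:
    """Server-enforced tenant check: the caller must belong to the workspace."""
    if user_id not in WORKSPACE_MEMBERS.get(workspace_id, set()):
        raise PermissionError(f"{user_id} is not a member of {workspace_id}")


def _signature(workspace_id: str, path: str, exp: int) -> str:
    # The expiry is part of the signed message, so it cannot be extended by editing the URL.
    msg = f"{workspace_id}|{path}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_file_url(user_id: str, workspace_id: str, path: str,
                  ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Issue a short-lived signed URL for a private file, after the tenant check."""
    require_workspace_member(user_id, workspace_id)
    exp = int(time.time() if now is None else now) + ttl_seconds
    query = urlencode({"exp": exp, "sig": _signature(workspace_id, path, exp)})
    return f"https://files.example.invalid/{workspace_id}/{path}?{query}"


def verify_file_url(url: str, now: Optional[float] = None) -> bool:
    """Storage-side check: reject links that are tampered with, malformed, or expired."""
    parsed = urlparse(url)
    try:
        _, workspace_id, path = parsed.path.split("/", 2)
        query = parse_qs(parsed.query)
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(_signature(workspace_id, path, exp), sig):
        return False
    return (time.time() if now is None else now) <= exp
```

Passing `now` explicitly makes the expiry behaviour testable without waiting for real time to pass.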
Secrets and Configuration Management
- Environment‑based secrets: Credentials and API keys are never hardcoded; they’re provided securely via environment variables.
- Least privilege: Access is minimized to what’s necessary for each service and each tenant (workspace).
Auditing and Accountability
- Usage and activity logs: We log key workspace activities to support billing accuracy, operational debugging, and anomaly detection.
- Operational visibility: Structured logging helps us spot and respond to unusual patterns quickly.
Secure SDLC: Built‑in Security
- Clear roles and training: A Security Lead coordinates vulnerability intake and remediation; all team members receive secure‑development orientation and updates.
- Security requirements and threat modeling: We define security requirements early, review high‑risk areas (auth, APIs, storage), and iterate as features evolve.
- Code review, SAST, and SCA: Peer reviews and automated scanning during development; critical issues are remediated before release, others are tracked and scheduled.
- DAST on deployed apps: We test running systems with industry‑standard tools and fix issues quickly.
- Annual third‑party pentests: Independent experts validate our controls and help us improve.
Vulnerability and Incident Management
- Continuous scanning and patching: We proactively monitor dependencies and prioritize security updates.
- Incident response: We rapidly assess, contain, notify, and remediate, followed by post‑incident reviews to strengthen defenses.
Third‑Party Integrations
- Assessed providers: We evaluate the security posture of third‑party APIs and services before integration.
- Scoped data sharing and key hygiene: Only the minimum data is shared; all keys are managed securely via environment variables.
Privacy by Design
- Data classification and controls: Confidential data—such as transcripts and AI outputs—is guarded by authentication, tenant isolation, and short‑lived access links.
- Minimal data retention: We collect and retain only what’s needed to deliver product value.
Change Management and Continuous Improvement
- Version control and review: Significant changes are reviewed with security in mind and tracked via Git.
- Policy updates and learning: We regularly revisit our policies and implementations as best practices and threats evolve.
📄 Learn More
To learn more, read the Evermuse Secure Development Policy.