Everything your IT department will ask. Answered upfront.
This page exists so you don't have to forward seventeen emails to get procurement sign-off. We provide structured technical evidence for every security claim.
Your IP is never used to train a model. Processing is ephemeral.
Documents uploaded to evidion are analyzed within an isolated inference pipeline and deleted after the session. We have a contractual Zero-Training Policy — your engineering documents cannot be used to retrain any foundational model, including the underlying models we build on.
Your data never leaves the EU. All processing runs on Azure.
All document storage and processing runs on Azure West Europe. AI inference operates under Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). If your organization requires a different EU region or a dedicated private cloud environment, that is a deployment option we can scope together.
The AI drafts. Your engineer approves. Full audit trail.
Every output evidion generates is marked as AI-generated and requires explicit engineer sign-off before it becomes a deliverable. The activity log records who uploaded which document, when generation was triggered, and who approved the output. In a certification audit, the trail shows human accountability at every decision point — because that is the only legally defensible model in your industry.
Shared Responsibility Model
evidion runs on a shared responsibility model. This is not unique to us — it is the same model that governs how Airbus, Rolls-Royce, and every major aerospace supplier uses cloud infrastructure. The principle is straightforward: GCP and Azure own the physical and network layer. evidion owns the application and data layer. You own your documents and your sign-off.
| Layer | What this covers | Owner |
|---|---|---|
| Physical infrastructure | Data centers, hardware, power, physical access | [GCP / AZURE] |
| Network security | DDoS mitigation, firewall rules, VPC isolation | [GCP / AZURE] |
| Platform & runtime | OS patching, container security, hypervisor | [GCP / AZURE] |
| Application security | Authentication, access control, code security, prompt injection defense | [EVIDION] |
| Data encryption | Encryption in transit (TLS 1.3) and at rest (AES-256), customer-scoped keys | [EVIDION + CLOUD] |
| AI model & outputs | Prompt security, output validation, zero-training enforcement | [EVIDION] |
| Your documents & IP | What you upload, internal user access management, upload compliance | [CLIENT / YOU] |
| Compliance sign-off | Internal audit, certification submission, regulatory approval | [CLIENT / YOU] |
Practical implication: ISO 27001, SOC2 Type II, and C5 certifications held by GCP and Azure apply directly to the infrastructure your data runs on.
Logical isolation: why your data can't reach a competitor
Will our proprietary system architecture end up training a model that our competitors can query?
The answer is structural, not policy-based.
evidion uses RAG — Retrieval Augmented Generation. Your documents are indexed in an isolated vector store scoped to your organization. When the AI generates an output, it retrieves context from your documents only.
That context exists in memory for the duration of the call and is discarded afterward. It is never written into model weights. It cannot propagate to another customer's context. The distinction between in-context retrieval and fine-tuning is the technical guarantee — not a contractual promise we ask you to take on faith.
Security Tier Consultation
Still not sure which tier fits your organization's security posture? The consultation below takes two minutes and ends with a specific recommendation — not a generic sales call.
01.What best describes your organization?
Have specific documentation requirements?
Enter your professional email below. We'll send you a pre-completed standard security questionnaire (SIG-Lite / CAIQ) and our detailed architecture diagrams.