Security

Evidara holds the kind of records an African SME depends on: sales, inventory, customer and debtor details, invoices, payment references, uploaded proof of payment, settlements, reconciliations, and the business health and trust reports generated from them. This page explains, in plain English, how the platform is designed to protect that information.

Business records remain owner-controlled. Evidence is not automatically shared with lenders, suppliers, or other third parties. If Evidara introduces sharing features in the future, they will require explicit customer consent and appropriate access controls. We support secure authentication and protect access to account data.

We use careful wording on this page on purpose. Where security depends on a provider, we say so. Where work is still in progress, we say so. We are building toward formal audits and certifications.

Accounts are protected by email-and-password sign-in, with optional Google sign-in via OAuth. Password hashing and session handling are managed by our authentication provider (Supabase).

We recommend using a strong, unique password for Evidara, signing out of shared devices, and not sharing your login with anyone. If you notice activity on your account that you do not recognise, contact us straight away.

Evidara supports time-based one-time password (TOTP) multi-factor authentication for sign-in. Once enabled from your account settings, you are asked for a code from an authenticator app (such as Google Authenticator, 1Password, or Authy) in addition to your password.

We strongly recommend enabling 2FA for any account that holds business records, debtor data, or proof uploads.

Each Evidara account is intended to see only its own business records. Database access is designed around row-level security policies in Supabase, so that a user's queries are scoped to that user's data at the database layer, not only in the application.

Service keys that can read across the database are kept server-side only. They are never shipped to the browser and are not used in client-side code.

Traffic between your browser and Evidara is served over HTTPS in production. The same applies to traffic between the platform and our providers (Supabase and Stripe).

Storage encryption at rest, network-level protections, regional redundancy, and platform-level DDoS mitigation are provided by our infrastructure providers (Supabase and Vercel) under their own security programs.

A list of current subprocessors is available on our Subprocessors page.

We maintain backup and recovery procedures designed to reduce the risk of accidental data loss. Recovery objectives may vary depending on the nature of an incident and operational constraints.

Administrative access to production systems is restricted to a small number of authorised people. Secrets and service keys are kept in secure secret storage and are never shipped to the browser. We aim to follow the principle of least privilege when granting internal access and to remove access promptly when it is no longer needed.

Sensitive account activity — such as sign-ins, multi-factor authentication events, and certain record changes — is recorded in audit logs that we retain for security and investigation purposes.

Business health and trust reports generated by Evidara include a deterministic content hash. The hash is designed so that a recipient (for example a lender or supplier) can compare their copy of a report against the version recorded inside Evidara, and detect changes to the underlying numbers. This is intended as a tamper-evident control, not a substitute for independent audit or assurance.

Proof Vault is the part of Evidara where you store proof uploads — receipts, EcoCash and OneMoney confirmations, deposit slips, supplier invoices, and photographs of paperwork — attached to the sales, expenses, and reconciliations they support.

Uploads are stored in our infrastructure provider's object storage and are designed to be visible only to your account and any authorised users you explicitly grant access to. Files served from Proof Vault are delivered over HTTPS, and access is scoped at the database layer using row-level security policies.

Subscription payments are handled by Stripe. Card details are entered into Stripe's own forms and do not pass through Evidara servers. Stripe operates as a PCI DSS Level 1 service provider, which is their published status — not a certification held by Evidara.

Payment methods recorded inside the app (such as “cash”, “EcoCash”, “OneMoney”, “bank transfer”, or reference numbers and uploaded proof) are stored as your own business records and are not sent to advertisers. Evidara records payment information for bookkeeping; it does not process merchant customer payments, hold balances, provide payouts, or act as an acquirer, wallet, payment facilitator, or merchant of record.

To keep your account safe:

• Use a strong, unique password for your Evidara account.
• Do not share your password with staff or family.
• Sign out of shared or borrowed devices when you are done.
• Keep the email address linked to your account secure — password resets go there.
• Report anything suspicious to us as soon as you can.

If Evidara becomes aware of a security incident affecting user data, we will investigate, contain the issue, and notify affected users or relevant authorities without undue delay, or as required by applicable law.

Notification timing and details depend on the nature of the incident, applicable law, and the facts available during the investigation.

If you are a security researcher or user and believe you have found a security problem in Evidara, please report it to us privately before sharing it publicly. We will review reports and respond as capacity allows.

Security reports can be sent to security@evidara.org. Please include the affected URL, steps to reproduce the issue, the potential impact, and your contact details. We aim to acknowledge security reports within 5 business days.

We support good-faith security research. We will not pursue legal action against researchers who act in good faith, avoid accessing data that does not belong to them, avoid disrupting the service, and provide us with a reasonable opportunity to investigate and address the issue.

While testing, please do not access, modify, delete, or exfiltrate data that does not belong to you. Please do not disrupt the service, run destructive tests, or attempt social engineering.

Note that we do not currently operate a paid bug bounty program, and we do not offer monetary rewards or a fixed service-level agreement for responses.

Evidara is available across all 55 African Union countries for merchant signup, onboarding, and local-currency record keeping where a valid ISO 4217 recording currency exists. Expanding record keeping to 55 countries does not mean cross-tenant data access. Each merchant account remains strictly isolated from every other.

• Tenant isolation and RLS remain central. Row-level security policies in Supabase continue to scope every query to the authenticated merchant's own data at the database layer.
• Merchant data is not externally shared by default. 55-country availability does not open any external data-sharing path.
• No lender access is active. No lender login, lender API, or lender response path is live.
• No partner access is active. No third-party partner integration or data-sharing path is live.
• No consent or disclosure runtime is active. No consent capture, consent revocation, or disclosure delivery path is live.
• No external protocol, network, or routing path is active. No external interoperability protocol, recipient discovery network, routing network, third-party protocol integration, or external network disclosure path is active or approved.
• Evidara records payment labels — it does not process payments. Payment methods in business records are labels for bookkeeping only. Evidara does not process merchant customer payments, hold balances, provide payouts, or act as an acquirer, wallet, payment facilitator, or merchant of record.
• Stripe subscription billing is separate from merchant business records. Stripe is used for Evidara subscription billing. The merchant's business recording currency is independent from how the merchant pays Evidara.

We list the security features that are not yet available so customers can make an informed decision before signing up.

• Hardware security key (WebAuthn) as a second factor — TOTP is supported today.
• Expanded customer-visible audit history beyond sign-in and key account events.
• Customer-managed data residency by region.

We are building Evidara to support trustworthy business records, responsible data handling, and report integrity. Our roadmap includes independent security review, legal review, data protection assessment, and stronger report-integrity controls as the platform grows.

• External security audit — Planned. An independent review of the platform's security posture.
• Legal review — Planned. Qualified legal review of our Terms, Privacy Policy, data retention rules, and report wording.
• Data protection assessment — Planned. Covers export, deletion, consent, retention, and archive workflows.
• Monthly internal security checks — Ongoing. Routine reviews of access controls, dependency updates, and incident drills.
• Report integrity and tamper-evident verification review —Ongoing. Continual review of the hash and verify-URL flow used by Business Health Reports.

Roadmap items may evolve based on product growth, partner requirements, and legal guidance. We do not publish exact target dates on this page to avoid creating expectations we cannot reliably meet.

This page describes how the platform is designed to handle data. No internet-based service can promise to be completely secure, and we do not claim any specific certification (such as SOC 2, ISO 27001, or PCI DSS) on our own behalf. Where a provider holds a certification, we name the provider.