SOC 2 audited. ISO 27001 certified. GDPR compliant. Evergrowth is built for teams that take data seriously — because we do too.
Request a security reviewNot just logos on a page. Here’s what each one actually requires.
Independent third-party audit of security controls. Covers access controls, change management, risk mitigation, and system monitoring.
International standard for information security management systems. Requires documented policies, risk assessments, and continuous improvement.
EU regulation for personal data protection. Covers lawful data processing, right to access, right to deletion, and data portability.
Specific answers, not vague promises.
All data is protected using encryption both during transmission and while stored. Access is restricted through unique user IDs and role-based permissions.
Your CRM data, research outputs, and agent activity are never used to train or fine-tune any language model. Not ours, not our providers'.
Each customer workspace is logically isolated. Your data is never accessible to other customers or shared across workspaces.
AI agents only process what they need: full name, job title, email, phone, and LinkedIn profile. Processing is limited to contacts matching your approved ICP and buyer personas.
When you cancel, your data is returned or deleted at your choice. If no request is made, all personal data is permanently deleted within 30 calendar days.
All access and processing activities are logged and monitored. Evergrowth maintains secure development practices, vulnerability management, and documented incident response procedures.
The plumbing behind the agents matters as much as the policies on top.
Every request enters through a signed JWT (frontend) or API key (service-to-service). The token carries the requesting user’s organisation UUID, which scopes all downstream access.
Workloads run on managed Kubernetes with KMS-encrypted secrets and cluster-level audit logging. Persistent stores use managed Postgres with KMS encryption at rest and Multi-AZ availability for primary databases.
The agent service holds no customer business records of its own. It orchestrates LLM calls and forwards validated outputs to authenticated downstream systems where the customer chooses to persist them.
System prompts are loaded from a controlled registry. Customer-supplied content and third-party web content enter the model only through delimited user-message blocks, never concatenated into the system prompt.
You’re trusting AI agents with your CRM data and prospect research. Here’s exactly how that works.
Agents reason via enterprise endpoints from major providers — including Microsoft, AWS, OpenAI, Google, and Groq — all under contractual no-training and no-retention terms. No consumer endpoints, and no providers in non-aligned jurisdictions.
System prompts are authored, peer-reviewed, and versioned in a controlled registry. New versions only reach customers after staging review. No silent prompt or model swaps.
Every agent response is bound to a typed schema. Outputs that fail validation are rejected, so an injected directive cannot reach a downstream system as free-form text.
Each agent type has a hand-picked tool set — web search, scraping, internal lookup. No code execution, no filesystem, no shell, no arbitrary network. Writes to customer systems go through separate authenticated paths.
Vector retrieval and embeddings are scoped per workspace and never shared across tenants. A query inside one customer environment cannot surface another customer’s data.
Every agent run produces a structured trace — prompt version, tool calls, inputs, outputs, latency, and token usage. Errors are captured in a monitored pipeline so reasoning is reconstructible after the fact.
Reviewers want to know how Evergrowth maps to OWASP and the EU AI Act. These four cards cover the most common questions; the full mapping is available under NDA.
System instructions are server-side and versioned. Third-party content — web pages, CRM records, search results — is treated strictly as data inside delimited blocks. Outputs are bound to typed schemas. Maps to OWASP LLM01 + LLM05.
Enterprise endpoints only, contractual no-training and no-retention. Each task receives the minimum context required to complete it. Maps to OWASP LLM02.
Narrow tool sets per agent. No code execution, filesystem, or shell access. Writes to customer systems go through separate authenticated paths. Maps to OWASP LLM06.
Foundation models are consumed via reviewed enterprise providers. Evergrowth does not train or fine-tune them, and never trains on customer data. Maps to OWASP LLM03 + LLM04.
Evergrowth’s agents perform B2B research, qualification, and copy generation. They do not make decisions in the high-risk domains listed in Annex III of the EU AI Act (employment, credit scoring, law enforcement, education access). A human reviews any action that affects external parties, and outputs are produced with provenance and reasoning visible to the user, supporting Article 52 transparency obligations.
Evergrowth complies with data protection regulations across the EU, US, UK, and Canada.
Full compliance with Regulation (EU) 2016/679. Evergrowth acts as data processor under a formal DPA. Standard Contractual Clauses (SCCs) used for any transfers outside the EEA/UK.
Compliant with CCPA/CPRA, VCDPA, CPA, CTDPA, and UCPA. Evergrowth acts as a service provider or processor. Your data is never sold or shared as defined under these laws.
Compliant with PIPEDA and Quebec’s Law 25. Breach notification, access rights, and appropriate safeguards all covered.
Where multiple frameworks apply simultaneously, the more protective standard for data subjects governs. Always.
Need a deeper look? Customers can request a technical data-flow walkthrough or a live Q&A with our CTO and compliance lead under NDA, in addition to the SOC 2 and ISO 27001 reports.