Security
eVamb Technologies operates customer-data-handling products. This page describes how we secure that data — encryption posture, access controls, monitoring, incident response, and how to report a vulnerability.
1 · Encryption
- In transit — TLS 1.3 on all public endpoints. HSTS preload. No plaintext fallbacks.
- At rest — AES-256 on all customer data at the storage layer. Database fields containing personally identifying patient information (Connext Doctors) are end-to-end encrypted with per-clinic keys.
- Backups — same encryption posture as production. 30-day rolling retention.
2 · Access controls
- Least-privilege engineering access. Production database access requires hardware MFA + audit-logged session.
- All access to Connext Doctors patient records is logged with timestamp, IP, user, and stated reason. Reviewed quarterly.
- Federated identity for the engineering team (SAML SSO + mandatory MFA).
3 · Monitoring
- Centralised logging across application, infrastructure, and security events. 90-day hot retention, 1-year cold.
- Anomaly detection on authentication, data exfiltration patterns, and privileged actions.
- On-call rotation 24/7 for production incidents.
4 · Software supply chain
- Dependency scanning (Snyk-class) on every commit; critical vulnerabilities block deploy.
- SBOM generated per release. Signed artefacts.
- Quarterly third-party penetration test on production surfaces.
5 · Incident response
If we detect or are credibly notified of a security incident affecting customer data: (1) contain within 4 hours; (2) notify affected customers within 72 hours (or sooner where law requires); (3) publish a post-mortem within 30 days. The lab carries the pager.
6 · Compliance posture
- PIPEDA — Canada (active).
- PHIPA — Ontario (Connext Doctors, active).
- HIPAA-aware — US (Connext Doctors, Business Associate role).
- GDPR / UK GDPR — EU/EEA/UK (active).
- CCPA/CPRA — California (active).
- Law 25 — Quebec (active).
- SOC 2 Type II — observation period started Q1 2026; report expected Q4 2026.
7 · Vulnerability disclosure
If you've found a security issue, please email security@evamb.com with a description and reproduction steps. We acknowledge within 24 hours, triage within 5 business days, and credit reporters in our security changelog (with your permission).
Please do not: publicly disclose before we've shipped a fix; test against production accounts that aren't yours; or attempt denial-of-service. We will not pursue legal action against good-faith researchers acting within these bounds.
8 · Sub-processors
A current list of named sub-processors is available on request from privacy@evamb.com. Each operates under a Data Processing Agreement.