Our approach
Pitch decks and evaluation results are sensitive, so security is built into how EvalLense works rather than bolted on. We aim for private handling of submitted materials, controlled access to workspaces, and decisions that stay under human control. This page summarizes the technical and organizational measures we use; it is informational and not a contractual commitment.
Data protection
Data is encrypted in transit using TLS. Data is hosted with reputable cloud infrastructure providers and protected by access controls. Sensitive details such as pitch decks and account data are handled only as needed to run the Service, as described in our Privacy Policy.
Authentication and access control
Access to the Service is authenticated and scoped to the minimum each user needs:
- Sign‑in is handled by a managed authentication provider with sessions kept in
httpOnlycookies; we support email and password (with verification) and Google OAuth. - Each project is isolated at the database level, so an organizer can access only their own projects and submissions (row‑level‑security on every query).
- Administrative operations are gated behind explicit permission checks, and privileged access follows least‑privilege principles.
Secrets and keys
Service‑side credentials — including database service keys and AI‑provider keys — are stored and used only on the server and are never shipped to the browser or exposed in client code.
Private workspaces
Each evaluation batch lives in a controlled workspace available only to authorized reviewers. Public submission pages are reachable only when an organizer explicitly publishes a project; otherwise they return “not found.” Reports are accessed through the organizer’s authenticated workspace.
Evaluation integrity
Submitted deck content is treated as evidence to analyze, not as instructions to follow, so hidden or adversarial text in a deck cannot rewrite the evaluation rules. The numeric layer is deterministic and the AI score is advisory, with a human making the final decision. More detail is on our Prompt Injection Safety and Security & Privacy pages.
Certifications and audits
EvalLense does not currently hold formal third‑party security certifications (such as SOC 2 or ISO 27001). As the product matures, we expect to formalize additional controls and will update this page accordingly. [Status to be confirmed.]
Responsible disclosure
If you believe you have found a security vulnerability, please report it to security@evallense.com with enough detail to reproduce the issue. Please give us reasonable time to investigate and remediate before public disclosure, and avoid accessing or modifying data that is not yours. We appreciate good‑faith research.
No absolute guarantee
No product or transmission method is perfectly secure. While we work to protect your information, we cannot guarantee absolute security. Your use of the Service is also subject to our Terms of Service.
Updates to this page
We may update this page as our practices evolve. The “Last updated” date above reflects the latest revision.
Questions about this page? Contact legal@evallense.com.