Security & Trust
Vendor accountability data is sensitive: contracts, evaluations, and performance records tied to real people and real sites. Here's how the product is built to protect it.
Our legal commitments, encryption specifics, breach notification, data retention, and sub-processor safeguards, are documented in our Privacy Policy and Terms of Service, including our service availability commitment in Terms Section 10. This page covers the parts of our security architecture that are specific to how the product is built.
Access & permissions
Inside the product, Admin and User roles determine what each team member can see and change, and every account gets an activity log of evaluations, contract updates, and permission changes. Review-only users can rate vendor work without gaining broader account access, so you can extend rating access without extending admin risk.
Vendor access, or the lack of it
Vendors never log into Evalystar. There's no vendor portal and no vendor account to provision, secure, or revoke. Your team rates completed work from inside your own account; the vendor's attack surface on your data is zero, because they never have access to begin with.
Questions
For security questionnaires, a DPA, or sub-processor details, write to legal@evalystar.com and we'll get back to you within five business days.