Security & Compliance
Public-co posture from day one.
EVIO is publicly traded on the OTC Current tier. The compliance apparatus that takes private LLC competitors 12–24 months and $250K+ to assemble is already in place.
Public-company status
| Item | Detail |
|---|---|
| Ticker | OTC: EVIO |
| State of incorporation | Colorado |
| Headquarters | Henderson, Nevada |
| Reporting status | OTC Current (not an SEC registrant) |
| Disclosure cadence | Per OTC Markets disclosure requirements (OTC Current); annual + quarterly reports + audited financials |
| Audit-log retention | Indefinite for compliance — per-agent action history exportable on request |
Application security
| Control | Detail |
|---|---|
| Transport | TLS 1.2+ everywhere via Cloudflare; HSTS enabled |
| API keys | SHA-256 hashed at rest; plaintext shown once at creation |
| Per-agent scoping | Recommended over org-wide keys; pause/revoke with 1-second propagation |
| Rate limits | 60 / 600 / 6,000 req/min for Indie / Studio / Pro; configurable per agent |
| Webhook signatures | HMAC-SHA256 on all outbound; Stripe + Clerk inbound verified before any DB write |
| Two-factor auth | Required for org owners; recommended for all users |
| Audit log | Every admin action logged with actor (user OR agent), target, metadata |
| Secrets management | Doppler — never in code, never in git |
| PII storage | Email + name (Clerk) + Stripe customer ID. No SSNs, no payment-card data on EVIO infra. |
SLA targets
During closed alpha, EVIO does not publish a contractual SLA. Internal targets:
| Metric | Target (alpha) | GA target |
|---|---|---|
| Uptime | 99.5% | 99.9% |
| p50 latency (mock data) | < 200 ms | < 200 ms |
| p95 latency (mock data) | < 600 ms | < 800 ms |
| Webhook delivery (first attempt) | < 60 s | < 30 s |
| Status page | status.evioinc.com | — |
Subprocessors
EVIO uses the following subprocessors. Full list maintained at /api/legal/privacy.
| Function | Subprocessor |
|---|---|
| Auth & org management | Clerk |
| Billing | Stripe |
| Database | Supabase (Postgres) |
| Edge / WAF / CDN | Cloudflare |
| Cache & rate limit | Upstash Redis & QStash |
| Behavioral warehouse | MotherDuck |
| Logs & metrics | Better Stack |
| Errors | Sentry |
| Secrets | Doppler |
| Hosting | Vercel (web), Fly.io (API) |
| Documentation | Mintlify |
Year-2 roadmap
- Vanta-managed SOC 2 Type II preparation
- SSO / SAML for Enterprise customers
- Customer-managed encryption keys (BYOK) for Enterprise
- Skyfire / KYA decentralized agent identity
Forward-looking statement
This page contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. Statements about future SLA targets, certifications, and product capabilities are not guarantees of future performance.
