EvaluAgent Security

Global brands trust us to keep their sensitive data secure. This is not something we take lightly. With enterprise security features and regular audits of our applications and networks, we ensure customer and business data is always protected. Enabling our customers to continue with their day-to-day business knowing that the information they trust us with is safe, secure and protected.

Data Center and Network Security

We ensure the confidentiality and integrity of customer data with industry best practices. EvaluAgent is hosted at SSAE-16, PCI DSS, and ISO 27001 compliant facilities.

Physical Security


EvaluAgent leverages Amazon Web Services network of data centers across the globe, including Europe, USA and Australia regions. Customers can choose to locate their service data in a specific region.

Facilities & On-Site Security

EvaluAgent is hosted within Amazon Web Service global infrastructure. Access to data centers is closely monitored by AWS Security Operations Centers. AWS continually watch for unauthorized entry, using video surveillance, intrusion detection and access log monitoring systems. Entrances are secured with devices that sound alarms if a door is forced or held open.


All of our production systems are monitored constantly. We use anomaly detection to alert us of anything that’s happening which is out of the normal state of operation. Production systems are only administered by EvaluAgent staff. Physical security, power and internet connectivity are monitored by our infrastructure provider, Amazon Web Services.

Network Security


Our network is protected by redundant firewalls, load balancers, secure HTTPS transport over public networks and regular audits by third party security experts.


We implement multiple security zones in our network architecture. Sensitive systems, such as database servers, are protected in our most trusted zones. Other systems are housed in zones applicable to their sensitivity, risk and function.

Network Vulnerability Scanning

Network security scanning gives us in-depth insight for out-of-compliance and/or potentially vulnerable systems.

Third-party Penetration Tests

We perform internal testing in an automated and manual fashion. Bi-annually, EvaluAgent employs third-party security experts to perform a broad penetration test across the EvaluAgent production network and infrastructure.

Logical Access

Access to the EvaluAgent production network is restricted to a strict, need-to-know basis, that utilises the least privilege and is frequently audited and monitored. Employees accessing the EvaluAgent production network are required to use multiple factors of authentication.

Intrusion Detection and Prevention

All of our network ingress and egress are monitored 24/7, with automatic alerts set for any abnormal values and incidents differ from our pre-defined thresholds.

Security Incident Response

Our employees are fully trained in our security response protocols including escalation paths and appropriate communication channels. In the case of a system alert, events are escalated to our teams providing operations, security and engineering support.


Encryption at Rest

All customers of EvaluAgent benefit from the protections of encryption at rest for storage of attachments held in Amazon S3 and data stored within our Amazon RDS instances.

Encryption in Transit

Communications between you and EvaluAgent servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.

Availability & Resilience


EvaluAgent uses the latest technology and systems to monitor and report on information that includes system availability details, scheduled maintenance, service incident history and relevant security events.


EvaluAgent is deployed across multiple availability zones and multiple instances within each zone to eliminate single points of failure. Our strict backup procedures ensure Service Data is actively replicated across primary and secondary DR systems and facilities.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available or easily recoverable in the case of a disaster. We have built a redundant technical environment and have created Disaster Recovery plans which are regularly tested.

Application Security

A Secure Software Development Lifecycle (SDLC)

Security Training

Annually, our engineers participate in secure code training covering the OWASP Top 10 security flaws, common attack vectors and EvaluAgent security controls. Our engineers also attend conferences and training by third parties such as AWS on Security Best Practices.

Quality Assurance

As part of every release, our team reviews and tests our code base to identify, test and triage possible security vulnerabilities in the code. This is in addition to any third party testing and automated testing.

Separate Environments

Test and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.

Security Controls

EvaluAgent utilise framework security controls to limit exposure to OWASP Top 10 security flaws. These include controls that reduce our exposure to Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS) and SQL Injection, amongst others.

Application Vulnerabilities

Dynamic Vulnerability Scanning

We use a number of third-party, qualified security tools to continuously dynamically scan our applications against the OWASP Top 10 security flaws.

Static Code Analysis

The source code repositories for EvaluAgent are continuously scanned for security issues via our integrated static analysis tooling.

Security Penetration Testing

In addition to an extensive internal scanning and testing program, each quarter EvaluAgent employs third-party security experts to perform detailed penetration tests on our applications and infrastructure.

Product Security

Authentication Security

Configurable Password Policy

EvaluAgent provides the following levels of password security: low, medium and high, as well as allowing you to set custom password rules. Only users with the appropriate permission can change the password security level.

Secure Credential Storage

EvaluAgent follows security best practices for credential storage by never storing passwords in human readable format and only as the result of a secure, salted, one-way hash.

API Security & Authentication

The EvaluAgent application and API is SSL-only and you must be an authenticated user to make API requests.

Additional Product Security Features

Access Privileges & Roles

Access to data within EvaluAgent is governed by access rights and can be configured to define granular access privileges. EvaluAgent provides a standard set of permissions to get you started and you totally customise and/or disable these initial set of permissions if required. Learn more about access levels.

IP Restrictions

EvaluAgent can be configured to only allow access from specific IP address ranges you define.


With EvaluAgent you can upload attachments to contacts, such as call recordings, email transcriptions, chat conversations etc. Users must be signed in to EvaluAgent and have the appropriate permissions set to allow access to attachments and a further permission to be able to upload attachments.

Transmission Security

All communications with EvaluAgent servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and EvaluAgent is secure during transit. Additionally for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

Email Signing (DKIM/DMARC)

EvaluAgent utilises DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for signing outbound emails.