Security

Last updated: 17 May 2026

What we protect

Evidara holds the kind of records a Zimbabwean business depends on: sales, inventory, customer details, debts, invoices, payment references, uploaded proof of payment, settlements, and reconciliations. This page explains, in plain English, how the platform is designed to protect that information.

We use careful wording on this page on purpose. Where security depends on a provider, we say so. Where work is still in progress, we say so.

How accounts are protected

Accounts are protected by email-and-password sign-in, with optional Google sign-in via OAuth. Password hashing and session handling are managed by our authentication provider (Supabase).

We recommend using a strong, unique password for Evidara, signing out of shared devices, and not sharing your login with anyone. If you notice activity on your account that you do not recognise, contact us straight away.

How data is separated between businesses

Each Evidara account is intended to see only its own business records. Database access is designed around row-level security policies in Supabase, so that a user's queries are scoped to that user's data at the database layer, not only in the application.

Service keys that can read across the database are kept server-side only. They are never shipped to the browser and are not used in client-side code.
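As an added illustration of the row-level security design described above (this is example SQL, not Evidara's own schema; the `invoices` table, its `owner_id` column and the sample UUID are assumptions), the following shows how a Postgres table in Supabase is scoped to the signed-in user's own rows for every operation, and how to check the scoping from the SQL editor:

```sql
-- Hypothetical table: one row per invoice, tagged with the user who owns it.
create table public.invoices (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null default auth.uid() references auth.users (id),
  customer     text not null,
  amount_cents integer not null check (amount_cents >= 0),
  created_at   timestamptz not null default now()
);

-- Until RLS is enabled, policies are ignored and any role with table grants
-- sees every row. FORCE also applies the policies to the table owner.
alter table public.invoices enable row level security;
alter table public.invoices force row level security;

-- Read: only rows whose owner_id equals the JWT subject of the caller.
create policy invoices_select_own on public.invoices
  for select to authenticated
  using (owner_id = (select auth.uid()));

-- Insert: a caller may only create rows tagged with their own id.
create policy invoices_insert_own on public.invoices
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

-- Update: may only touch own rows, and may not re-assign them to someone else.
create policy invoices_update_own on public.invoices
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

create policy invoices_delete_own on public.invoices
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- No policy is defined for the anon role, so unauthenticated callers get no rows.
-- The service_role key bypasses RLS entirely, which is why it must stay server-side.

-- Verification from the SQL editor: impersonate one user inside a transaction and
-- confirm that only that user's rows are visible. The sub value is a constructed sample.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from public.invoices;   -- counts only rows owned by that sub
rollback;
```

Repeating the verification block with a second user's `sub` and confirming the counts differ is the quickest way to catch a policy that was written but never enabled.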

How data moves

Traffic between your browser and Evidara is served over HTTPS in production. The same applies to traffic between the platform and our providers (Supabase and Stripe).

Storage encryption at rest, network-level protections, regional redundancy, and platform-level DDoS mitigation are provided by our infrastructure providers (Supabase and Vercel) under their own security programs.

Payments

Subscription payments are handled by Stripe. Card details are entered into Stripe's own forms and do not pass through Evidara servers. Stripe operates as a PCI DSS Level 1 service provider, which is their published status — not a certification held by Evidara.

Payment methods recorded inside the app (such as “cash”, “EcoCash”, “OneMoney”, “bank transfer”, or reference numbers and uploaded proof) are stored as your own business records and are not sent to advertisers.

What we ask of you

To keep your account safe:

  • Use a strong, unique password for your Evidara account.
  • Do not share your password with staff or family.
  • Sign out of shared or borrowed devices when you are done.
  • Keep the email address linked to your account secure — password resets go there.
  • Report anything suspicious to us as soon as you can.

Reporting a security issue

If you believe you have found a security problem in Evidara, please tell us privately before sharing it publicly. We take reports seriously and aim to respond quickly.

Email support@evidara.org with a clear description of the issue, how to reproduce it, and the potential impact. Please do not access other users' data, run denial-of-service tests against the service, or disclose the issue publicly until we have had a chance to address it.

What is not yet live

We list the security features that are not yet available so customers can make an informed decision before signing up.

  • Multi-factor authentication (TOTP) for account sign-in.
  • Expanded audit history for sensitive account changes.

Security & Compliance Roadmap

We are building Evidara to support trustworthy business records, responsible data handling, and report integrity. Our roadmap includes independent security review, legal review, data protection assessment, and stronger report-integrity controls as the platform grows.

  • External security audit — Planned. An independent review of the platform's security posture.
  • Legal review — Planned. Qualified legal review of our Terms, Privacy Policy, data retention rules, and report wording.
  • Data protection assessment — Planned. Covers export, deletion, consent, retention, and archive workflows.
  • Monthly internal security checks — Ongoing. Routine reviews of access controls, dependency updates, and incident drills.
  • Report integrity and tamper-evident verification review — Ongoing. Continual review of the hash and verify-URL flow used by Business Health Reports.

Roadmap items may evolve based on product growth, partner requirements, and legal guidance. We do not publish exact target dates on this page to avoid creating expectations we cannot reliably meet.

Limits of this page

This page describes how the platform is designed to handle data. No internet-based service can promise to be completely secure, and we do not claim any specific certification (such as SOC 2, ISO 27001, or PCI DSS) on our own behalf. Where a provider holds a certification, we name the provider.
