Security and Governance Overview Book Security Review All Resources
Aevah.
Security and Governance
For CISO  ·  Legal  ·  IT Director  ·  Compliance

Security andGovernance Overview

Aevah deploys on your cloud infrastructure. Your data stays in your environment. Every metric is traceable to its source. Every AI output is auditable. This document covers data architecture, access controls, AI governance, compliance posture, and operational security for security, legal, and IT stakeholders conducting due diligence.

Audience CISO · Legal · IT Director · Compliance
Data Location Client-owned cloud only
Compliance SOC 2 Type II in progress
By Aevah · aevah.com
Zero
Client data that leaves the client's own cloud environment during or after deployment
Full
Lineage tracking on every metric, output, and recommendation from source to consumer
Zero
Client data used for Aevah model training or any purpose beyond the client's own deployment
Page 2 of 4
Data Architecture

Your data never leaves your environment.

Aevah deploys entirely within the client's own cloud infrastructure. The platform runs on Snowflake, Databricks, and dbt resources provisioned in the client's own cloud account. There is no Aevah-owned data pipeline, no third-party data transfer, and no persistent Aevah infrastructure that remains in the client environment after the deployment engagement ends.

01 Client Cloud Account Snowflake, Databricks, dbt. All provisioned and owned by the client.
02 Client Data Sources ERP, POS, trade systems. Ingested to client-owned storage only.
03 Aevah Semantic Layer Deployed to client infrastructure. Owned by client post-engagement.
04 AI and Analytics Models Run in client compute. Outputs stored in client environment only.
05 Aevah Access (Engagement Only) Scoped read access via client-managed credentials. Revoked at engagement close.
Data Residency Guarantee
No client data is transmitted to Aevah systems at any point during or after the engagement. Aevah does not operate a data lake, a model training pipeline, or any persistent infrastructure that ingests client data. The deployment is entirely within the client's own cloud account boundary.
Access Controls

Role-based, audit-logged, enterprise SSO compatible.

Access to the Aevah intelligence layer is governed by the same access control frameworks the client already uses for their cloud data environment. There is no separate Aevah user directory, no shadow credential system, and no access that bypasses the client's existing identity and access management layer.

Role-Based Access Control
Permissions defined at the role level and inherited by users. No individual-level permission grants that create audit complexity. Aligned with Snowflake and Databricks native RBAC models.
Enterprise SSO Integration
SAML 2.0 and OIDC compatible. Connects to Okta, Azure AD, Google Workspace, and other enterprise identity providers. Users authenticate through existing corporate identity, not a separate Aevah credential.
Full Audit Logging
Every query, metric access, and model output is logged to the client's own audit infrastructure. Log retention and format determined by the client. Aevah does not hold or receive copies of access logs.
Engagement-Scoped Aevah Access
Aevah team access during deployment is limited to a scoped service account with read-level permissions defined by the client. All access credentials are provisioned and controlled by the client and revoked at engagement close.
Page 3 of 4
Data Governance

Full lineage on every metric and output.

Every number produced by the Aevah intelligence layer is traceable from its source data through every transformation step to the output your team sees. Governance is structural, not procedural: lineage is enforced at the data layer, not maintained in external documentation that can fall out of sync.

Column-Level Lineage
Every metric traces back to the source column, transformation model, and ingestion timestamp. Auditors can follow any number to its origin without relying on tribal knowledge.
Governed Metric Definitions
One definition per KPI, version-controlled and deployed via dbt metrics. When the definition changes, every downstream consumer reflects the change and the change is logged with a reason and approver.
Data Quality Test Coverage
Automated tests run on every fact table before data is promoted to the semantic layer. Test failures halt promotion and alert the data engineering team. Untested data does not reach the business layer.
AI Governance

No black-box recommendations.

Model Output Audit Trails
Every AI recommendation includes the model version, input parameters, confidence range, and data lineage. Recommendations are not presented without this context attached.
Human-in-the-Loop Approval Workflows
AI outputs that inform material business decisions route through a configurable approval workflow before being acted on. The system does not execute on its own recommendations without designated human sign-off.
No Training on Client Data
Client data is used exclusively within the client's own deployment. Aevah does not use client data to train, fine-tune, or improve any shared model. Each deployment is fully isolated.
Compliance Posture

Where Aevah stands on compliance requirements.

Aevah's compliance program is actively maturing. The table below reflects current status for each compliance domain. For detailed documentation supporting your vendor security review, contact your Aevah representative.

Domain Posture Status
SOC 2 Type II Audit in progress. Controls documented and under observation period. In Progress
GDPR Data Handling GDPR-aware architecture: no EU personal data leaves EU-region client environments. Data processing agreements available on request. Active
Data Residency All client data remains in client-owned cloud account and region. No cross-border transfer by Aevah. Active
AI Model Training Client data is explicitly excluded from any shared model training. Contractually enforceable. Active
Penetration Testing Annual third-party pen testing of Aevah platform components. Reports available under NDA. Active
Vendor Risk Assessment Standard security questionnaire responses available. Custom assessments accommodated. Active
Zero Trust Architecture Network access design in progress for client-facing deployment tooling. Planned
Operational Security
No persistent Aevah infrastructure remains in the client environment after the deployment engagement concludes. All Aevah service account credentials are revoked, all Aevah-authored configurations are documented and owned by the client, and ongoing platform operation does not require Aevah access to the client environment.
Page 4 of 4
Security Review

Ready to complete your vendor security review?

We accommodate security questionnaires, architecture walkthroughs, and compliance documentation requests as a standard part of the evaluation process. Book a session with our team to get the documentation you need and have your specific questions answered directly.

Book Security Review

Deploys on Snowflake  ·  dbt  ·  Databricks  ·  Your cloud, your data, your control