Aevah deploys on your cloud infrastructure. Your data stays in your environment. Every metric is traceable to its source. Every AI output is auditable. This document covers data architecture, access controls, AI governance, compliance posture, and operational security for security, legal, and IT stakeholders conducting due diligence.
Aevah deploys entirely within the client's own cloud infrastructure. The platform runs on Snowflake, Databricks, and dbt resources provisioned in the client's own cloud account. There is no Aevah-owned data pipeline, no third-party data transfer, and no persistent Aevah infrastructure that remains in the client environment after the deployment engagement ends.
Access to the Aevah intelligence layer is governed by the same access control frameworks the client already uses for their cloud data environment. There is no separate Aevah user directory, no shadow credential system, and no access that bypasses the client's existing identity and access management layer.
Every number produced by the Aevah intelligence layer is traceable from its source data through every transformation step to the output your team sees. Governance is structural, not procedural: lineage is enforced at the data layer, not maintained in external documentation that can fall out of sync.
Aevah's compliance program is actively maturing. The table below reflects current status for each compliance domain. For detailed documentation supporting your vendor security review, contact your Aevah representative.
| Domain | Posture | Status |
|---|---|---|
| SOC 2 Type II | Audit in progress. Controls documented and under observation period. | In Progress |
| GDPR Data Handling | GDPR-aware architecture: no EU personal data leaves EU-region client environments. Data processing agreements available on request. | Active |
| Data Residency | All client data remains in client-owned cloud account and region. No cross-border transfer by Aevah. | Active |
| AI Model Training | Client data is explicitly excluded from any shared model training. Contractually enforceable. | Active |
| Penetration Testing | Annual third-party pen testing of Aevah platform components. Reports available under NDA. | Active |
| Vendor Risk Assessment | Standard security questionnaire responses available. Custom assessments accommodated. | Active |
| Zero Trust Architecture | Network access design in progress for client-facing deployment tooling. | Planned |
We accommodate security questionnaires, architecture walkthroughs, and compliance documentation requests as a standard part of the evaluation process. Book a session with our team to get the documentation you need and have your specific questions answered directly.
Book Security Review →Deploys on Snowflake · dbt · Databricks · Your cloud, your data, your control