Eviya User Data Security Whitepaper (Self-Audited)
Effective Date: June 21, 2025
Version: 1.1
Executive Summary
At Eviya, we believe everyone deserves access to daily emotional support. Our mission is to provide busy professionals with a private, personalized space for reflection and growth.
This self-audited security whitepaper outlines the measures Eviya has implemented to ensure the highest standards of data protection.
We have adopted a zero-knowledge architecture, end-to-end encryption, and best practices in secure application development to safeguard sensitive information.
Our approach aligns with internationally recognized security standards and guidelines, including GDPR, CCPA, UAE PDPL, and OWASP ASVS Level 1 recommendations.
0. AI Data Interaction & Zero-Knowledge Principles
- Privacy-Preserving AI Architecture:
  - All AI interactions occur through a zero-knowledge architecture where the AI never has access to unencrypted user data.
  - When the AI needs to reference user content (such as journal entries or chat history), this data is decrypted locally on the user's device.
  - Only contextual information derived from the decrypted data is used for AI processing, not the raw content itself.
  - This architecture ensures that even as the AI provides personalized support, it never compromises user privacy.
- Secure Context Handling:
  - Context for AI responses is generated client-side after local decryption of encrypted data.
  - The AI receives only the minimal necessary context to provide meaningful responses.
  - No unencrypted user content is ever stored on our servers or accessible to the AI systems directly.
- Data Isolation:
  - AI processing occurs in isolated environments with strict access controls.
  - User data remains encrypted at all times on our servers, even during AI interactions.
  - The AI model itself has no persistent memory of user conversations or journal entries between sessions.
1. Data Encryption
- End-to-End Encryption (E2EE):
  - All user journal entries, mood logs, and chat conversations are encrypted on the client side before being transmitted to Eviya's servers.
- Encryption Standard:
  - We use AES-256-GCM, a trusted encryption algorithm that ensures data confidentiality and integrity.
- Zero Knowledge:
  - Eviya cannot access or decrypt user content. Only users retain the ability to decrypt their own wellness data.
- Encrypted Data Storage:
  - Encrypted blobs are stored securely on trusted cloud infrastructure.
2. Encryption Key Management
- Client-Side Key Derivation:
  - Encryption keys are generated dynamically on the user's device using strong cryptographic techniques (PBKDF2 with unique salt).
- No Server-Side Key Storage:
  - Private encryption keys are never stored, transmitted, or accessible by Eviya servers.
- Key Rotation:
  - Eviya supports secure key rotation processes, with background re-encryption of user data when keys are updated.
- Key Versioning:
  - Every encrypted record is linked to its corresponding key version to ensure proper future decryption.
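The scheme described in sections 1 and 2 (PBKDF2 key derivation with a unique salt, AES-256-GCM, a key version on every record, re-encryption on rotation), shown as an added example that is not Eviya's code. It runs under Node.js with the built-in crypto module, where a browser client would use Web Crypto; the iteration count, the record layout, and the choice to bind record id and key version as GCM associated data are assumptions.

```javascript
// Added example (not Eviya's code). Iteration count, record layout and AAD format are assumptions.
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 600000; // assumed work factor; the whitepaper states none

// Derive a 256-bit key on the client from a passphrase and a unique random salt.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Associated data ties the ciphertext to its record id and key version.
const aadFor = (recordId, keyVersion) => Buffer.from(`${recordId}|v${keyVersion}`);

// Encrypt one entry; the returned object is the only thing a server would store.
function encryptRecord(key, keyVersion, recordId, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(recordId, keyVersion));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { recordId, keyVersion, iv, ct, tag: cipher.getAuthTag() };
}

// Pick the key by the record's version; throws if ciphertext, id or version was altered.
function decryptRecord(keyring, record) {
  const key = keyring.get(record.keyVersion);
  if (!key) throw new Error(`no key for version ${record.keyVersion}`);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAAD(aadFor(record.recordId, record.keyVersion));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
}

// Rotation: decrypt under the old key version, re-encrypt under the new one.
function rotateRecord(keyring, record, newVersion) {
  const plaintext = decryptRecord(keyring, record);
  return encryptRecord(keyring.get(newVersion), newVersion, record.recordId, plaintext);
}

// Constructed sample: one journal entry written under key v1, then rotated to v2.
function demo() {
  const passphrase = 'constructed-sample-passphrase';
  // Each key version gets its own salt (non-secret; assumed stored with the version metadata).
  const keyring = new Map([1, 2].map((v) => [v, deriveKey(passphrase, nodeCrypto.randomBytes(16))]));
  const v1 = encryptRecord(keyring.get(1), 1, 'entry-001', 'Felt calmer after the walk.');
  return { keyring, v1, v2: rotateRecord(keyring, v1, 2) };
}
```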
3. Authentication and Authorization
- Secure Authentication:
  - User authentication is managed via Supabase Auth, employing secure token-based mechanisms.
- Row-Level Security (RLS):
  - All database access is controlled at the row level to ensure users can only access their own encrypted records.
- Minimal Personal Data Collection:
  - Only email addresses are stored in readable form. No unencrypted mood, journal, or chat data is retained.
4. Network and Application Security
- HTTPS/TLS Encryption:
  - All communications between client and server are encrypted via HTTPS using TLS 1.2 and TLS 1.3 where supported.
- Service Worker Security:
  - Service workers operate only on secure HTTPS origins and are limited in scope.
- Input Validation and Sanitization:
  - User inputs are validated and sanitized to protect against XSS, CSRF, and injection attacks.
- No Hardcoded Secrets:
  - Encryption keys and other sensitive information are never hardcoded in client applications.
- Rate Limiting:
  - Eviya applies API rate limiting to prevent abuse and mitigate denial-of-service (DoS) risks.
5. Infrastructure and Hosting
- Secure Cloud Infrastructure:
  - Encrypted data is hosted in cloud environments with strong physical and digital security controls.
- Data Localization:
  - We are actively working toward meeting regional data storage requirements (e.g., UAE) where applicable.
- Encrypted Backups:
  - Backups are encrypted and protected under the same security principles as production data.
6. Privacy and Compliance Alignment
- Global Privacy Standards:
  - Eviya aligns its practices with GDPR, CCPA, and UAE PDPL, and is preparing for India's DPDP Act.
- Children's Privacy:
  - The service is restricted to users aged 16 and above.
- Zero-Knowledge Policy:
  - Due to encryption, Eviya cannot respond to third-party content access requests, protecting user confidentiality.
- No Ads, No Profiling:
  - User data is never sold or used for behavioral advertising or external analytics.
7. Risk and Breach Resilience
| Threat | Risk Level | Mitigation |
|---|---|---|
| Database Breach | Low | Data remains encrypted and unreadable. |
| Insider Threat | Low | No server-side decryption possible. |
| Network Eavesdropping | Very Low | Enforced HTTPS/TLS encryption. |
| Key Leakage | Very Low | Client-only, in-memory encryption keys. |
| XSS or Injection Attacks | Low | Input validation and sanitization practices implemented. |
| AI Data Exposure | Very Low | Zero-knowledge architecture ensures AI never accesses unencrypted user data. |
In the event of a breach, only encrypted, unusable blobs could be exposed.
8. Security Roadmap (Planned Improvements)
- Establishing a formal Vulnerability Disclosure Program (VDP) inviting ethical hacker feedback.
- Preparing for external audits (SOC 2, ISO 27001) based on growth and customer demands.
- Implementing regional data storage mirrors for jurisdictional compliance.
- Continuing internal security training and audits to stay ahead of emerging threats.
- Enhancing AI privacy controls with additional safeguards and transparency measures.
- Implementing advanced anomaly detection for AI interactions to prevent potential misuse.
Vulnerability Disclosure Program
We have established a Vulnerability Disclosure Program to encourage security researchers to report potential security issues. If you believe you've found a security vulnerability, please report it to us.
For more details on our security reporting process, please see our Security Policy.
Conclusion
Based on this self-audit, Eviya maintains strong, industry-standard security practices across user data collection, storage, encryption, and platform operations.
We remain committed to continuous improvement, privacy by design, and protecting the emotional and mental well-being of our users through uncompromising data security.
Contact Information
If you have any questions, concerns, or wish to report a potential security issue, please contact:
Security Team – Eviya
🌐 Website: https://eviya.ai