Trust Center

One page that links every privacy, security, and compliance document EverCFO publishes. Use this page when a procurement or security team asks for “the trust page.”

Last updated: 2026-05-23

Published policies and contracts

Privacy Policy

What data we collect, how we use it, and the rights you have over it. Includes the GDPR Article 13/14 transparency information and the up-to-7-year financial-record retention disclosure.

Read /privacy→

Security

The five layers of protection between customer data and the outside world — authentication, encryption, tenant isolation, traceable AI, and the AI reasoning log per LOCK-030.

Read /security→

Sub-processors

The complete list of every third-party processor EverCFO engages — 19 entries grouped by category, with role, data categories, storage location, and DPA links per row.

Read /subprocessors→

Data Processing Addendum

Draft DPA template covering GDPR Article 28 + UK GDPR obligations. Annex II renders verbatim from the codebase's verified-controls source of truth. A signed counterpart is available on request.

Read /dpa→

Cookie Policy

Which cookies and similar technologies EverCFO sets, why we set them, and the email + browser paths for opting out of analytics cookies.

Read /cookies→

Refund Policy

How cancellations and refunds work. Subscription fees are non-refundable except where required by law; discretionary credits apply in exceptional cases.

Read /refund-policy→

Terms of Service

The Master Service Agreement governing your use of EverCFO. Governing law: Quebec, Canada.

Read /terms→

Compliance posture

EverCFO publishes qualified statements about its regulatory posture rather than badge-style claims. Each statement describes the operational control or document EverCFO actually maintains today.

GDPR (EU)

EverCFO acts as Processor for Customer Personal Data under the Master Service Agreement and our DPA. Data subject rights are honored per /privacy section 7; sub-processor obligations are documented at /subprocessors. The draft DPA at /dpa covers GDPR Article 28 obligations including breach notification (without undue delay), audit rights, and Standard Contractual Clauses Module Two and Module Three flow-down.

UK GDPR

Where Customer Personal Data is subject to the UK GDPR, the UK Addendum to the EU SCCs (issued by the UK Information Commissioner's Office under Section 119A(1) of the UK Data Protection Act 2018) applies per the draft DPA Annex III. The UK Addendum is distinct from the stand-alone UK International Data Transfer Agreement.

CCPA / CPRA (California)

EverCFO is not currently a CCPA-threshold business per the California subsection of /privacy section 7 (we do not meet the 2025 California Consumer Privacy Act revenue, household, or data-broker thresholds). We extend the privacy rights described in /privacy section 7 voluntarily and will scale our CCPA program as the business reaches the threshold.

Quebec Law 25

EverCFO's primary place of business is Quebec, Canada. The privacy contact and incident-response procedures described in /privacy are designed to satisfy the Quebec Act respecting the protection of personal information in the private sector (Law 25), including the avec empressement breach-notification standard documented by the Commission d'accès à l'information du Québec.

PIPEDA (Canada)

The breach response and privacy contact procedures described in /privacy follow the guidance issued by the Office of the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the as-soon-as-feasible breach notification standard.

SOC 2

EverCFO has not undertaken a SOC 2 audit. The engagement is deferred until EverCFO has a customer base that materially benefits from the investment (per the business decision documented in CLAUDE.md). Until a SOC 2 report is available, customers may rely on the draft DPA's Annex II verified Technical and Organizational Measures (TOMs) and the published Service documentation for evidence of compliance.

HIPAA, PCI-DSS, ISO 27001

EverCFO does not handle Protected Health Information (PHI) and is not a HIPAA Covered Entity or Business Associate. Paddle is the merchant of record for subscription payments and handles all payment-card data — EverCFO never sees or stores card numbers, so PCI-DSS does not apply at the EverCFO layer. ISO 27001 is out of scope until the SOC 2 engagement above.

Engineering provenance

The sub-processor list and the DPA Annex II Technical and Organizational Measures are not marketing copy. Both are rendered directly from typed source-of-truth files in the EverCFO codebase, with regression tests pinning their shape on every CI run.

Sub-processor registry: src/data/subprocessors.ts — currently 19 entries. Rendered at /subprocessors.
Verified Technical and Organizational Measures: src/data/dpa-tom.ts — currently 12 measures, each with a stable evidence pointer to a test, code path, or vendor-managed default. Rendered as Annex II of the draft DPA at /dpa.

Service status

EverCFO does not yet publish a public uptime dashboard. Internal uptime monitoring runs against the API health endpoint via BetterStack. A public status page will be linked here once it is available; in the meantime, please email support@evercfo.ai if you believe EverCFO is unavailable for your account.

Contact

Privacy — data subject requests, DPA negotiation, sub-processor questions: privacy@evercfo.ai
Security — vulnerability reports, incident inbound: security@evercfo.ai
Legal — contract questions, DPA counterparts: legal@evercfo.ai
General support — everything else: support@evercfo.ai