Security Overview
Evenpay handles sensitive compensation data — salaries, pay equity analyses, and personal employee information. We take this responsibility seriously. This article explains how Evenpay is built and operated to keep your data safe.
Infrastructure & Hosting
Evenpay runs entirely on Google Cloud Platform (GCP), hosted in the EU — primarily in the europe-north1 region (Hamina, Finland). Google Cloud's data centers are physically secured with restricted access and 24/7 surveillance, and meet the highest industry standards.
Key infrastructure details:
Component | Technology |
Application hosting | Google Cloud Run (auto-scaling, containerized) |
Database | Google Cloud SQL for PostgreSQL (private VPC, no public IP) |
Frontend delivery | Firebase Hosting with global CDN |
Key management | Google Cloud KMS (AES-256, per-organization keys) |
Logging | Google Cloud Logging (structured, centralized) |
All internal service-to-service communication (e.g. Cloud Run to Cloud SQL) travels through a private VPC connector — the database is never exposed to the public internet.
Certifications & Compliance
Evenpay is ISO/IEC 27001 certified, demonstrating that our information security management system meets internationally recognized standards for protecting sensitive data. This certification covers our own operations, processes, and controls.
Our infrastructure provider, Google Cloud, is also independently audited and holds certifications including ISO/IEC 27001 and SOC 2 reports — providing a certified foundation at every layer of the stack.
Evenpay is designed to comply with the EU General Data Protection Regulation (GDPR) and operates exclusively within the EU. No customer data is transferred outside the EU unless explicitly requested by the customer or required by law.
Network Security
Evenpay uses a multi-layered approach to protect against external threats:
Protection | How it works |
DDoS protection | Multi-layer: Cloudflare at the edge, Google Cloud Armor at the infrastructure level |
Web Application Firewall | WAF rules filter malicious traffic before it reaches the application |
Rate limiting | Automatic throttling of excessive or abusive requests |
HTTP hardening | Security headers (via Helmet.js) and strict origin validation |
Monitoring & Incident Response
Evenpay systems are monitored continuously. Security anomalies — such as unusual query patterns, rate-limit breaches, or failed authentication attempts — trigger automatic alerts. Our team investigates and responds to any incidents promptly.
Structured logs (JSON format) are collected centrally via Google Cloud Logging, covering API requests, authentication events, security incidents, and system errors. Logs use pseudonymized identifiers (user IDs and organization IDs) and never contain sensitive personal data like national IDs or addresses.
Software Development Practices
Evenpay follows modern secure development practices:
Practice | Description |
Separate environments | Dedicated test and production environments — development never touches live data |
Automated testing | Unit and integration tests run before every release |
CI/CD pipelines | Version-controlled, managed deployments with full traceability |
Database migrations | Schema changes are version-controlled and applied through a managed migration process |
Evenpay is a web application — no software needs to be installed on your workstations. It works with any modern browser.
Tenant Isolation
Evenpay uses a relational database (PostgreSQL) where each organization's data is logically isolated. Every database query includes an organization identifier, and the application layer enforces strict access boundaries — a user can never access another organization's data.
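The rule that every query carries an organization identifier can be enforced in one place instead of being left to each call site. The sketch below is an added example, not Evenpay's own code: the helper `scopedSelect`, the table and column names, and the `org_123` identifier are all assumptions made for illustration.

```javascript
// Added example with a hypothetical schema: table and column names are assumptions.
const TABLES = {
  employees: ["id", "department", "job_level"],
  salaries: ["id", "employee_id", "effective_year"],
};

// Build a parameterized SELECT that is always scoped to one organization.
// orgId must come from the authenticated session, never from request input.
function scopedSelect(table, orgId, filters = {}) {
  // Table names are interpolated into SQL, so only allowlisted ones pass.
  if (!Object.prototype.hasOwnProperty.call(TABLES, table)) {
    throw new Error(`unknown table: ${table}`);
  }
  if (typeof orgId !== "string" || orgId.length === 0) {
    throw new Error("organization id is required");
  }
  const values = [orgId];
  const where = ["organization_id = $1"]; // tenant predicate is always first
  for (const [col, val] of Object.entries(filters)) {
    // Reject anything not allowlisted, including an attempt to pass
    // organization_id as a filter to override the tenant scope.
    if (!TABLES[table].includes(col)) {
      throw new Error(`filter not allowed: ${col}`);
    }
    values.push(val); // values travel as bind parameters, never as SQL text
    where.push(`${col} = $${values.length}`);
  }
  return {
    text: `SELECT * FROM ${table} WHERE ${where.join(" AND ")}`,
    values,
  };
}

// Constructed sample call: the session's organization plus one caller filter.
console.log(scopedSelect("salaries", "org_123", { effective_year: 2025 }));
```

The returned `{ text, values }` pair matches the shape a PostgreSQL client such as node-postgres accepts for parameterized queries, so call sites never assemble their own WHERE clause.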
Database access is limited to application service accounts. There are no direct internet connections to the production database. Access to production systems is controlled by Evenpay's Data Protection Officer using Google Cloud IAM.
Frequently Asked Questions
Where is my data stored?
In the EU — specifically in Google Cloud's europe-north1 region (Hamina, Finland). Backups are also stored within the EU (multi-region EU).
Is Evenpay ISO 27001 certified?
Yes. Evenpay holds ISO/IEC 27001 certification for our information security management system. Our infrastructure provider (Google Cloud) also holds ISO/IEC 27001 certification and SOC 2 reports — so security is certified at every level.
Can Evenpay employees see my organization's data?
Access to production data is strictly limited. Only authorized personnel whose job responsibilities require it — managed through Google Cloud IAM by our Data Protection Officer — can access production systems. Sensitive personal data is encrypted at the application level with organization-specific keys.
Does Evenpay install anything on our computers?
No. Evenpay is fully browser-based. No client software, plugins, or agents are required.
Updated on: 08/04/2026
