Security

OpenEvidence is committed to carefully protecting and securing your data and ensuring that OpenEvidence.com is always available when you need it. We use a variety of industry-standard technologies and services to safeguard your data from unauthorized access, disclosure, use, and loss, and are constantly monitoring and improving our products and services.

Infrastructure Security and Reliability

Cloud platform security

OpenEvidence's services are primarily hosted on Google Cloud Platform and Vercel, industry leaders providing highly scalable and secure cloud computing platforms. We leverage Google Cloud's secure infrastructure as described in the Google infrastructure security design overview and Google security overview whitepaper. Vercel provides comprehensive Infrastructure Security and Application security protections as described in the Security and Compliance Measures overview.

Reliability

OpenEvidence strives to maintain high operational availability of our products and services.

Data Security and Privacy

User data

OpenEvidence stores and processes user data securely according to our Privacy Policy and Terms of Use.

Data encryption

Data is encrypted in transit and at rest. OpenEvidence uses SSL/TLS to encrypt data in transit and encrypts data at rest using industry-standard encryption algorithms, using strong encryption and authentication (TLS 1.2 with SHA256 certificate). Data is stored within our databases with AES-256. This helps ensure that none of your data can be read by anyone that is not authorized.

Code testing and assessments

OpenEvidence tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities.

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Security control framework review and testing
OpenEvidence completes an external penetration test on an annual basis.

Security Policies

OpenEvidence maintains security polices, which are reviewed annually and updated regularly. These policies include:

  • Asset Management
  • Data Protection
  • Data Retention
  • Information Security
  • Incident Response
  • Risk Assessment
  • Software Development Life Cycle
  • System Access Control
  • Vendor Management
  • Vulnerability Management

OpenEvidence requires annual security training for all employees.

Vulnerability Disclosure

We take all reports of security vulnerabilities seriously and will respond to valid reports as we verify the vulnerability and develop a fix.

Vulnerabilities and security concerns related to OpenEvidence can be responsibly reported to security@openevidence.com. Please include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept.

We welcome security researchers to submit reports of vulnerabilities affecting OpenEvidence.com, the OpenEvidence app, and other properties involved in the processing of user data. Please be aware that bug bounties are typically reserved for confirmed reports of vulnerabilities that are medium or higher severity and offered at the discretion of our information security team. We take into account attack scenario, exploitability, and security impact.

Product
OpenEvidence
Company
About
Announcements
Security
Contact Us
Email
Twitter

Don′t miss our weekly email alert. Stay up to date on all the new findings that matter.

We care about your privacy. View our terms of use.

© OpenEvidence 2025. All rights reserved.

Terms of UsePrivacy Policy

OpenEvidence is an experimental technology demonstrator. OpenEvidence does not provide medical advice, diagnosis or treatment. User questions and other inputs on OpenEvidence are not covered by HIPAA. It is the responsibility of the user to ensure questions do not contain protected health information (PHI) or any information that violates the privacy of any person.