How We Protect Your Data
Last updated: July 5, 2026Community organizations trust Evontar with sensitive member information — names, contact details, financial records, and private communications. We take that responsibility seriously and have built encryption into every layer of the stack, not as an afterthought but as a core design requirement.
Encryption in Transit
All traffic between your browser and Evontar travels over HTTPS, enforced by TLS certificates issued by Let’s Encrypt. HTTP requests are automatically redirected to HTTPS. There is no unencrypted path to any part of the application.
Encryption at Rest
Database
Your community’s structured data — member records, announcements, events, polls, and more — is stored in a Neon-managed PostgreSQL database. Neon encrypts all database storage at rest using AES-256. The encryption keys are managed by Neon’s infrastructure and rotated automatically.
Uploaded Files
Documents, images, and other files you upload are stored in a self-hosted MinIO object store running on our infrastructure. Every object is encrypted at rest using server-side encryption (AES-256). Each object receives its own unique data-encryption key, which is itself wrapped by a master key held in our key management system — an envelope-encryption scheme that means no two objects share the same key.
Sensitive Fields (Application-Level Encryption)
For particularly sensitive personal information — member names, phone numbers, and addresses — we apply an additional layer of AES-256-GCM encryption at the application level before the data ever reaches the database. Even if someone gained raw access to the database rows, these fields would be ciphertext. Encryption and decryption happen in the application process using a key that is never stored in the database itself.
Authentication Security
Passwords
Passwords are hashed using a memory-hard algorithm before storage. We never store your password in plain text, and it is never logged or transmitted after you submit it.
Two-Factor Authentication
Evontar supports time-based one-time password (TOTP) two-factor authentication. When you enable 2FA, your authenticator app secret is encrypted before it is stored, so it cannot be read even from a database backup.
Social Sign-In
If you sign in with Google, Evontar never receives or stores your Google password. We receive only your name and email address via Google’s OAuth 2.0 flow.
Data Isolation
Every piece of data in Evontar is scoped to an organization. Our application enforces this at the database query layer — it is architecturally impossible for one organization to read another organization’s data, even if an authentication bug existed. Access within an organization is further restricted by role: only verified members can see community content, and only board administrators can manage members and settings.
Infrastructure
Evontar runs on Hetzner Cloud infrastructure in Europe. The application, database proxy, object store, and background workers run on private Docker networks — only the HTTPS reverse proxy is internet-facing. Database credentials and encryption keys are injected as environment variables at runtime and are never baked into container images or committed to version control.
Backups
Neon provides continuous database backups with point-in-time restore. Backup data is encrypted using the same AES-256 scheme as live data.
What We Do Not Do
- We do not sell your data to advertisers or data brokers.
- We do not use cross-site tracking cookies.
- We do not send uploaded files to third-party processing services — all uploads remain on our infrastructure.
- We do not store payment card data (payments are not currently a feature).
Reporting a Vulnerability
If you discover a security vulnerability in Evontar, please report it responsibly to security@evontar.com. We will acknowledge your report within 48 hours and work with you on a coordinated disclosure timeline. We do not pursue legal action against researchers who report vulnerabilities in good faith.
Questions
For questions about our security practices, contact us at security@evontar.com. For general privacy questions, see our Privacy Policy.