SECURITY & PRIVACY

Design properties,
not marketing claims.

This page describes how EvoCortexAI is designed — what is structurally true about where data goes and what we claim and do not claim about security.

DESIGN PROPERTIES

What is structurally true when deployed as documented.

These statements describe the architecture. They are verifiable from the system design. They are not blanket guarantees and apply when the system is deployed according to its documented configuration.

Inference runs on hardware you control.
Saturn-Node executes model inference. You own and operate the hardware it runs on. Saturn-Control orchestrates work from your own infrastructure as well.
Data is not sent to EvoCortexAI servers.
By architectural design, prompt and inference traffic routes from the Saturn app to Saturn-Control to Saturn-Node — all on infrastructure you operate. EvoCortexAI does not operate a shared inference backend that processes your data.
No third-party model API is used by default.
The system is designed to run on locally deployed models via Saturn-Node. No third-party AI API is contacted during inference by default configuration.
Saturn-Node has no public API surface.
Execution nodes are not publicly reachable. They connect outward to Saturn-Control via a polling protocol. No inbound port is required on the node. Agents and clients address Saturn-Control only.
Secrets are not stored in the repository or logs.
Credentials, API tokens, and database passwords are injected at runtime from local-only environment files and are explicitly excluded from version control and log output.
WHAT WE DO NOT CLAIM

Claims that require formal verification we have not done.

These are accurate descriptions of what we avoid claiming, and why.

"End-to-end encrypted" — Encryption properties depend on transport configuration (TLS is used on HTTPS paths, but the system does not enforce encryption independently of the deployment).
"Zero-knowledge" — This requires a specific cryptographic protocol design. We make no such claim.
"GDPR compliant" — Compliance depends on specific data flows and legal analysis per use case. We have not conducted a formal GDPR compliance review for the platform as a whole.
"Secure" as a standalone adjective — Security is a property of a specific deployment, configuration, and threat model. We describe design properties; we do not claim the system is unconditionally secure.
"Audited" or "certified" — No third-party security audit has been conducted to date.
RESPONSIBLE DISCLOSURE

Reporting a security issue.

If you find a security issue in EvoCortexAI software or infrastructure, please report it directly. We aim to respond to credible reports within a few business days.

admin@evocortex.ai

Please include a clear description, reproduction steps, and any relevant evidence. We do not currently operate a bug bounty programme.