Evident Harbour is built for regulated workloads. This page lists every third party that processes customer data on our behalf, and the rules everyone agrees to when using the platform.
Last updated: 6/5/2026
The vendors below process customer data strictly to deliver the service. Each is bound by a data processing agreement and assessed against ISO 27001 / SOC 2 expectations.
| Processor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase (via Lovable Cloud) | Managed Postgres database, authentication and storage | Account data, workspace data, risk register, controls, assets, audit logs | EU / US regions (depending on workspace) |
| Cloudflare Workers | Application hosting, SSR runtime and edge delivery | Request metadata, IP addresses (transient), session cookies | Global edge network |
| Lovable AI Gateway | AI model access for assisted authoring and summarization features | Prompt content submitted by users when AI features are invoked | Routed to underlying model providers (Google, OpenAI) |
| Resend | Transactional email (invitations, notifications, password reset) | Recipient email address, message content, delivery telemetry | EU / US |
| Sentry | Error monitoring and performance tracing | Stack traces, user agent, anonymized user ID, request path | EU |
| Lovable platform | Hosting, deployment, preview environments and project storage | Source code, build artifacts, project configuration | EU / US |
We notify workspace owners by email at least 30 days before adding a new sub-processor that handles customer content.
By accessing Evident Harbour you agree to these rules. Violations may result in suspension, content removal or termination, with notice where reasonably possible.
Use the platform only for lawful purposes and in compliance with the laws and regulations applicable to your organization, your workspace data and the people it concerns.
Do not upload, store or transmit content that is unlawful, defamatory, infringes intellectual property, contains malware, exploits a person, or includes special-category personal data (biometric, genetic, health) unless your workspace has agreed an explicit data processing schedule covering it.
Keep credentials confidential, enable multi-factor authentication where available, and report any suspected compromise to security@evidentharbour.com without delay. Do not probe, scan or test the vulnerability of the system without prior written consent.
Do not attempt to disrupt or degrade the service: no denial-of-service activity, no scraping at a rate that materially burdens the platform, no circumvention of authentication, rate limits or tenant isolation, and no reverse engineering of the runtime.
Each workspace is for the use of a single customer organization and its invited members. Do not use a workspace to store data belonging to another organization unless that arrangement is formally documented between both parties.
When AI features are invoked, prompt content is sent to our AI gateway sub-processor (see above). Do not submit content you are not entitled to disclose to a third-party processor, and do not rely on AI-generated output as a substitute for qualified professional judgement.
You may export your workspace data at any time. Audit logs are retained for the lifetime of the workspace and made available on request, subject to authentication and identity verification.
We may suspend access where continued use poses a security, legal or operational risk to the platform or its other users. Where suspension is preventative rather than punitive, we will work with you to restore service as soon as reasonably possible.
We may update this policy and the sub-processor list. Material changes are announced via in-product notice and, where the change affects sub-processing of customer content, by email to workspace owners at least 30 days before taking effect.
Questions? Contact trust@evidentharbour.com.