Built for the regulated parts of healthcare.
Credentialing data represents some of the most sensitive information in a practitioner's career. As an agile, growth-stage company, Evercred prioritizes absolute transparency over conventional compliance marketing. Rather than over-stating future certifications, we provide a clear, real-time view of our current security posture, our active roadmap, and our data protection protocols.
Today, our methodology includes real-time trusted state medical license verification, board-certification tracking, NPI validation via CMS NPPES, DEA registration checks, and continuous OIG / SAM exclusion monitoring (coming soon).
Practitioners own their credential data. Always.
Every credential uploaded to Evercred is owned and controlled by the practitioner. They decide who sees it. They decide when it's shared. They can revoke access at any time.
When a practice receives a credential packet, it's a time-bound, scoped view of that practitioner's wallet — not a copy that lives forever in a database you don't control.
This is the opposite of how legacy credentialing software works. It's also why the model only makes sense if the practitioner trusts us.
We treat that trust as the product.
What's true today, what's on our roadmap.
Two tables. Every row is either a verifiable practice (today) or a formal certification process we're working through (roadmap). Nothing here claims a certification we don't hold.
What's in place today
| Standard / practice | Status | What it means |
|---|---|---|
| Encryption in transit | TLS 1.3 | Every byte of API and browser traffic moving through Evercred is protected by modern, industry-standard transport layer security. |
| Encryption at rest | AES-256 | All credential documents and Protected Health Information (PHI) are fully encrypted when stored. |
| Practitioner data ownership | Architectural | True ownership is baked into our code. Practitioners own and control their individual credential data at the architectural level. It's not a feature toggle we can turn off. |
| Primary-source verification | Standard practice | Every verification is against the original issuing source (state boards, DEA, specialty boards, etc.) — not against practitioner-supplied documents. |
| Access control | Tenant + role-based | No unauthorized data sharing. System access is strictly limited by role, so users only see the credentials assigned to their practice. |
| Audit logs | Every access logged | Total transparency over your data. Every action — a user viewing a credential, a document upload, an AI agent triggering a verification — is logged with absolute attribution. You always know exactly who did what and when, and whether it was a human or an agent. |
| Data residency | United States | All data stored in U.S. cloud regions. |
On the roadmap
| Standard / framework | Status | Notes |
|---|---|---|
| HIPAA alignment + BAA program | In progress | BAAs available on request for enterprise customers. |
| SOC 2 Type II | Roadmap | Standard third-party audit, typically 6–12 months once the audit window opens. |
| HITRUST | Roadmap | Typically pursued after SOC 2. |
| NCQA-aligned credentialing | In progress | Our process aligns to NCQA standards for primary-source verification today; formal NCQA certification is on the roadmap. |
| Joint Commission compatibility | Roadmap | Outputs structured to support Joint Commission credential review processes. |
If you're a healthcare organization that needs a specific certification before you can adopt a vendor — talk to us. We'll tell you exactly where we are, what our timeline is, and whether we can match your requirement at all. No vague answers.
To reach our security team or to request a BAA, email it@evercred.com.
How the platform is built.
| Control | What it means |
|---|---|
| Access control | Role-based access at every layer. Practice administrators see only their practice's data. Practitioners see only their own wallet. Every API call is authenticated and scoped. |
| Audit logs | Every credential view, share, and verification is logged. Practitioners see exactly who viewed what credential and when. Practices get the same audit trail for compliance reviews. |
| Data residency | All Evercred data is stored in U.S. cloud regions. |
| Authentication | Two-factor authentication available on every account. |
| Vendor security questionnaires | We respond to standard healthcare vendor security questionnaires (HECVAT, SIG Lite, custom) within 5 business days. Email it@evercred.com to request. |
Every action is logged with absolute attribution.
Uploads, primary-source queries, packet shares, view events, approvals, expiration alerts — each event is timestamped, attributed (human or agent), and stored on a per-packet activity feed both you and the practitioner can pull at any time.
How we verify credentials.
Our AI agents perform primary-source verification: they query the original issuing source for each credential — the state licensing board for licenses, the DEA for controlled-substance registrations, the specialty board for certifications, and so on.
We do not rely on documents the practitioner uploads as proof of validity. The upload is a starting point; the verification comes from the primary issuing source itself.
This matters because primary-source verification is the standard required by NCQA, the Joint Commission, and most major payers. You want primary sources for your own peace of mind — to make sure your practice is operating safely. A credentialing process that can't show primary-source confirmation is not acceptable. Ours does it with agentic AI and proves it with an immutable audit trail.
Who else has access to your data.
Evercred uses third-party services to run the platform — cloud infrastructure, document storage, transactional email, payments, AI inference, and analytics. We sign Data Processing Agreements (and Business Associate Agreements where applicable) with every subprocessor.
A complete subprocessor list naming each vendor and the data they access is available on request for customers and prospective customers in active procurement review.
Email it@evercred.com to request the list.
Security questions, audits, or vulnerability reports?
Email it@evercred.com. We aim to respond within one business day on standard inquiries.
If you've found a security vulnerability in Evercred, please report it to it@evercred.com. We'll acknowledge within 72 hours and work with you on a coordinated disclosure timeline.