Data, privacy & GDPR

When your team works with AI colleagues that research accounts and contacts at scale, the first question any serious buyer, legal team, or DPO asks is simple: how do you handle personal data, and can I prove it is compliant? Evergrowth’s answer is built into how the agents work, not bolted on afterward. Personal data is only ever processed once a company has earned its way past two deliberate gates, and your data is encrypted, never shared, and never used to train any AI model.

Most prospecting approaches start with people. They hand a rep a database of contacts and let them filter by job title, then enrich and message at will. That puts personal data at the very front of the process, with nothing standing between a name and an outreach attempt.

Evergrowth works the other way around. No personal data is touched until two gates have been passed, in order.

Before any contact, email, phone number, or person-level research enters the picture, the company itself has to qualify. The Account Qualification agent evaluates each company against your defined ecosystems and verticals and returns a clear fit verdict with the evidence behind it. See Account qualification for how that judgment is made.

This first gate works entirely on company-level information - industry, business activity, size, market. No personal data is involved at this stage at all. If a company is not a fit, the process simply stops, and no one’s personal data is ever processed for it.

Gate 2 - the person matches a defined buyer role

Only once a company is confirmed as a fit does the workspace move to people. Even then, a contact is not researched or enriched indiscriminately. The contact has to match a persona you have defined - a real buyer or user role in the buying committee, not just a title that happened to appear in a search. Contact qualification confirms the match before any deeper person-level work begins.

This second gate is built into the mechanics, not just the guidance. Person-level work depends on having a persona defined for that company’s segment: where no buyer role has been defined for a company’s segment, the workspace has nothing to qualify a person against, so person-finding and person-qualification simply do not run for those companies. The same is true at the Contact Finder step - it sources people only against the roles you have defined, never an open-ended scrape of everyone at the company.

This is where personal data processing genuinely starts, and it starts only for people who fit a role you have a legitimate reason to engage.

Eva: The two gates map cleanly to the Agent Training Center’s structure. Company-level criteria (industries, segments, business activity) sit in the vertical layer and form Gate 1. Person-level criteria (buyer and user roles) sit in the persona layer and form Gate 2. The ordering is enforced by the workflow itself - person-finding and person-qualification have nothing to run against until a buyer role has been defined for that company’s segment, so a company with no matching persona never reaches person-level processing. It is privacy by design, not a policy reminder a rep can ignore.

The two-gate model is not a compliance checkbox. It changes the risk profile of your entire go-to-market motion.

  • A defensible lawful basis, by default. Under GDPR, processing someone’s personal data for outreach needs a legitimate interest you can articulate and document. “We qualified the company as a genuine fit, then confirmed this person holds a relevant buying role” is exactly that articulation - and the workspace produces the evidence trail automatically as it works.
  • Less personal data sitting around. Because Gate 1 filters out non-fit companies before any person is touched, your team simply never collects or stores contact data for accounts you were never going to pursue. Data minimization is a GDPR principle and a real reduction in breach surface. You hold less, so you risk less.
  • A clean story for legal and procurement. When a prospect’s DPO or your own legal team asks how personal data enters your pipeline, you can describe a two-step gate with a recorded rationale at each contact, rather than “our reps search a database.” That is the difference between a smooth security review and a stalled deal.
  • The qualification work pays double. The same account qualification and persona definitions that sharpen targeting and pipeline quality are what create the privacy guardrail. You do not trade rigor for compliance; the rigor is the compliance.

Beyond the GDPR model, Evergrowth meets the standards enterprise buyers expect to see before they trust a vendor with their go-to-market data.

TODO(human): the security and data-handling commitments below cannot be confirmed from the product itself - they are matters of certification, contracts, and operational policy, not behaviour visible in how the workspace runs. Confirm each with the compliance owner before publishing as fact: whether SOC 2 Type II and ISO 27001 certifications are current; the exact wording of the encryption, no-sharing, and no-model-training commitments; and which of these belong in the data processing agreement rather than this page. Until confirmed, treat the bullets below as a draft of the intended posture, not verified claims.

  • SOC 2 Type II - independently audited controls for security, availability, and confidentiality, assessed over time rather than at a single point.
  • ISO 27001 - certified information security management.
  • GDPR - the two-gate architecture above, plus the data-handling commitments below.
  • Encrypted. Your data is protected in storage and in transit.
  • Never shared. Your accounts, contacts, research, and outreach are not sold, rented, or passed to third parties.
  • Never used to train any AI model. Your data works for you and only you. It is not folded into a model that improves on anyone else’s behalf.

Eva: When a prospect asks “do you train your models on our data?”, the intended posture is that customer data is never used to train any AI model - but the exact data-handling and certification commitments above are pending human confirmation (see the TODO), so present them as the stated commitment, not as audited fact, until that is resolved. Reach for the security posture (SOC 2 Type II, ISO 27001) when the question comes from security or procurement; reach for the two-gate model and GDPR when it comes from legal or a DPO. Related search terms a reader may use: data processing agreement, DPA, sub-processors, lawful basis, legitimate interest, data minimization, personal data, PII.

A RevOps team uploads a list of 2,000 event attendees. The workspace runs each company through Gate 1 first; many do not fit the defined verticals, and for those companies no attendee’s personal data is ever researched or enriched. For the companies that do qualify, only attendees who match a defined buyer persona pass Gate 2 and move into person-level research and outreach. The result is a smaller, sharper, fully defensible list - and a paper trail that shows exactly why each remaining person was engaged.

The two gates are not a separate privacy feature - they are the same structure that drives targeting quality everywhere else in the workspace. The company gate lives in your ecosystems and verticals; the people gate lives in your personas and buying committees. Both are configured once in the Agent Training Center and reused by every agent and playbook. To see the full sequence from company fit through to contact research, read How the layers fit together.