Trust & Security
Last updated: June 8, 2026
RevPilot is operated by AeLux Holding Pte. Ltd. We take the security of customer data seriously and apply industry-standard controls across our application, infrastructure, and vendor stack. This page describes the technical and organizational measures we have in place today.
Compliance posture
- SOC 2: RevPilot is not currently SOC 2 certified. We follow practices aligned with the SOC 2 Security Trust Service Criteria and are working toward a formal Type II report. This page documents the controls a SOC 2 auditor would evaluate.
- GDPR: We act as a data controller for account data and as a data processor for content you submit. See our Privacy Policy for the legal bases, retention, and your rights.
- HIPAA: RevPilot is not HIPAA compliant. Do not submit protected health information (PHI) to the Service.
Encryption
- In transit: All traffic to RevPilot is served over TLS 1.2+ via Cloudflare. HTTP requests are automatically upgraded to HTTPS. HSTS is enabled on our production domains.
- At rest: Application data is stored in PostgreSQL with AES-256 encryption at rest, managed by our database provider. Object storage (file uploads) is encrypted at rest with AES-256.
- Secrets: Third-party API keys, OAuth client secrets, and webhook secrets are stored in an encrypted secret store and are only accessible to server-side runtime code. They are never bundled into the client.
- Passwords: User passwords are hashed using bcrypt by our auth provider. We never see or store plaintext passwords. Leaked-password protection checks credentials against the Have I Been Pwned database.
Access control
- Row-Level Security (RLS): Every user-facing table in our database has RLS enabled, with policies scoped to the authenticated user (auth.uid()). A user can only read and modify their own rows.
- Role separation: Application roles (admin, user) are stored in a dedicated user_roles table and validated through a security-definer database function to prevent privilege escalation.
- Service-role keys: Privileged database credentials are server-only and never reach the browser. Sensitive tables containing OAuth tokens have no client-facing RLS policies and are accessed exclusively from authenticated server functions.
- Authentication: Email/password and Google OAuth, with optional email verification and password reset. Sessions use short-lived JWTs with refresh-token rotation.
- Least privilege: Internal access to production systems is limited to engineers who need it. Access is reviewed periodically and revoked when no longer needed.
Application security
- Server functions and public API endpoints validate all input with Zod schemas (length, format, type) before processing.
- Inbound webhooks (Stripe, integrations) verify HMAC signatures with timing-safe comparison before any side effects.
- Dependencies are scanned for known vulnerabilities; high and critical findings are patched promptly.
- Automated security scans run against our database schema and RLS policies.
- We use parameterized queries throughout — no string-concatenated SQL.
Infrastructure
- Hosting: Application served via Cloudflare's global edge network with DDoS protection and WAF.
- Database & auth: Managed PostgreSQL hosted in the EU, with automated daily backups and point-in-time recovery.
- Isolation: Production and development environments are separated, with distinct credentials and databases.
- Logging & monitoring: Application and edge logs are retained for operational and security investigations. Errors are tracked and alerted on.
Data handling
- Data minimization: We collect only the data needed to operate the service (account, usage, billing, support).
- Retention: Account and content data are retained while your account is active. On deletion, we remove personal data within 30 days, except where retention is required by law (e.g. invoices).
- Data residency: Primary database and auth services are hosted in the EU (Ireland). Some sub-processors (e.g. Stripe, Google) may process data outside the EU under Standard Contractual Clauses.
- Your rights: You can request access, export, correction, or deletion of your personal data by emailing hello@revpilot.net.
- Restricted data: Do not submit protected health information (PHI), payment card numbers, government-issued IDs, or other regulated data into RevPilot. The service is not designed or certified for these categories.
Sub-processors
We rely on the following sub-processors to operate RevPilot. Each has its own security and compliance posture (most are SOC 2 Type II certified).
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Managed PostgreSQL, authentication, file storage | EU (Ireland) |
| Cloudflare | CDN, DDoS protection, edge runtime, DNS | Global |
| Stripe | Payment processing and subscription billing | US / EU |
| Google (OAuth, Calendar) | Sign-in and optional calendar integration | Global |
| Resend | Transactional email delivery | US / EU |
| Lovable AI Gateway | LLM inference for generation features | US / EU |
| Lovable | Application hosting and deployment | Global |
We update this list as our stack evolves. Contact us if you need to be notified of changes.
Incident response
- We monitor for security events and investigate anomalies promptly.
- If a confirmed personal-data breach affects you, we will notify you and (where applicable) supervisory authorities within 72 hours, as required by GDPR Art. 33–34.
- Report a vulnerability or security concern to hello@revpilot.net. We aim to acknowledge reports within 2 business days.
Business continuity
- Automated daily database backups with point-in-time recovery.
- Stateless application servers can be redeployed within minutes.
- Edge hosting provides geographic redundancy.
Contact
Security questions, vendor due-diligence requests, or DPA requests: hello@revpilot.net.