Revova handles your revenue data, so security is foundational — not an afterthought. Here's exactly how we protect it.
All data is encrypted in transit (TLS 1.2+) and at rest. Sensitive credentials (Stripe keys, SMTP passwords, webhook secrets) are stored encrypted and never exposed in the UI or exports.
Revova only listens for failed-payment events. We never move money, never charge cards on your behalf beyond the standard retry you configure, and never store full card numbers — those stay with your payment processor.
Revova runs entirely on SOC 2 Type II certified providers — Vercel (hosting), Supabase (database), Stripe & Paddle (payments), Resend (email). A formal SOC 2 audit of Revova itself is on our roadmap.
Export all your data as JSON anytime, or permanently delete your account and every record we hold, directly from Settings → Data & Privacy. See our Data Processing Agreement for details.
Every merchant's data is isolated by row-level security in the database. One account can never read another's payments, customers, or settings.
Background jobs use scoped service credentials. Webhook endpoints verify cryptographic signatures (Stripe, Paddle, Braintree) before accepting any event.
Need our Data Processing Agreement or Privacy Policy, or have a security question? Email security@revova.io.
Honest note: a SOC 2 report for Revova itself is not yet available — we're a young product. We build on SOC 2-certified infrastructure and are happy to complete a security questionnaire for enterprise evaluations.