How Revity protects your data

Data handling

• Data minimization: we store only what we need to deliver billing integrity and alerts.
• Tenant isolation for each connected Stripe account; no cross-tenant access.
• Role-based access for internal staff with least-privilege permissions.

Encryption

• TLS 1.2+ for all app, API, and webhook traffic.
• Cloud-provider encryption at rest for databases, backups, and logs.
• Secrets stored in the hosting platform's encrypted secret store.

Application & infrastructure

• Scoped Stripe OAuth tokens; signature-verified webhooks; idempotent handlers.
• Routine dependency updates, CI lint/build checks, and monitoring/alerting.
• Backups with point-in-time recovery per database provider capabilities.

Incident response

• Logging for authentication, webhook processing, and anomaly jobs.
• Security contact: security@revity.app
• We notify affected customers without undue delay if a breach is confirmed.

Vendors & subprocessors

Core vendors include our cloud hosting provider, MongoDB (database), email provider, and analytics. We review vendor security posture and limit shared data to operational necessity. See the DPA for the current list.