Enterprise-grade protection for your customer data, quote history, payment records, and crew timesheets. And a privacy stance you can show a homeowner without hedging.
Running on the same stack as
01/Security benchmark
TLS handshake
At-rest encryption
Row-level isolation
Continuous GPS on crew
100% of traffic on TLS 1.3
256-bit AES at rest
0 breaches to date
24h breach notification SLA
02/Controls
Every control on this page is enforced on every RevCore Pro account. Nothing is a premium add-on. Nothing is configuration the customer has to remember to turn on.
SOC 2 (In progress): Type II audit preparation in progress. Controls mapped to Trust Services Criteria.
TLS 1.3 (No fallback): All traffic encrypted in transit on the latest protocol, with no fallback to older versions.
AES-256 (At rest): Every row, every attachment, every backup encrypted at rest in a US-hosted region.
RLS (Row-level): Enforced at the database layer. A rep physically cannot read another company’s data.
Owner, Manager, Rep, and Tech roles, each limited to the minimum surface they need.
US host (AWS us-east): Vercel edge plus Supabase on AWS us-east. No data transferred abroad without direction.
03/Architecture
The same request path handles a quote lookup, a payment, and a crew clock-in. No secret back-channels, no customer tier that unlocks weaker defaults.
Browser (TLS 1.3)
Vercel Edge (rate-limited)
Next.js Server (auth · RBAC)
Supabase · RLS (AES-256 at rest)
Cross-region backup (AWS us-west)
01 In flight: TLS 1.3, HSTS preload, no TLS 1.2 fallback.
02 In process: Row-level security and service-role isolation on every table.
03 At rest: AES-256 on every row and attachment. Cross-region backups.
04/Principles
01 Every byte encrypted in flight and at rest. Backups stored in a geographically isolated region and verified with automated restoration tests.
02 Row-level security on every table. Service role keys never exposed to the client. Every privileged operation happens server-side and is logged.
03 Sentry with PII scrubbed before send. Rate-limiting on every public endpoint. Dependencies reviewed weekly. On-call runbook already written.
05/How we ship
Security isn't a quarterly review deck. It's enforced in the commit, the PR, and the deploy pipeline — so the engineers who built the product can't ship something unsafe by accident.
2 reviewers required. Every change to auth, billing, or access control needs a second set of eyes before merge.
Weekly dependency review. Automated audit plus a human sweep every Monday. Critical CVEs patched within 72 hours.
100% of PRs behind CI. Typecheck, lint, unit tests, and integration tests all green before a deploy is allowed.
24h breach notification. Material incidents disclosed to affected customers within a calendar day, in plain English.
06/Privacy stance
On Pro and Scale we capture location server-side at exactly three crew events to prove presence. Outside of those, we don't know where your crew is — and we're not asking.
Captured: Clock-in. One fix, verified against the job address.
Captured: Clock-out. One fix, when the crew finishes or leaves.
Captured: Job-site photo. One fix, attached to the photo record itself.
Not captured: Live-location map. Not streamed. Not stored. Not rendered.
Not captured: Driving telemetry. We are not a fleet tool. No braking events.
Not captured: Background location. The phone is not reporting when off the job.
07/Data lifecycle
Step 01: Crew clock-ins, photos, quotes, and payments arrive over TLS 1.3. The server signs and timestamps every event before anything is stored.
Step 02: Data is written through row-level security into an AES-256 at-rest volume. Attachments are encrypted before S3 hands the upload back.
Step 03: Point-in-time snapshots and daily backups are copied to a second AWS region. Backups are restore-tested; a backup that cannot restore is not a backup.
Step 04: You can export your customer, job, and payment data as CSV/JSON at any time, with no support ticket and no retention bait.
Step 05: Account closure triggers a 30-day hold, then a permanent purge across primary, replica, and backups. We publish the clock; we don’t hide it.
08/Transparency
09/Common questions
Last reviewed · Apr 2026 · v3.9 · Signed off by RevCore Pro engineering
09/Signed
Every claim on this page maps to a control we run, a key we hold, or a log line we sign. Start the 14-day trial and the same controls run on your tenant from minute one — same encryption, same audit log, same posture you just read.