Security

Enterprise-grade security for your revenue data.

Your financial data deserves the same protection as your revenue. Here’s exactly how we protect it.

Last reviewed May 2026

The three things that matter most

Encrypted in transit
TLS 1.3 on every connection between you, our application, and our infrastructure. Data never leaves your browser unencrypted.
Encrypted at rest
AES-256 encryption on disk inside our managed Postgres tenant. Backups are encrypted with the same keys and rotated by our provider.
Never shared, auto-deleted
Your contracts and invoices stay yours. We never sell, share, or train models on your data. Uploaded files are auto-purged 30 days after analysis — or immediately on request.

Access & authentication

Row-level security
Every Supabase table enforces row-level policies. A customer can only read rows they own — there is no application-side trust boundary to bypass.
Service keys server-side only
Service-role keys live exclusively in Vercel server functions. The browser never sees them, and they are never logged.
Two-person rule on production
Production database changes require a second approver. All access is audit-logged and reviewed weekly.

Data lifecycle

What we store
The CSVs you upload, the leakage findings derived from them, and your account email. Nothing else.
Where it lives
US-region Supabase Postgres and US-region Vercel functions. Data does not cross borders.
How long
Raw uploads auto-delete after 30 days. Findings persist until you delete your account. Backups roll off after 7 days.
Your controls
Email privacy@revcapture.com for export or deletion — fulfilled within 7 days.

How AI handles your data

  • We use Anthropic Claude (claude-sonnet-4-6) for analysis under enterprise no-train terms.
  • Prompts include only the line items required to detect a finding — no PII beyond what is already in your CSV.
  • Dollar amounts are computed by our deterministic calculator, never by the model.

Compliance & certifications

SOC 2 Type II
Audit in progress. Report available under NDA.
GDPR
Data Processing Addendum available on request.
CCPA
California residents may request export or deletion at any time.

Infrastructure

Hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II, HIPAA-eligible).
All traffic is terminated over TLS 1.3, with HSTS preload.
Secrets are rotated quarterly. No long-lived static credentials.

Responsible disclosure

Found something? Email us with reproduction steps. We respond within 48 hours and credit reporters in our hall of fame once the fix ships.

security@revcapture.com
