Security
Last updated: March 7, 2026
Our Commitment to Security
At RevOG, security is foundational to everything we build. Our industry operates under heightened regulatory scrutiny, and we understand that the sales data, customer records, and business analytics you entrust to our platform require the highest level of protection.
We employ defense-in-depth security practices across our entire stack, from infrastructure to application code, to ensure your data remains secure, private, and available only to authorized users within your organization.
Infrastructure
Our infrastructure is built on industry-leading cloud providers with established security certifications and compliance programs.
- Application hosting — Deployed on Vercel, a SOC 2 Type II compliant platform with automatic DDoS protection, a global edge network, and isolated serverless compute.
- Primary database — Powered by Neon Postgres with encryption at rest, automated backups, and point-in-time recovery. Data is stored in secure, regionally isolated infrastructure.
- Analytics processing — Sales analytics are processed through a dedicated ClickHouse instance, isolated from the primary application database, ensuring that analytical workloads do not affect application performance or security posture.
Authentication & Access
Authentication and access control are managed through Clerk, an enterprise-grade identity platform trusted by thousands of production applications.
- Session-based authentication — Secure, short-lived session tokens with automatic rotation reduce the risk of session hijacking.
- Role-based access control — Organization-level roles (admin, member) ensure users only have access to the features and data appropriate for their role.
- Multi-factor authentication — Support for TOTP authenticator apps and SMS-based verification as a second factor, providing an additional layer of protection for user accounts.
- Single sign-on (SSO) — Enterprise organizations can connect their identity provider for centralized authentication management.
Data Isolation
RevOG is a multi-tenant platform with strict organization-level data isolation enforced at every layer of the stack.
- Every database query is automatically scoped to the authenticated user's organization ID, extracted from their verified session token.
- Organization IDs are never derived from user input or URL parameters — they are always resolved server-side from the authenticated session.
- Cross-tenant data access is architecturally impossible under normal operation. There are no shared data views or queries that span multiple organizations.
- Analytics data in ClickHouse follows the same isolation model, with every record tagged and filtered by organization.
Encryption
All data is encrypted both in transit and at rest to protect against interception and unauthorized access.
- Data in transit — All connections to the RevOG platform use TLS 1.2 or higher. HSTS headers are enforced to prevent protocol downgrade attacks.
- Data at rest — All database storage uses AES-256 encryption. Backups are encrypted with separate keys and stored in access-controlled locations.
- Sensitive values — API keys, integration tokens, and other sensitive credentials are encrypted before storage and are never logged or exposed in application output.
Application Security
Our application is built with security best practices integrated into the development lifecycle.
- Dependency management — Automated monitoring and regular updates of all third-party dependencies to patch known vulnerabilities.
- Input validation — All user inputs are validated and sanitized on the server side to prevent injection attacks, including SQL injection and cross-site scripting (XSS).
- CSRF protection — Cross-site request forgery tokens are enforced on all state-changing operations to prevent unauthorized actions.
- Content Security Policy — Strict CSP headers limit the sources of executable scripts and other resources, mitigating XSS and data injection attacks.
- Secure headers — Additional security headers including X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are configured to harden the application against common web attacks.
Responsible Disclosure
We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you believe you have found a security issue in our platform, please report it to security@revog.com.
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots that demonstrate the vulnerability
- Your contact information for follow-up
We ask that you:
- Allow us reasonable time to investigate and address the issue before public disclosure
- Avoid accessing, modifying, or deleting data that does not belong to you
- Refrain from actions that could degrade the availability of our services
We commit to acknowledging receipt of your report within two business days and will keep you informed of our progress toward resolution.
Contact
For security-related inquiries or to report a vulnerability, contact us at security@revog.com.
For general questions about our data practices, see our Privacy Policy.