Security

Effective Date: 19 June 2026Version: 1.3.6

How RevvTik protects Customer Data. This page is a high-level summary; enterprise customers may request detailed questionnaires, our DPIA, and policies under NDA.

Encryption

  • In transit: Data is protected in transit using industry-standard TLS encryption between browsers, API clients, and RevvTik services.
  • At rest: Sensitive customer content—including transcripts, AI analyses, coaching insights, integration credentials, and selected account fields such as email addresses and display names—is encrypted at rest using industry-standard encryption. Production environments are configured to require encryption for sensitive data fields.
  • Key management: Encryption keys and third-party credentials are managed as production secrets, stored in secure deployment configuration or a secrets manager, and rotated according to documented operational procedures.
  • Backups: Where database or storage backups are enabled, they use provider encryption-at-rest options and follow applicable backup retention and purge procedures aligned with our erasure commitments.

Access control

  • RBAC: Admin, Manager, and Salesperson roles with tenant isolation. Salespeople see their own calls; managers see their team; tenant admins can access organisation calls for administration, quality review, and compliance, including transcripts where your deployment stores them.
  • Least privilege for staff: RevvTik engineering does not have standing access to production transcript content. Support / engineering access to Customer Data is time-limited, justified, approved, and logged with an approval reference.
  • Authentication: Customer workspace sign-in uses a server-side session model. After successful authentication (email and password and/or Google OAuth, where enabled), RevvTik issues a short-lived signed access token (JSON Web Token, JWT) in an HttpOnly cookie named `rt_at` (fifteen (15) minutes) and a rotating opaque refresh token in a separate HttpOnly cookie named `rt_rt` (up to seven (7) days of inactivity, or until you sign out). Refresh tokens are stored only as cryptographic hashes in our database; if a revoked refresh token is reused, the session is ended for security. JWT access tokens are sent automatically by your browser on API requests and are not stored in `localStorage` or `sessionStorage`. For UI convenience, a minimal user profile (such as display name and role) may be cached locally without session secrets. Passwords are hashed with industry-standard algorithms. Sensitive organisation actions (such as permanent deletion) require step-up verification (for example a one-time code). Login attempts are rate-limited to reduce brute-force risk.

Audio handling

Uploaded or ingested meeting media is processed for transcription and then deleted promptly after transcription processing completes, subject to temporary retry, integrity-check, or cleanup operations required for reliable processing. The underlying file is removed and the recording reference is cleared from our systems. Scheduled cleanup processes sweep for orphaned files to reduce retention risk. Deletion events are logged as compliance evidence.

Retention & growth tracking

  • Default: transcripts, AI analyses, scores, and coaching insights are retained for up to 24 months from creation, then automatically deleted. This default supports historical comparison so users can see growth, what coaching produced results, and where to improve.
  • Org-configurable: tenant administrators may set the organisation retention window to 12 / 18 / 24 months in Org settings. The automated retention process applies that value per organisation, falling back to 24 months when no organisation-specific setting has been saved, not a second hidden “platform minimum” layered on top.
  • Pre-deletion notice: retention processes may emit advance notices for operators, such as operational logs or deduplicated records, approximately 30 days ahead where configured. This is primarily admin-facing today.
  • On verified account or organisation deletion, Customer Data is deleted from primary application systems within 30 days, subject to technical and legal retention constraints. Backup copies may persist through backup retention and rotation cycles, typically not exceeding a further 30 days, and are protected from normal use until overwritten or purged.
  • For verified individual erasure requests, RevvTik will respond within the applicable legal timeframe and delete or anonymise personal data where required, subject to legal exceptions, technical constraints, and the Customer's role as controller.

Audit logging

We log access events, including who accessed which resource and when, without writing transcript text or score reasoning into application logs, to avoid creating an uncontrolled secondary store of personal data. Audit logs are retained for up to 12 months, are themselves protected, and can be exported in a scoped form on request for enterprise customers.

AI processing & sub-processors

AI inference is performed via configured providers, such as OpenAI or Azure OpenAI for analysis and AssemblyAI for transcription. Audio is sent to AssemblyAI’s EU API endpoint for transcription processing. RevvTik does not use Customer Data to train its own models. Third-party training and logging settings depend on each provider’s product tier and account configuration: we select no-training or limited-retention options where the vendor offers them and document the active sub-processors at Sub-processors. Cross-border transfers rely on appropriate safeguards, such as SCCs, and supplementary measures where applicable.

Incident response & breach notification

We maintain an incident response process with detection, triage, containment, and notification steps. Where GDPR applies and RevvTik acts as processor, we notify affected Customers, as controllers, within 72 hours of becoming aware of a personal data breach, with the information needed for their Art. 33/34 obligations. Where RevvTik acts as controller, we notify the competent supervisory authority within 72 hours where required. The process is reviewed periodically and updated as the platform changes.

Vulnerability reporting

Suspected vulnerabilities can be reported to support@revvtik.com. We will acknowledge within 72 hours and coordinate disclosure responsibly.

Roadmap

SOC 2 Type II and ISO 27001 alignment are targets for enterprise procurement; contact your account team for the latest status.

Related: Trust center · Privacy Policy · DPA · Sub-processors