Our posture
- Least-privilege access for every human and every service.
- All secrets in a managed vault. No secrets in repos, ever.
- Hardware-backed MFA required for every RVLS account.
- Full-disk encryption on all endpoints, managed by MDM.
- Signed commits and branch protection on client repos.
Data handling
- Client production data stays in the client's environment.
- We use scrubbed or synthetic data for local development.
- Row-level security is the default for multi-tenant apps.
- PII is redacted at ingest before hitting any third-party service.
Responsible disclosure
Email security@rvlstech.com with a description, reproduction steps, and any proof-of-concept you're willing to share. We acknowledge within one business day and target a fix or mitigation within 30 days for high-severity issues.
Safe harbor
We won't pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure.