Security

Security isn't a checkbox at handoff — it's the way we work every day. This page describes our posture, our commitments, and how to reach us if you find something we missed.

Our posture

  • Least-privilege access for every human and every service.
  • All secrets in a managed vault. No secrets in repos, ever.
  • Hardware-backed MFA required for every RVLS account.
  • Full-disk encryption on all endpoints; managed by MDM.
  • Signed commits and branch protection on client repos.

Data handling

  • Client production data stays in the client's environment.
  • We use scrubbed or synthetic data for local development.
  • Row-level security is the default for multi-tenant apps.
  • PII is redacted at ingest before hitting any third-party service.

Responsible disclosure

Email security@rvlstech.com with a description, reproduction steps, and any proof-of-concept you're willing to share. We acknowledge within one business day and target a fix or mitigation within 30 days for high-severity issues.

Safe harbor

We won't pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure.
