Trust & compliance

Security at RevIQ

Revenue infrastructure runs on trust. RevIQ is independently audited to SOC 2 Type II — an auditor’s opinion on how our controls operate over time, not a one-day snapshot — so the partners who route spend and inventory through us can prove our controls, not just take our word for it.

Last updated June 2026 · security.txt

Certifications

RevIQ is independently audited to SOC 2 Type II every year, and operates under GDPR and CCPA / CPRA. ISO 27001 certification is in progress. The full SOC 2 Type II report, our latest penetration-test summary, and the current subprocessor list are available to customers and prospects under NDA — request the report directly.

How we secure your data

SOC 2 is the audit; these are the practices it tests, and they run continuously:

  • Encryption — TLS 1.2+ in transit and AES-256 at rest, with managed key rotation.
  • Least-privilege access — SSO, enforced MFA, and role-scoped access reviewed on a regular cadence.
  • Continuous monitoring — centralized, tamper-evident audit logs with automated alerting on anomalous activity.
  • Testing — independent annual penetration tests plus continuous dependency and image scanning.

Details of our secure SDLC, incident response, subprocessor governance, and backup & recovery are documented in our SOC 2 Type II report, available to customers under NDA on request.

Data, privacy & residency

Personal data moves through RevIQ under region-aware consent (CMP / TCF) honored end to end, with data minimization — we collect only what the service requires. We support GDPR and CCPA / CPRA data-subject requests, and a Data Processing Agreement (DPA) is available to every customer.

You choose where your data lives. Pin a workspace to the United States or the European Union at setup: operational data stays in the region you pick, while a small set of account metadata is always handled in the US. The choice is permanent.

Transparency

Verify rather than take our word for it — request our reports and controls documentation under NDA, and watch the platform in real time on our status page.

Reporting a vulnerability

We welcome reports from security researchers and triage every submission. Good-faith research is authorized — we won’t pursue legal action for it. Email [email protected] or read our security.txt.

FAQ

Is my data encrypted?

Yes. Everything is encrypted in transit with TLS 1.2+ and at rest with AES-256, with managed key rotation.

How can I access, export, or delete my data?

Email [email protected] with a data-subject request and we’ll process access, transfer, or deletion in line with GDPR and CCPA / CPRA.

Can I get the SOC 2 report?

Yes — it’s shared with current and prospective customers under NDA. Contact us to request it.