Security at Revzio

Draft — review before publishing

This Trust Center is a working draft. Resolve every [verify] / [confirm] marker (most are on the Subprocessors and Compliance pages) and have it reviewed before pointing trust.revzio.ai at it.

Revzio operates a multi-tenant FinOps platform that reconciles billing, ERP, and bank data on behalf of customer organizations. Because that means handling financial and accounting records, security and privacy are core to how the product is built and run. This page summarizes our posture; the full policy set and audit evidence are available to customers and auditors under NDA — see how to request documents.

At a glance

Area | Summary
Data isolation | Every tenant's data is isolated at the database layer with PostgreSQL Row-Level Security, scoped by organization.
Encryption | TLS 1.2+ in transit; AES-256 at rest. External ERP/billing credentials are encrypted with AES-256-GCM.
Access control | Least-privilege access, SSO-based authentication, enforced password strength, and login lockout.
Monitoring | Edge intrusion detection/prevention; centralized logging and monitoring.
Subprocessors | A maintained register of subprocessors with the data each handles and their attestations.
Policies | A management-approved, version-controlled information security & privacy policy set, reviewed at least annually.
Compliance | See our certifications status and roadmap.

How we approach security

  • Documented & reviewed. Our policies are authored as version-controlled documents, approved through review, and reviewed at least annually or on significant change. The full index is on the Policies page.
  • Privacy by design. We collect the minimum data needed to deliver the service, process it under a Data Processing Agreement, and maintain a current register of the subprocessors involved.
  • Defense in depth. Network controls, tenant isolation, encryption, least-privilege access, and monitoring are layered rather than relied on individually. A high-level view is on the Architecture Overview.
  • Honest roadmap. Where a control is planned rather than already certified, we say so — see Compliance & Certifications.

Data Processing Agreement

Our DPA is available at revzio.ai/dpa. Customers requiring a signed copy or a custom DPA should contact us below.

Requesting documents

The detailed policies, architecture documentation, and (when available) independent audit reports are shared with customers and prospects under NDA. To request them, email security@revzio.ai with your company and the documents you need.


Last updated: [set on publish] · Owner: [FILL]