Revv Trust Center

Security and privacy of user data are our #1 concern

Revv continuously works to integrate security measures into all of its operations and processes, across both its product and its website. Security is the key to running a business: it instills confidence in users, third-party consultants, collaborators, and even employees, and it builds trust.

PRIVACY

At Revv, we understand the importance of customer data and ensure that privacy and confidentiality are maintained. Revv’s privacy policy lists what data we collect from our customers, where it is stored, why it is collected, how it is used, and whom it is shared with. If you wish to know more about user data (its processing, or exercising your rights) under the privacy policy, or wish to report an issue, email us at support@revv.so

COMPLIANCE

InfoSec Certifications

Revv is hosted in Amazon Web Services (AWS) Data Centers (DCs). The AWS compliance program describes the controls AWS has put in place to ensure security and compliance for its cloud infrastructure. It gives customers insight into the compliance and audit standards AWS meets, through government-focused, audit-friendly service features and compliance enablers that build on traditional programs and allow customers to operate securely in an AWS environment.

AWS DCs are ISO 27001:2013, SAS 70/SSAE 16 and PCI DSS certified, and are EU GDPR compliant. More details on these certifications and compliance programs are available at https://aws.amazon.com/compliance/programs/

Revv is building its systems to be compliant with the ISO 27001:2013 and SAS 70 (SOC 2) standards; the certification work is currently under review.

Electronic Signature Compliance

Revv provides eSignature services to compliance-driven industries in partnership with OneSpan. OneSpan’s eSignature service meets global eSignature compliance standards and provides its users with a secure and efficient solution. Below is a list of the eSignature laws and regulations that are complied with so that users get safe and secure eSignature transactions.

1. North America and Europe

ESIGN Act or Electronic Signatures in Global and National Commerce Act

In 2000, the United States passed the ESIGN Act (Electronic Signatures in Global and National Commerce Act), a federal law validating the use of electronic signatures and records for commercial transactions. Implementing the act required all 50 US states to adopt a uniform eSignature process, with the assurance that records are valid in a court of law on the basis of electronic signatures alone.

UETA Act or Uniform Electronic Transactions Act

The UETA (Uniform Electronic Transactions Act) was implemented to ensure the validity of electronic contracts and electronic signatures, and it goes hand in hand with the ESIGN Act. UETA gives US states a framework for determining the legality of an electronic signature in both commercial and government transactions. OneSpan Sign electronic signatures comply with UETA.

eIDAS or Electronic Identification and Trust Services Regulation

OneSpan electronic signatures comply with Regulation (EU) 910/2014, the eIDAS (Electronic Identification and Trust Services) Regulation, which replaced the former Directive 1999/93/EC. eIDAS sets specific legal criteria for eSignatures and defines three levels of electronic signature: simple, advanced, and qualified. Under the regulation, just as a handwritten signature satisfies the requirements for paper-based data, an advanced electronic signature backed by a qualified certificate satisfies the legal requirements for a signature on data in electronic form.
2. India

The Information Technology Act, 2000 (IT Act) was enacted in India mainly to regulate cyber activities. It also gives legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which use alternatives to paper-based methods of communicating and storing information, and it facilitates the electronic filing of documents with government agencies.

3. Global regulations

With the world moving towards digital ways of working, countries across the globe are implementing laws and regulations to make electronic records and transactions legally binding and valid. The specific regulations differ from country to country.

Payment Compliance

Revv handles all of its payment operations via Stripe. Revv does not process credit card information itself; Stripe directly manages all payment processing that takes place in Revv. Stripe is certified against the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard overseen by the PCI Security Standards Council. Such certification is mandated by the card brands and administered by the Payment Card Industry Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. This compliance ensures a secure payment process and assures customers that their sensitive payment card information is safe.

Periodic Compliance Audit

Revv conducts a periodic compliance/infosec audit, in which the specific members of the engineering team who have access to the database are trained in infosec protocols and best practices.

There is also an internal audit at a 6-month cadence, in which the security policies are reviewed along with remediation steps.

Information Security and Infrastructure 

Data encryption

  • Data at rest - The data stored in AWS RDS is encrypted with the AWS Key Management Service (KMS), a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys. The data we store in S3 uses server-side encryption (SSE-S3). The integration with AWS CloudTrail provides logs of all key usage to help meet regulatory and compliance needs.

  • Data in transit - Data in transit is encrypted using HTTPS with TLS 1.2 (TLS 1.1 is disabled).

  • Data transfer policy - In case of a change in the data storage location, the customer will be notified 30 days in advance, requesting them to accept the change in location within 10 days from the notification.

  • Data retention policy - With Revv’s data retention policy, we expect to retain data for a period of 6 years. Upon receipt of an explicit request for deletion, the application data shall be removed from the system within 90 days. Revv’s systems and processes are built to be compliant with these policies.

  • Data backup - The database is replicated in real time to a secondary AWS zone. AWS RDS takes backups for point-in-time recovery covering the previous 7 days.

  • Data destruction - Backups are auto-deleted by AWS as part of the RDS managed service.
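The controls listed above can be checked as code rather than taken on trust. The following is an added example, not Revv’s code: each function evaluates the response shape of the AWS API named in its docstring (rds:DescribeDBInstances, s3:GetBucketEncryption, elbv2:DescribeSSLPolicies), so it runs offline against constructed samples; in a live audit you would pass boto3 output instead. The TLS check assumes TLS is terminated on an AWS load balancer, which the page does not state, and all resource names and key IDs are constructed.

```python
"""Evidence checks for the data-at-rest and data-in-transit statements.

Added example, not Revv's code. The functions evaluate the response shapes
of the real AWS APIs so they can run offline against the constructed
samples below; in a live audit you would feed them boto3 output instead.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # which stated control the finding relates to
    resource: str  # resource identifier
    ok: bool       # True if the evidence matches the stated control
    detail: str    # what was actually observed


def check_rds_encryption(describe_db_instances: dict) -> list:
    """Evaluate rds:DescribeDBInstances output: every instance must have
    StorageEncrypted=True and a KMS key attached (data at rest via KMS)."""
    findings = []
    for db in describe_db_instances.get("DBInstances", []):
        name = db.get("DBInstanceIdentifier", "<unknown>")
        encrypted = bool(db.get("StorageEncrypted", False))
        kms_key = db.get("KmsKeyId")
        findings.append(Finding(
            control="rds-at-rest-kms",
            resource=name,
            ok=encrypted and kms_key is not None,
            detail=f"StorageEncrypted={encrypted}, KmsKeyId={kms_key}",
        ))
    return findings


def check_s3_default_encryption(bucket: str, get_bucket_encryption: dict) -> Finding:
    """Evaluate s3:GetBucketEncryption output. SSE-S3 appears as SSEAlgorithm
    'AES256' and SSE-KMS as 'aws:kms'. An empty dict stands for the
    ServerSideEncryptionConfigurationNotFoundError the live API raises when
    a bucket has no default encryption rule."""
    rules = (get_bucket_encryption
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    algorithms = [a for a in algorithms if a]
    return Finding(
        control="s3-at-rest-sse",
        resource=bucket,
        ok=bool(algorithms) and all(a in ("AES256", "aws:kms") for a in algorithms),
        detail=f"default SSE algorithms: {algorithms or 'none'}",
    )


def check_tls_policy(ssl_policy: dict) -> Finding:
    """Evaluate one entry of elbv2:DescribeSSLPolicies (assumed termination
    point). The stated control is TLS 1.2 with TLS 1.1 disabled: TLS 1.2 must
    be offered and no legacy protocol may be."""
    protocols = set(ssl_policy.get("SslProtocols", []))
    legacy = protocols & {"SSLv3", "TLSv1", "TLSv1.1"}
    return Finding(
        control="in-transit-tls12",
        resource=ssl_policy.get("Name", "<unnamed policy>"),
        ok="TLSv1.2" in protocols and not legacy,
        detail=f"protocols={sorted(protocols)}, legacy={sorted(legacy) or 'none'}",
    )


# Constructed sample responses: shapes follow the AWS APIs, values are made up.
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]}
SAMPLE_S3 = {
    "docs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "scratch-bucket": {},  # no default encryption configured
}
SAMPLE_TLS = [
    {"Name": "tls12-only", "SslProtocols": ["TLSv1.2"]},
    {"Name": "tls11-allowed", "SslProtocols": ["TLSv1.1", "TLSv1.2"]},
]


def run_all() -> dict:
    """Run every check over the samples; returns {resource: ok}."""
    findings = check_rds_encryption(SAMPLE_RDS)
    findings += [check_s3_default_encryption(b, r) for b, r in SAMPLE_S3.items()]
    findings += [check_tls_policy(p) for p in SAMPLE_TLS]
    for f in findings:
        print(f"{'PASS' if f.ok else 'FAIL'} {f.control:18} {f.resource}: {f.detail}")
    return {f.resource: f.ok for f in findings}


if __name__ == "__main__":
    run_all()
```

A check like this belongs in the periodic audit described later on this page: run against live API output it turns each bullet above into a pass/fail line with the evidence attached, and a new unencrypted instance or a bucket without a default encryption rule shows up as a FAIL rather than going unnoticed.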

Authentication Method

AWS Cognito User Pools is a standards-based identity provider and supports identity and access management standards such as OAuth 2.0, SAML 2.0, and OpenID Connect. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.

Incident reporting

Security incidents are a serious concern at Revv and are dealt with the utmost seriousness. We encourage our users and employees to be aware of and careful with phishing emails, spam, unsafe websites, and the like, and to report any suspicious activity, incident, or concern as soon as possible. Reporting such concerns is the ultimate protective shield against cybercrime.

Here are some signs of emails and websites that could lead to security incidents:

  • Fraudulent emails - You might receive a fraudulent email purporting to be from Revv that asks you to click a link or share particular information. Hover over the link in the email to see the destination you will reach if you click it. All links from Revv lead to the revv.so domain.

  • Email attachments - Email notifications sent from Revv for eSigning a document never have file attachments. Do not open or download such files on your device.

  • False sense of urgency - Creating a false sense of urgency is the most common trait of a phishing email. Even in a genuinely urgent case, you will be contacted specifically by the account manager you have been in touch with since you became a Revv user.

  • Spelling errors in email - Fraudulent emails often contain many spelling mistakes, missing words, grammatical errors, gaps in logic, and so on, written that way to evade spam filters.

  • Unsafe sites - A secure website’s URL begins with “https”. If you don’t see that in the website link, you are likely not on a secure connection.
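Most of these signs can be checked mechanically before anyone clicks. The following is an added example, not Revv’s code: it screens a raw email for links that do not land on revv.so (the domain the page names), link text that claims one destination while the href goes to another, plain-http links, urgency wording, and any attachment on what presents itself as an eSign notification. The spelling-error sign is left out, since it needs a dictionary. The two sample messages, all addresses other than the revv.so domain, and the phrase list are constructed.

```python
"""Screen an inbound e-mail for the phishing signs listed on this page.

Added example, not Revv's code. Sample messages, addresses and the
urgency-phrase list are constructed; revv.so is the domain the page names.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "revv.so"  # the page states all Revv links land on this domain
# Constructed phrase list; tune it to the notifications you actually receive.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent action")


def on_trusted_domain(url: str) -> bool:
    """True only for revv.so itself or a subdomain of it; revv.so.evil.example is not."""
    host = (urlparse(url).hostname or "").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def screen_email(raw: str) -> list:
    """Return human-readable flags for one raw RFC 5322 message; [] means none."""
    msg = message_from_string(raw, policy=default)
    flags = []
    text = msg["Subject"] or ""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        text += "\n" + html
        collector = LinkCollector()
        collector.feed(html)
        for href, label in collector.links:
            if not on_trusted_domain(href):
                flags.append(f"link leaves {TRUSTED_DOMAIN}: {href}")
            if urlparse(href).scheme == "http":
                flags.append(f"plain-http link: {href}")
            # Visible text that looks like a URL but points somewhere else.
            if label.startswith("http") and urlparse(label).hostname != urlparse(href).hostname:
                flags.append(f"link text {label!r} hides destination {href}")
    plain_part = msg.get_body(preferencelist=("plain",))
    if plain_part is not None:
        text += "\n" + plain_part.get_content()
    lowered = text.lower()
    flags += [f"urgency wording: {p!r}" for p in URGENCY_PHRASES if p in lowered]
    attachments = [a.get_filename() for a in msg.iter_attachments()]
    if attachments:  # Revv eSign notifications carry no attachments
        flags.append(f"unexpected attachments: {attachments}")
    return flags


def build_sample(from_addr: str, subject: str, html: str, attach: bool) -> str:
    """Construct a test message; not real Revv mail."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please review the document.")
    msg.add_alternative(html, subtype="html")
    if attach:
        msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                           subtype="pdf", filename="agreement.pdf")
    return msg.as_string()


LEGIT = build_sample(
    "notifications@revv.so", "Document ready for signature",
    '<p>Open it here: <a href="https://app.revv.so/sign/EXAMPLE">Review document</a></p>',
    attach=False)

SUSPICIOUS = build_sample(
    "notifications@revv-so.example",
    "Urgent action: sign within 24 hours or your account will be suspended",
    '<p>Sign <a href="http://revv.so.login.example/sign">https://app.revv.so/sign</a> immediately.</p>',
    attach=True)


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(name, screen_email(raw) or "no flags")
```

The domain test deliberately compares the parsed hostname rather than searching the URL for the string “revv.so”, which is why a lookalike such as revv.so.login.example is flagged; the hover-over advice above is the manual version of the same comparison.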

If you suspect that someone is impersonating or misusing your Revv account, change your password immediately and report the incident to the incident reporting team.

If it’s suspicious, you tell us!

A dedicated incident reporting team can be reached at security@revvsales.com

Permissions and Audit trails

Knowing who is doing what, and being able to control what users can access within the system, is important. Revv equips users with the ability to manage access to documents and accounts, and to track document status with timestamps:

Role-based authority - While it’s critical to keep your data safe, you also need to control who can access that data. As a user, Revv lets you customize the access settings for your documents, so you manage who can view which document and what actions they can take. Revv adds a further safety net by allowing users to enable two-factor authentication for every document transaction that takes place in the Revv ecosystem.

Audit trail - Every document in Revv comes with an activity tracker that keeps a real-time record of activity such as who opened the document, how many times it was opened (with the exact date and time), who eSigned the document, and who hasn’t. You can check the activity tracker both while the document is being created and after it is sent for signature. This non-editable trail records every action on the document and can serve as defensible proof of access and signature.
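The page says the trail is non-editable and can serve as proof; it does not say how that property is achieved. One common way to make an activity log tamper-evident, assumed here and not claimed to be Revv’s implementation, is a hash chain: each entry commits to the previous entry’s hash, so editing or removing any entry invalidates every hash after it. The following added example (not Revv’s code) builds such a trail for one document, answers the questions the tracker above is described as answering, and shows two simulated modifications being detected. Document IDs, actors and timestamps are constructed.

```python
"""Tamper-evident document activity trail (added example; not Revv's code).

A hash chain is assumed as the mechanism; the page only states the trail
is non-editable. All identifiers and timestamps below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class TrailEntry:
    seq: int         # position in the trail
    timestamp: str   # ISO 8601, UTC
    actor: str       # who acted (constructed addresses below)
    action: str      # "opened" or "signed" in this example
    prev_hash: str   # hash of the preceding entry, GENESIS for the first
    hash: str        # SHA-256 over this entry's fields and prev_hash


def entry_hash(seq, timestamp, actor, action, prev_hash) -> str:
    """Canonical JSON so the hash does not depend on key order or whitespace."""
    payload = json.dumps(
        {"seq": seq, "ts": timestamp, "actor": actor, "action": action, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DocumentTrail:
    """Append-only activity trail for one document."""

    def __init__(self, document_id: str, recipients):
        self.document_id = document_id
        self.recipients = set(recipients)  # people expected to sign
        self.entries = []

    def record(self, actor: str, action: str, timestamp: Optional[str] = None) -> TrailEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = TrailEntry(seq, ts, actor, action, prev, entry_hash(seq, ts, actor, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; returns (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_hash(e.seq, e.timestamp, e.actor, e.action, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.hash != expected:
                return False, i
            prev = e.hash
        return True, None

    # The questions the page says the activity tracker answers.
    def open_counts(self) -> dict:
        counts = {}
        for e in self.entries:
            if e.action == "opened":
                counts[e.actor] = counts.get(e.actor, 0) + 1
        return counts

    def signed(self) -> set:
        return {e.actor for e in self.entries if e.action == "signed"}

    def pending_signers(self) -> set:
        return self.recipients - self.signed()


def demo() -> dict:
    """Constructed trail, then two simulated modifications that verify() must catch."""
    trail = DocumentTrail("doc-EXAMPLE", ["alice@example.com", "bob@example.com"])
    trail.record("alice@example.com", "opened", "2024-01-10T09:00:00+00:00")
    trail.record("alice@example.com", "signed", "2024-01-10T09:05:00+00:00")
    trail.record("bob@example.com", "opened", "2024-01-10T10:00:00+00:00")
    trail.record("bob@example.com", "opened", "2024-01-11T08:30:00+00:00")
    intact, _ = trail.verify()

    # Editing who signed: the stored hash no longer matches the recomputed one.
    edited = DocumentTrail(trail.document_id, trail.recipients)
    edited.entries = list(trail.entries)
    edited.entries[1] = replace(edited.entries[1], actor="mallory@example.com")
    edited_ok, edited_bad = edited.verify()

    # Removing a middle entry: the next entry's seq and prev_hash no longer line up.
    gapped = DocumentTrail(trail.document_id, trail.recipients)
    gapped.entries = trail.entries[:2] + trail.entries[3:]
    gapped_ok, gapped_bad = gapped.verify()

    return {
        "intact": intact,
        "open_counts": trail.open_counts(),
        "signed": trail.signed(),
        "pending": trail.pending_signers(),
        "edited_detected_at": None if edited_ok else edited_bad,
        "gap_detected_at": None if gapped_ok else gapped_bad,
    }


if __name__ == "__main__":
    print(demo())
```

One caveat a reviewer of such a trail would raise: a hash chain detects edits and deletions in the middle, but silently dropping the newest entries leaves a chain that still verifies. Anchoring the latest hash somewhere the application cannot rewrite (a signed timestamp, a write-once store, or a counter-signature by the recipient) is what turns “non-editable” into something a third party can check.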

Security Team

Revv engages qualified (including CISA, CISSP, and CEH certified) and experienced external security professionals on an as-needed basis to ensure all safety standards are met and to assess whether any further security measures need to be implemented or improved.

Revv also conducts Information Security and Privacy training for all new employees with refreshers annually.