Security at RevvDoctor
How we protect your dealership's data. Last updated: July 2026
Encryption in transit & at rest
All traffic is served over TLS 1.2+. Data stored in our managed Postgres (Supabase) is encrypted at rest with AES-256.
Row-level access control
Every dealer's data is isolated with Postgres Row Level Security. A user can only ever read or write rows scoped to their own account.
Managed, hardened infrastructure
We run on Vercel and Supabase — SOC 2 Type II certified providers. We do not operate our own physical servers or store card data (payments are handled by Stripe).
Least-privilege secrets
Service-role keys and API tokens are held server-side only, never exposed to the browser, and scoped to the minimum access each function needs.
Payments
We never see or store your card details. All subscription billing is processed by Stripe, a PCI-DSS Level 1 certified payment provider. RevvDoctor only receives a tokenised customer reference.
Authentication
Accounts are secured with email + password authentication managed by Supabase Auth, including email verification and secure password reset flows. Sessions are protected with httpOnly cookies.
Responsible disclosure
Found a vulnerability? We want to hear from you before anyone else does. Email security@revvdoctor.com with details and steps to reproduce. We aim to acknowledge reports within 48 hours and will not pursue action against good-faith security research.