Security

Security at RevvDoctor

How we protect your dealership's data. Last updated: July 2026

Encryption in transit & at rest

All traffic is served over TLS 1.2+. Data stored in our managed Postgres (Supabase) is encrypted at rest with AES-256.

Row-level access control

Every dealer's data is isolated with Postgres Row Level Security. A user can only ever read or write rows scoped to their own account.

Managed, hardened infrastructure

We run on Vercel and Supabase — SOC 2 Type II certified providers. We do not operate our own physical servers or store card data (payments are handled by Stripe).

Least-privilege secrets

Service-role keys and API tokens are held server-side only, never exposed to the browser, and scoped to the minimum access each function needs.

Payments

We never see or store your card details. All subscription billing is processed by Stripe, a PCI-DSS Level 1 certified payment provider. RevvDoctor only receives a tokenised customer reference.

Authentication

Accounts are secured with email + password authentication managed by Supabase Auth, including email verification and secure password reset flows. Sessions are protected with httpOnly cookies.

Responsible disclosure

Found a vulnerability? We want to hear from you before anyone else does. Email security@revvdoctor.com with details and steps to reproduce. We aim to acknowledge reports within 48 hours and will not pursue action against good-faith security research.