Careful with customer data.
RevDesk is cautious about how customer data is handled, both during managed pilots and in the future SaaS platform. This page describes the current approach honestly, without overclaiming certifications we haven't earned.
How early pilots actually run
Before real lead data enters the future SaaS system, pilots run carefully and reversibly.
Managed pilots use controlled workflows
Early managed pilots may use customer-owned tools and controlled workflows rather than the future SaaS platform. We validate the LeadOps process with real businesses while keeping data handling simple and auditable.
Real data waits for security review
Real client data will not enter the future SaaS system until production secrets are rotated and an independent security review clears the platform. This is a hard gate. Not a checkbox.
Human approval before sensitive actions
Insurance claims, warranty questions, complaints, pricing, legal matters, and emergencies always require human review before any response is sent. This is built into the workflow architecture, not a setting that can be turned off.
What the system is built toward
When managed pilots graduate to the full RevDesk platform, this is the design they meet.
Tenant-isolated database design
Supabase Postgres with Row-Level Security policies designed to enforce tenant boundaries at the database layer, not only in application code.
Signed webhook intake
All webhook submissions are validated with HMAC-SHA256 signatures. Invalid or unsigned requests are rejected before any database write.
Service-role boundaries
Elevated database credentials are restricted to server-only files and are not exposed in client bundles or public API responses.
Consent and suppression enforcement
The SMS dispatch layer checks consent records and suppression lists before sending. Opted-out contacts are blocked at the system level.
Audit-oriented event trail
Lead intake, classification, message approval, and send actions are logged to an audit trail designed to be append-only.
Secret rotation tracker
Production credentials are tracked in a documented rotation process. All secrets must be confirmed rotated before any pilot client is onboarded.
What we don't claim
RevDesk does not hold SOC 2, HIPAA, ISO 27001, or any other compliance certification at this stage. We are a security-conscious platform in active development.
Our security posture is an ongoing commitment, not a completed audit. We believe describing what we've built, and what our current limitations are, is more trustworthy than displaying badges we haven't earned.
If you are evaluating RevDesk for a regulated industry or require specific compliance documentation, contact us before proceeding.
Questions about how we handle data?
We'll share our current security approach and pilot data handling process with any business considering a RevDesk engagement.