Controls
Operational across the product, the underlying platform, and the engineering team.
Infrastructure security
- Cloudflare Web Application Firewall in Block mode covering OWASP Top 10 and known malicious IP and bot signatures
- Cloudflare Full (strict) TLS — origin-side certificate validation prevents downgrade and man-in-the-middle scenarios
- Per-IP and per-account rate limiting on authentication, ingestion, and public APIs — enforced at the Cloudflare edge and at the origin
Product security
- Schema-validated input at every HTTP request handler, queue consumer, and external integration boundary
- OWASP Top 10 static analysis on every pull request — merges blocked on policy violations
- Dependency vulnerability scanning on every pull request — merges blocked on Critical and High severity findings
Data and privacy
- Encryption in transit using TLS across all external and internal connections
- Encryption at rest provided by the underlying database and object storage platforms using industry-standard algorithms
- Object storage configured with public access blocked at the bucket level; reads gated by IAM credentials over HTTPS
Organizational security
- Multi-factor authentication enforced on every production-access account across all infrastructure providers
- Privileged access restricted to the lead engineering team
- Quarterly access reviews; departure-triggered access removal verified before the departure is closed
Internal security procedures
- Defined incident response lifecycle: triage, contain, eradicate, recover, document
- Automated daily database snapshots with 7-day retention; Point-in-Time Recovery to 2-minute granularity available on demand
- Quarterly internal security review with dated evidence records and risk-register update
Sub-processors
Third-party providers that process customer data on Revelir's behalf. A Data Processing Agreement is executed with each provider where applicable.
| Vendor | Purpose | Data residency |
|---|---|---|
| Cloudflare | CDN, WAF, DNS, Workers compute, R2 object storage, D1 database, KV cache | Globally distributed |
| Supabase | PostgreSQL database, authentication | Singapore (ap-southeast-1) |
| AWS | S3 object storage | Singapore (ap-southeast-1) |
| Render | Backend service hosting | Provider-managed |
| Vercel | Frontend deployment hosting | Globally distributed |
| Google Cloud | Vertex AI Gemini inference (paid tier) | United States (us-central1) |
| OpenAI | LLM inference (paid commercial tier) | Provider-managed |
| Anthropic | LLM inference | Provider-managed |
| Voyage AI | Embedding inference | Provider-managed |
| Qdrant | Vector search | Provider-managed |
| Langfuse | LLM observability | Provider-managed |
| ClickHouse | Analytics and event storage | Provider-managed |
| Infisical | Centralized secrets management | Provider-managed |
| Sentry | Application observability and error monitoring | Provider-managed |
Report a vulnerability
Revelir welcomes coordinated disclosure from external security researchers. Reports submitted to our security team will be acknowledged within two business days.
security@revelir.ai
Request documentation
The Information Security Policy, Data Processing Agreements, and current sub-processor list are available to customers and prospective customers under mutual non-disclosure.