Your billing data, handled like we'd want ours handled
Revenue data is sensitive. Here is exactly what RevTune accesses, how we store it, who can touch it, and how to erase everything if you ever want to leave.
Buyer facts
Last updated 2026-04-22
- Compliance status
- SOC 2 Type I — not yet certified. Audit planned for H2 2026.
- DPA availability
- Available on request — support@revtune.io
- Primary data region
- US-East (AWS us-east-2 via Neon + Vercel)
- Backup retention
- 30 days rolling, encrypted at rest
- Incident-response SLA
- 24h acknowledgement, 72h status page update
- Subprocessor updates
- This page is updated before any change goes live
Read-only by design
We request the minimum scopes each billing platform offers — enough to read subscriptions, invoices, customers, and plans. We never have the ability to charge cards, refund, or mutate your catalog.
Encrypted in transit and at rest
All traffic runs over TLS 1.2+. API tokens and OAuth refresh tokens are encrypted column-level with AES-256-GCM before being written to Postgres. Row-level access is scoped to the workspace that owns the row — no cross-tenant reads are possible.
Workspace-scoped API keys
Outbound API keys are hashed with SHA-256 before storage. You only see the plaintext once at creation. Revocation takes effect on the next request — no TTL gap, no dangling sessions.
Tenant-isolated database
Every metric, event, and insight is keyed to an organization_id foreign key. All query paths enforce the tenant filter; the app layer refuses to return rows that don't match the authenticated workspace.
Webhook signature verification
Incoming webhooks from Stripe, Paddle, LemonSqueezy, and Chargebee are verified against provider-signed signatures before processing. Requests that fail verification are dropped without side effect.
One-click disconnect + erase
You can disconnect any billing platform and permanently delete the workspace from Settings → Danger Zone. We show the exact cascade (plans, subscriptions, customers, events, insights) before the deletion runs.
Commitments
What we will never do
We never sell, rent, or share your billing data with third parties.
We never use your data to train third-party models. AI analyses run through Anthropic under the enterprise zero-retention contract.
We log access events for audit and incident response, retained for 90 days then purged.
Deletion is permanent — when you delete a workspace, backups roll off within 30 days and the data is gone.
Subprocessors
Who helps us run the service
We keep our vendor list short and name every one of them. If anything on this list changes, we update the page before the change goes live.
| Subprocessor | Purpose |
|---|---|
| Vercel | Application hosting (US/EU regions) |
| Neon | Postgres database (serverless, us-east-2) |
| Clerk | Authentication + organization management |
| Upstash | Redis for rate limits and idempotency |
| Inngest | Async job orchestration |
| Anthropic | Claude models for AI analyses (zero-retention) |
| Resend | Transactional email delivery |
Found a vulnerability?
Email security@revtune.io with a proof of concept and the affected endpoint. We acknowledge within 24 hours, triage within three business days, and credit researchers on this page (with consent) once the issue is resolved. Please do not test against other customers' workspaces.
General security questions