Security at RevDesk
RevDesk runs revenue conversations for regulated and high-trust businesses. The platform is built on encryption-everywhere defaults, named sub-processors with executed agreements, scoped access controls, and a documented audit trail. This page is the public reference. The detailed packet is available under NDA via sales.
Request the full security packet
SOC 2 mapping, sub-processor BAAs, penetration test summary, DPA, incident response runbook.
Encryption
| Layer | Posture |
|---|---|
| In transit | TLS 1.3 on every public surface. SRTP on real-time media. |
| At rest | AES-256 for every data store: Postgres, Vercel Blob (recordings, LOAs), backups. |
| Application secrets | Encrypted with REVDESK_ENCRYPTION_KEY before persistence. Provider keys never appear in plaintext logs. |
| Recordings | Encrypted at rest. Signed URLs expire on access. Retention default 90 days under HIPAA mode; configurable per team. |
Access controls
- SSO and SAML on Enterprise. Group-based provisioning.
- Row-level scoping. Every API query runs through an ownership filter scoped to the authenticated principal’s org and team visibility. Cross-tenant reads are not architecturally reachable.
- Audit log on every mutation. Recorded via tRPC middleware. Exportable on request.
- Outreach disclosure attestation. Every outbound call and SMS persists whether a recording disclosure or STOP-instructions phrase was attached at send time, plus a two-party-consent state flag for calls. Exportable via the Compliance Center on the Outreach page — see Outreach audit.
- Sub-entity isolation for multi-tenant operators. See Sub-entities.
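The row-level scoping and mutation audit bullets above describe a middleware pattern. The block below is an added illustration of that pattern, not RevDesk's code: it is written in the style of a tRPC middleware chain but has no tRPC dependency so it runs stand-alone, and every name, the in-memory call table, the principal shape, and the procedure names are constructed for the example. The point it shows is that the handler only ever receives rows that already passed the ownership filter, so a cross-tenant id simply resolves to nothing, and that the audit entry is written by the wrapper rather than by each handler.

```typescript
// Added illustration of org/team-scoped queries plus a wrapper-level audit log,
// in the shape of a tRPC-style middleware. Not RevDesk's code; all names assumed.

type Principal = { userId: string; orgId: string; teamIds: string[] };
type CallRecord = { id: string; orgId: string; teamId: string; to: string };
type AuditEntry = { actor: string; orgId: string; op: string; input: unknown; at: number };

// Constructed sample store holding rows from two tenants.
const CALLS: CallRecord[] = [
  { id: "c1", orgId: "org-a", teamId: "t1", to: "+15550000001" },
  { id: "c2", orgId: "org-a", teamId: "t2", to: "+15550000002" },
  { id: "c3", orgId: "org-b", teamId: "t9", to: "+15550000003" },
];
const AUDIT: AuditEntry[] = [];

// Ownership filter: the only path from a principal to rows. A row is visible
// only when it belongs to the principal's org AND one of the principal's teams.
function ownershipFilter(p: Principal): (r: CallRecord) => boolean {
  const teams = new Set(p.teamIds);
  return (r) => r.orgId === p.orgId && teams.has(r.teamId);
}

type ProcType = "query" | "mutation";
type Handler<I, O> = (ctx: { principal: Principal; visible: CallRecord[] }, input: I) => O;

// Wrapper: rejects unauthenticated calls, narrows the store to the principal's
// visible rows before the handler runs, and records every mutation afterwards.
function procedure<I, O>(type: ProcType, name: string, handler: Handler<I, O>) {
  return (principal: Principal | null, input: I): O => {
    if (!principal) throw new Error("UNAUTHORIZED");
    const visible = CALLS.filter(ownershipFilter(principal));
    const result = handler({ principal, visible }, input);
    if (type === "mutation") {
      AUDIT.push({ actor: principal.userId, orgId: principal.orgId, op: name, input, at: Date.now() });
    }
    return result;
  };
}

// Queries operate on the scoped view, never on the raw table.
export const listCalls = procedure<unknown, string[]>("query", "calls.list",
  (ctx) => ctx.visible.map((c) => c.id));
export const getCall = procedure<{ id: string }, CallRecord | null>("query", "calls.get",
  (ctx, input) => ctx.visible.find((c) => c.id === input.id) ?? null);

// Mutation: a cross-tenant id finds no row, so there is no side effect to leak.
export const redactCall = procedure<{ id: string }, boolean>("mutation", "calls.redact",
  (ctx, input) => {
    const row = ctx.visible.find((c) => c.id === input.id);
    if (!row) return false;
    row.to = "[redacted]";
    return true;
  });

export function auditLog(): AuditEntry[] {
  return AUDIT;
}
```

Because the filter is applied by the wrapper, a new procedure cannot forget it; the only way to read outside the principal's org would be to bypass the wrapper entirely, which is the property the "not architecturally reachable" claim depends on.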
Sub-processors
The full and current list lives in your data processing addendum. Highlights:
| Service | Role | BAA / DPA |
|---|---|---|
| Tier-1 US carrier | Voice and SMS termination, branded calling, SIP trunking | Conduit Exception for HIPAA. DPA on file. |
| LiveKit | Real-time media transport | BAA executed for HIPAA-eligible teams. |
| Hiya | Number reputation analytics | DPA. Verified per deployment for HIPAA-strict customers. |
| Vercel | Application hosting and storage (Blob) | BAA available on Enterprise. |
| Neon (managed Postgres) | Primary data store | BAA available; encryption and backup defaults documented. |
| OpenAI, Anthropic | LLM inference | BAA available on Enterprise. PHI redaction enforced when BAA absent. |
| Deepgram, AssemblyAI | Speech-to-text | BAA available case-by-case. |
| Stripe | Billing | BAA available. PHI never appears in invoice metadata. |
Data residency
US default. Recordings, transcripts, and call metadata are stored in US regions. EU residency is available on Enterprise on a customer-by-customer basis. Talk to sales if your contract requires a specific region.
Retention
| Object | Default retention | Override |
|---|---|---|
| Call recordings | 90 days under HIPAA mode, 365 days otherwise | Customer-configurable per team |
| Transcripts | Matches recording retention | Customer-configurable |
| Call metadata | Indefinite (needed for billing, analytics, audit) | Reduced on contract request |
| Audit log | Indefinite | Exportable on offboarding |
Network controls
- IP allowlisting on the API for Enterprise.
- Branded calling at the carrier level with STIR/SHAKEN attestation. See Caller trust.
- DNC scrubbing and TCPA-aware sequencing run before any outbound dial leaves the platform.
SOC 2
SOC 2 Type II audit is in progress. Controls are mapped, evidence collection is underway, and the report will be available under NDA via sales when issued. Until then, the security packet covers the same control families and includes a gap analysis prepared by our auditors.
HIPAA
PHI handling is gated by a per-workspace hipaa_enabled flag that activates only after you sign a BAA with RevDesk. The flag enables voice-AI provider HIPAA mode, locks the recording disclosure on, caps recording retention, restricts LLM routing to BAA-covered providers, blocks installs of non-BAA integrations, and emits a compliance audit log. See HIPAA and BAA coverage for the full posture and how to request a BAA.
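The paragraph above lists the behaviours the hipaa_enabled flag forces. The block below is an added illustration of how such a flag can be resolved into an effective policy at request time; it is not RevDesk's code, and the workspace shape, the provider names, the per-workspace BAA table and the 90-day cap constant are assumptions constructed for the example (the cap value follows the retention table on this page). It covers the two edge cases a reviewer would ask about: the flag being set before the platform BAA is signed (it stays inert), and a team requesting settings that HIPAA mode overrides (they are clamped and the override is recorded).

```typescript
// Added illustration of resolving a per-workspace hipaa_enabled flag into an
// enforced policy. Not RevDesk's code; shapes, names and the BAA table are assumed.

type Provider = "openai" | "anthropic" | "deepgram" | "assemblyai";

type Workspace = {
  id: string;
  hipaa_enabled: boolean;
  baaSigned: boolean;              // BAA with the platform itself (assumed field)
  recordingRetentionDays: number;  // team's requested value
  recordingDisclosure: boolean;    // team's requested value
  llmProviders: Provider[];        // team's requested routing
};

// Constructed: which providers have an executed BAA covering this workspace.
type BaaTable = Partial<Record<Provider, boolean>>;

type Policy = {
  hipaaMode: boolean;
  recordingDisclosure: boolean;
  recordingRetentionDays: number;
  llmProviders: Provider[];
  auditEvents: string[];           // compliance audit entries emitted by the resolver
};

const HIPAA_RETENTION_CAP_DAYS = 90; // assumed cap, matching the retention table

export function resolvePolicy(ws: Workspace, baa: BaaTable): Policy {
  // The flag alone does nothing: HIPAA mode requires the signed platform BAA.
  const hipaaMode = ws.hipaa_enabled && ws.baaSigned;
  if (!hipaaMode) {
    return {
      hipaaMode: false,
      recordingDisclosure: ws.recordingDisclosure,
      recordingRetentionDays: ws.recordingRetentionDays,
      llmProviders: ws.llmProviders,
      auditEvents: [],
    };
  }

  const events: string[] = [];

  // LLM routing is restricted to providers with a BAA on file; the rest are dropped.
  const covered = ws.llmProviders.filter((p) => baa[p] === true);
  const dropped = ws.llmProviders.filter((p) => baa[p] !== true);
  if (dropped.length > 0) events.push(`llm_route_blocked:${dropped.join(",")}`);

  // Retention is capped, never raised, regardless of the team setting.
  const retention = Math.min(ws.recordingRetentionDays, HIPAA_RETENTION_CAP_DAYS);
  if (retention !== ws.recordingRetentionDays) {
    events.push(`retention_capped:${ws.recordingRetentionDays}->${retention}`);
  }

  // Recording disclosure is locked on; a team cannot switch it off in HIPAA mode.
  if (!ws.recordingDisclosure) events.push("disclosure_forced_on");

  return {
    hipaaMode: true,
    recordingDisclosure: true,
    recordingRetentionDays: retention,
    llmProviders: covered,
    auditEvents: events,
  };
}

// Integration installs are blocked in HIPAA mode unless the integration has a BAA.
export function canInstallIntegration(policy: Policy, integrationHasBaa: boolean): boolean {
  return !policy.hipaaMode || integrationHasBaa;
}
```

Resolving the policy once per request and passing the result down, rather than checking the flag at each call site, keeps the five behaviours in one place where the compliance audit entries are also produced.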
Incident response
Breach notification procedures follow § 164.410. Customers are notified within 72 hours of a confirmed material incident. Post-incident reports include root cause, remediation, and prevention measures. For unconfirmed events, the customer security contact on file is notified during the investigation, not after.
Reach security
- General security questions: security@revdesk.com
- Compliance and BAAs: compliance@revdesk.com
- Vulnerability disclosure: security@revdesk.com (PGP key in the packet)
Request the full security packet
Sent under NDA. Includes mapping to SOC 2, DPA, BAA addendums, and the latest penetration test summary.