RevEvolve
Trust & Security

Built for procurement - verifiable, contractual, audit-ready.

SOC 2 Type II controls. AES-256 at rest. TLS 1.2+ in transit. Multi-region cloud with documented RPO/RTO. 72-hour breach notification - contractual.

This page is the procurement-evaluation gateway. Everything below describes what RevEvolve runs in production today: defense-in-depth architecture, attestation status, data protection controls, AI training disclosure, infrastructure reliability commitments, access controls, incident response timelines, and customer data ownership terms. Need NDA-gated detail? Email the security team - 24-hour triage SLA.

  • SOC 2: Type II controls - verification with security/legal
  • GDPR: EU data subject rights honored
  • CCPA: California privacy rights honored
  • PCI DSS: Card data handling controls
  • AES-256: Encryption at rest
  • TLS 1.2+: Encryption in transit

Security architecture

Six pillars - defense in depth.

Encryption · access control · network isolation · audit logging · continuous monitoring · incident response. The architecture in one page.

  • 01

    Encryption - at rest and in transit.

    AES-256 at rest across all customer data stores. TLS 1.2+ in transit between every service and every client. Field-level encryption applied to designated PII fields. Keys rotated on a documented cadence with HSM-backed key management.

  • 02

    Access control - least-privilege by default.

    SSO via SAML 2.0 supported for all customer organizations. MFA enforced for admin roles. RBAC with least-privilege role definitions. Internal RevEvolve personnel access requires named justification, time-bound approval, and full audit logging.

  • 03

    Network isolation.

    Customer environments isolated at the application and data layers. Production-internal traffic encrypted end-to-end. Public ingress points limited to documented APIs with rate limiting, WAF, and bot detection in front of every endpoint.

  • 04

    Audit logging.

    Every customer-facing and admin-facing action writes to an immutable audit log. Logs cover authentication, authorization, configuration changes, data access, recommendation history, and override events. Customer-side audit export available on request.

  • 05

    Continuous monitoring.

    24/7 platform monitoring with automated alerting on availability, latency, error rate, and security anomaly signatures. Threat intelligence feeds integrated into the detection pipeline. Quarterly red-team exercises documented internally.

  • 06

    Incident response.

    Documented incident response playbook with on-call rotation. Confirmed-incident breach notification to affected customers within 72 hours. Post-incident written report within 14 days, covering root cause, remediation, and prevention.

Data protection

Encryption + key management - documented and contractual.

  • 01

    AES-256 encryption at rest.

    Applied across all customer data stores including primary database, replicas, backups, and archives.

  • 02

    TLS 1.2+ in transit.

    Enforced on every service-to-service link, every API endpoint, and every customer-facing surface. TLS 1.3 supported where the client supports it.

  • 03

    Field-level encryption.

    Designated PII and authentication fields encrypted with separate keys above the storage-layer encryption.

  • 04

    Key management.

    Keys held in an HSM-backed key management service. Rotation on a documented cadence. Customer-managed keys supported on request.

AI training disclosure

Customer data does not train third-party models.

Customer-specific models are trained exclusively on the customer's own data. Cross-customer training is prohibited. Third-party LLM providers (e.g., Anthropic Claude) are used only via API for inference under a no-training contractual condition - customer prompts and responses are never used to train external models. This is a contract term with each LLM provider, not a configuration toggle.

  • Customer-specific models on customer data only.

    No cross-customer training. Each property's model is its own model.

  • Third-party LLM training prohibited.

    Inference-only access to external LLMs under a no-training contract clause with each provider.

  • Provider-agnostic by design.

    LLM providers can be swapped without changing customer data flow. Customer data never leaves the contract perimeter.

Infrastructure

Multi-region cloud - documented RPO/RTO.

Operational metrics on the public status page; the table below is the contractual baseline.

  • Cloud infrastructure: Major US cloud provider · multi-region
  • Uptime SLA: 99.9% target · status page available
  • Backup cadence: Continuous + nightly snapshots
  • RPO: ≤ 5 minutes · production data
  • RTO: ≤ 1 hour · core services
  • Disaster recovery: Multi-region failover · tested quarterly

Access control

Identity + authorization - least-privilege by default.

  • SSO via SAML 2.0.

    Customer-side identity provider integration supported. Just-in-time provisioning available.

  • MFA enforced for admin.

    Multi-factor authentication required for all administrative actions. TOTP and WebAuthn supported.

  • RBAC with least-privilege.

    Role definitions ship with least-privilege defaults. Custom roles available with audit-logged scope changes.

  • Internal access controls.

    RevEvolve personnel access to customer data requires named justification, time-bound approval, and full audit logging.

Incident response

72-hour breach notification - contractual, not aspirational.

  • On-call rotation.

    24/7 documented rotation across security, infrastructure, and platform engineering.

  • Breach notification within 72 hours.

    Affected customers notified within 72 hours of incident confirmation. Notification includes scope, suspected cause, and remediation steps in flight.

  • Post-incident report within 14 days.

    Written report delivered to affected customers covering root cause, remediation timeline, and the prevention measures adopted.

  • Customer-side incident contact.

    Email sales@hotelswitchboard.com for any suspected incident on the customer side. 24-hour security triage SLA.

Data ownership

Customer data stays customer data.

Three commitments on ownership, export, and deletion - written into the contract.

  • 01

    Customer owns customer data.

    Configuration, recommendations history, audit logs, and any data the customer uploads or generates remain customer property under the contract.

  • 02

    Export on demand.

    Full data export available on request in a documented format. Self-serve export for the most-requested data classes; full export with a 5-business-day SLA.

  • 03

    Deletion within 30 days of contract end.

    Standard deletion timeline. Earlier deletion available on request. Deletion certificate provided on completion.

Procurement resources

Public + NDA-gated - everything procurement needs.

PUBLIC

  • Security Whitepaper

    PDF · public

  • Privacy Policy

    Web · public

  • Terms & Conditions

    Web · public

  • Subprocessor list

    Web · public

NDA-PROTECTED

  • SOC 2 Type II report

    PDF · NDA-protected

  • Penetration test summary

    PDF · NDA-protected

  • Architecture diagram

    PDF · NDA-protected

  • Vendor security questionnaire

    DOCX · on request

FAQ

Procurement questions, answered.

RevEvolve operates with SOC 2 Type II controls. The current attestation status, auditor, and most-recent report period are available under NDA - request the Type II report at sales@hotelswitchboard.com. Compliance evidence is also reviewable through the procurement portal during contracting.

Procurement & security

Working through evaluation - we'll move at your pace.

Vendor security questionnaires, SOC 2 Type II reports under NDA, custom data-residency commitments, or active incident triage. The team responds within 24 hours on security; 2 business days on procurement.
