Security Practices

Last updated: 19 December 2025

Our Security Commitment

At Revano, security is not an afterthought. It's built into every layer of our platform. We understand that you're trusting us with sensitive evidence data, and we take that responsibility seriously.

  • Encryption at Rest
  • Per-Tenant Isolation
  • 2FA Required
  • CSRF Protection

Data Encryption

Encryption at Rest

All customer data is encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256). Each tenant has a unique encryption key, ensuring complete data isolation.

Encryption in Transit

All connections to Revano are encrypted using TLS 1.2 or higher. We enforce HSTS headers with a two-year max-age to prevent downgrade attacks.

Key Management

Tenant encryption keys are wrapped with a master key and stored separately from encrypted data. Key rotation is supported without service interruption.
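
The wrapping and rotation described above can be sketched as follows. This is an added example, not Revano's code: it assumes the tenant keys are themselves wrapped with Fernet under the master key and uses the third-party `cryptography` package; the tenant names and the record are constructed.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

def new_tenant_key(master):
    """Generate a per-tenant data key and return it wrapped under the master key."""
    return master.encrypt(Fernet.generate_key())

def tenant_cipher(master, wrapped_key):
    """Unwrap a tenant key and return the cipher for that tenant's records."""
    return Fernet(master.decrypt(wrapped_key))

def rotate_master(old_master_key, new_master_key, key_store):
    """Re-wrap every tenant key under the new master key; records are not touched."""
    both = MultiFernet([Fernet(new_master_key), Fernet(old_master_key)])
    return {tenant: both.rotate(token) for tenant, token in key_store.items()}

def opens(cipher, token):
    """True if the cipher authenticates and decrypts the token."""
    try:
        cipher.decrypt(token)
        return True
    except InvalidToken:
        return False

def demo():
    old_master_key = Fernet.generate_key()
    old_master = Fernet(old_master_key)
    # Wrapped keys live in their own store, apart from the encrypted records.
    key_store = {t: new_tenant_key(old_master) for t in ("tenant-a", "tenant-b")}
    record = tenant_cipher(old_master, key_store["tenant-a"]).encrypt(
        b"constructed evidence record")

    # Isolation: tenant-b's key fails the HMAC check on tenant-a's ciphertext.
    cross_tenant_read = opens(tenant_cipher(old_master, key_store["tenant-b"]), record)

    # Master-key rotation only rewrites the small wrapped keys.
    new_master_key = Fernet.generate_key()
    key_store = rotate_master(old_master_key, new_master_key, key_store)
    new_master = Fernet(new_master_key)
    plaintext = tenant_cipher(new_master, key_store["tenant-a"]).decrypt(record)
    old_master_still_works = opens(old_master, key_store["tenant-a"])
    return cross_tenant_read, plaintext, old_master_still_works
```

Because only the wrapped keys are re-encrypted, existing records stay readable throughout the rotation, and the old master key can be retired once every entry in the key store has been re-wrapped.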

Evidence Report Security

Generated evidence reports are encrypted and delivered via password-protected ZIP archives with unique, randomly generated passwords.

Authentication & Access Control

Password Security

Passwords are hashed using PBKDF2-HMAC-SHA256 with 240,000 iterations and unique salts. We use constant-time comparison to prevent timing attacks.
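
A minimal sketch of this scheme using only the Python standard library, added here as an illustration and not taken from Revano's code. The 16-byte salt, the `$`-separated storage format and the rehash flag are assumptions; the algorithm and iteration count are the ones stated above.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 240_000      # figure stated on the page
SALT_BYTES = 16           # assumption: the page only says salts are unique
MAX_ITERATIONS = 10_000_000  # assumption: refuse absurd stored work factors

def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(password, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt$hash' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt),
                     _b64(_derive(password, salt, iterations))])

def verify_password(password, stored):
    """Return (ok, needs_rehash). Malformed records fail closed."""
    try:
        algorithm, iter_s, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # wrong field count, bad integer, or bad base64
        return False, False
    if algorithm != ALGORITHM or not 1 <= iterations <= MAX_ITERATIONS:
        return False, False
    # compare_digest runs in time independent of where the inputs differ
    ok = hmac.compare_digest(_derive(password, salt, iterations), expected)
    # A hash made with fewer iterations than the current target should be
    # replaced on the next successful login.
    return ok, ok and iterations < ITERATIONS
```

Storing the iteration count next to each hash is what lets the work factor be raised later without forcing password resets.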

Two-Factor Authentication

TOTP-based 2FA is required for all accounts. Evidence exports require re-authentication with a one-time code to prevent unauthorized data access.

Session Management

Sessions expire after 30 minutes of inactivity. Users can view and terminate active sessions from their account dashboard.

Login History

All login attempts are logged with IP address and device information. Users can review their login history to detect unauthorized access.

Tenant Isolation

Revano is built as a multi-tenant platform with strict isolation between accounts:

  • Data Isolation: Each tenant's data is stored in separate encrypted containers with unique encryption keys
  • Scope Enforcement: All API and dashboard requests validate ownership before returning data
  • Resource Validation: Cross-tenant data access attempts result in 403/404 errors
  • API Authentication: Each account has unique API credentials that cannot access other tenants' data

Web Application Security

Content Security Policy

Strict CSP headers restrict script execution to approved sources with nonce-based validation. Frame embedding is denied to prevent clickjacking.

CSRF Protection

All state-changing requests require valid CSRF tokens. Tokens are generated per-session and validated using constant-time comparison.

Input Validation

All user input is sanitized to prevent XSS, SQL injection, and other injection attacks. HTML content is scrubbed of dangerous tags and attributes.

Rate Limiting

Comprehensive rate limiting protects against brute force attacks, credential stuffing, and API abuse. Limits are enforced per-IP and per-account.

Security Headers

All responses include the following security headers:

| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains | Enforce HTTPS for 2 years |
| X-Frame-Options | DENY | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Referrer-Policy | no-referrer | Prevent referrer leakage |
| Content-Security-Policy | Strict nonce-based policy | Prevent XSS attacks |
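
A customer reviewing these claims can check a captured response against the table. The audit below is an added example, not a Revano tool; the finding ids and both sample header sets are constructed, and it assumes the nonce appears in `script-src` (or `default-src` as the fallback).

```python
import re

MIN_HSTS_MAX_AGE = 63072000  # two years, the value in the table above
EXACT = {  # header -> required value, compared case-insensitively
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
}

def csp_directives(value):
    """Parse a CSP value into {directive: [sources]}; the first occurrence wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_headers(headers):
    """Return a finding id for every deviation from the table (empty list = pass)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("hsts-max-age")
    if "includesubdomains" not in [p.strip().lower() for p in hsts.split(";")]:
        findings.append("hsts-includesubdomains")
    for name, want in EXACT.items():
        if h.get(name, "").lower() != want:
            findings.append(name)
    csp = csp_directives(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))
    if not any(s.lower().startswith("'nonce-") for s in script_src):
        findings.append("csp-nonce")
    return findings

# Constructed sample responses: one matching the table, one drifting from it.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-Q29uc3RydWN0ZWQ='",
}
WEAK = {
    "strict-transport-security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}
```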

Monitoring & Incident Response

  • Request Logging: All requests are logged with metadata for security analysis (sensitive data is excluded)
  • Error Tracking: Server errors are captured with sanitized context for debugging
  • Abuse Detection: Automated systems monitor for suspicious activity patterns
  • Incident Response: We maintain an incident response procedure to handle security events within GDPR timelines

Data Retention & Deletion

  • Account data is retained for the lifetime of the subscription plus 90 days
  • Evidence reports expire after 90 days and are automatically deleted
  • Login history and security logs are retained for 180 days
  • Upon account deletion, all data is permanently and irreversibly removed
  • Billing records are retained for 7 years as required by Dutch tax law

Infrastructure

Revano operates on self-hosted infrastructure for maximum control and data sovereignty:

  • Location: Self-hosted servers in Lelystad, The Netherlands (EU)
  • Data Residency: All customer data stored exclusively within the European Union
  • No Third-Party Cloud: We do not use AWS, Google Cloud, Azure, or similar providers for data storage
  • Traffic Protection: Cloudflare provides DDoS protection and CDN services (traffic routing only)

Compliance & Certifications

Revano is designed to support your compliance requirements:

  • GDPR: Full compliance with EU General Data Protection Regulation
  • AVG: Compliant with Dutch implementation of GDPR
  • Data Processing Agreement: Standard DPA available for all customers
  • Sub-processor Transparency: Full list of sub-processors publicly available

Security Questionnaires

We understand that enterprise customers require detailed security assessments. We're happy to complete security questionnaires (SIG, CAIQ, custom) and provide additional documentation upon request.

Contact us at [email protected] for security inquiries.

Responsible Disclosure

We value the security research community. If you discover a security vulnerability, please report it responsibly:

  • Email: [email protected] (subject: Security Vulnerability)
  • Include detailed steps to reproduce the issue
  • Allow reasonable time for us to address the vulnerability before public disclosure

We commit to acknowledging reports within 48 hours and providing regular updates on remediation progress.

Contact

For security-related inquiries:

Klaver Solutions
Blaasbalg 14
8253LX Dronten
The Netherlands
KVK 91096111
Email: [email protected]