Security
Last updated: April 19, 2026
Security is foundational to OpeRev. This page describes the measures we take to protect our customers, their data, and the integrity of the Service.
1. Our Security Philosophy
OpeRev handles sensitive business data, including contact information, revenue data, and integrations with external CRMs. We take a defense-in-depth approach — no single layer is expected to be perfect; multiple layers combine to resist failures and attacks.
2. Infrastructure
2.1 Hosting
OpeRev is hosted on enterprise-grade cloud infrastructure:
- Application hosting: Vercel (SOC 2 Type II certified)
- Database and backend: Supabase (SOC 2 Type II certified)
- File storage: AWS S3 or equivalent, with server-side encryption
2.2 Network Security
- All traffic to and from OpeRev is encrypted using TLS 1.2 or higher
- Edge DDoS protection via our hosting providers
- Rate limiting and abuse detection on public endpoints
- Separate environments for development, staging, and production
3. Data Protection
3.1 Encryption
- In transit: TLS 1.2+ for all connections
- At rest: AES-256 encryption for database and file storage
- Sensitive credentials: third-party OAuth tokens stored with application-layer encryption (AES-256-GCM)
3.2 Multi-Tenant Isolation
OpeRev uses row-level security (RLS) policies enforced at the database layer to ensure strict data isolation between customer workspaces. Every query is automatically scoped to the authenticated user's workspace.
3.3 Backups
- Daily automated database backups with point-in-time recovery
- Backups encrypted at rest
- Regular restore testing
4. Authentication and Access Control
4.1 User Authentication
- Passwords are hashed using bcrypt with appropriate work factors
- Session management uses secure, HTTP-only cookies
- Rate limiting on authentication endpoints to prevent brute-force attacks
- HMAC-signed OAuth state to prevent CSRF during third-party integrations
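A minimal sketch of the HMAC-signed OAuth state technique named in the last item above, added here as an illustration and not OpeRev's code. The function names, payload fields, and 10-minute lifetime are assumptions.

```javascript
// Added illustration; every name, field, and the TTL below are assumptions.
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending authorization
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (key, data) => crypto.createHmac('sha256', key).update(data).digest();
// Keyed tag of the session ID, so the state never exposes the session cookie itself.
const sessionTag = (key, sessionId) => b64url(sign(key, `sid:${sessionId}`));

// Issue a state value bound to the caller's session and an expiry time.
function issueState(key, sessionId, now = Date.now()) {
  const payload = b64url(JSON.stringify({
    sid: sessionTag(key, sessionId),
    exp: now + STATE_TTL_MS,
    nonce: b64url(crypto.randomBytes(16)), // makes each issued value unique
  }));
  return `${payload}.${b64url(sign(key, payload))}`;
}

// Verify the state echoed back on the OAuth callback. Returns { ok, reason }.
function verifyState(key, state, sessionId, now = Date.now()) {
  if (typeof state !== 'string') return { ok: false, reason: 'malformed' };
  const parts = state.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, mac] = parts;
  const expected = sign(key, payload);
  const given = Buffer.from(mac, 'base64url');
  // Check the MAC before parsing the payload; timingSafeEqual needs equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.sid !== sessionTag(key, sessionId)) {
    return { ok: false, reason: 'session_mismatch' }; // callback from another session
  }
  return { ok: true, reason: null };
}
```

The session binding is what stops a callback URL started in one browser from being completed in another. The nonce alone does not make the value single-use, which would need server-side storage.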
4.2 Administrative Access
- Internal access to customer data is restricted and logged
- Multi-factor authentication required for employee accounts
- Least-privilege access model
- Access reviewed regularly
5. Application Security
5.1 Secure Development
- Code reviewed before deployment
- Automated testing including end-to-end (Playwright) tests
- Dependency vulnerability scanning
- Secret scanning to prevent accidental credential exposure in code
5.2 Production Deployment
- Automated CI/CD with required tests before production release
- Environment variables and secrets managed through secure vaults
- Rollback capability for rapid incident response
6. Integrations and Third Parties
When you connect third-party services (such as HubSpot) to OpeRev:
- OAuth tokens are encrypted at rest
- We request only the minimum scope necessary
- You may revoke integrations at any time from your account settings
- We do not share integration credentials with other services
7. Monitoring and Incident Response
- Continuous monitoring for errors, anomalies, and security events
- Logging of key application and security events
- Documented incident response procedures
- Customer notification in the event of a material security incident
8. Compliance and Responsibilities
8.1 Our Responsibility
We are responsible for securing the OpeRev Service, its infrastructure, and the data processing practices we operate.
8.2 Your Responsibility
As a customer, you are responsible for:
- Protecting your account credentials
- Managing access for users in your workspace
- Ensuring your use of the Service complies with applicable laws
- Having the legal basis to process any contact or lead data uploaded to OpeRev
9. Privacy
For information about how we handle personal data, see our Privacy Policy.
10. Responsible Disclosure
We welcome reports of security vulnerabilities. If you believe you have discovered a vulnerability:
- Email: security@operev.com
- Please provide sufficient detail to reproduce the issue
- Give us reasonable time to respond before public disclosure
- Do not access or modify data beyond what is needed to demonstrate the issue
- Do not test against production data belonging to other customers
We appreciate the security research community and will respond to good-faith reports.
11. Contact
- Security inquiries: security@operev.com
- Privacy inquiries: privacy@operev.com
- Website: operev.com