Security at Revnary

For automated column mapping and service period detection, anonymised column headers and small description samples may be processed by Google Gemini (a Google Cloud AI service). Revenue figures and full transaction rows are not shared. Google's API terms prohibit using this data for model training.

Files are stored on Google Cloud in the EU. Core processing runs on Google Cloud Run in the EU. Backups remain within the EU.

• Files are encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Generated workbooks are retained for 90 days after job completion (or until you delete them), then permanently removed.
• You can delete files immediately from within the product; deletion propagates from active storage and scheduled backups.

• Role-based access; production data access is restricted to a small, audited group on a least-privilege basis.
• Admin access protected by MFA and hardware-backed keys for engineering.

• Backend compute runs on Google Cloud Run with network isolation and managed secrets. Uploaded files and generated workbooks are stored on Google Cloud Storage in the EU region.
• Continuous logging of auth, file access, and exports; alerts for unusual activity.

• Regular dependency patching and container image scans.
• External penetration testing at least annually and after major changes.
• A documented vulnerability disclosure process.

• Encrypted backups with daily snapshots and tested restore procedures.
• No single points of failure in the storage path for uploads and workbooks.

• We act as Processor; you remain Controller.
• We support access, rectification, and deletion requests.
• Data Processing Addendum (DPA) available on request.