Security & Sub-processors

Last updated: 2 June 2026

This page describes the technical and organisational measures Coedify Technology LLP applies to protect the revsko Service, the sub-processors we engage to operate it, and how to report a suspected vulnerability. It complements the Privacy Policy and the Data Processing Addendum.

1. Security program

We maintain a written security program proportionate to the nature of the Service and the sensitivity of the data we process on behalf of Customers. The program is reviewed at least annually and updated as the Service evolves. Where we are not yet certified to a particular standard, we map our practices to recognised control frameworks (such as ISO 27001 and SOC 2 control categories) and intend to pursue independent certification as the business scales.

2. Data protection

Encryption in transit. All connections between users, integrations, and the Service use TLS 1.2 or higher.
Encryption at rest. Customer Data, including OAuth tokens and message content, is encrypted at rest using AES-256 or equivalent provided by the underlying cloud platform.
Secrets management. Provider credentials and OAuth tokens are stored in a managed secret store with restricted access and audit logging.
Tenant isolation. Customer Data is logically isolated per tenant; all data-access paths require the caller's authenticated tenant identifier and are enforced at the application layer.

3. Access controls

Role-based access for Customer users (Admin, Sales Rep, Viewer) within their tenant.
Coedify personnel access to production systems is granted on the principle of least privilege, requires multi-factor authentication, and is logged.
Production access to Customer Data by Coedify personnel is restricted to a small operations group and is only used for documented support, abuse, security, or legal reasons consistent with the Privacy Policy.
Customers can disconnect OAuth-connected accounts at any time. Disconnection stops further access and triggers deletion of cached provider data per our retention policy.

4. Application security

Approval-gated workflows: every important action (for example, sending email or escalating a conversation) can be set to wait for human approval before it is executed.
Scoped agent permissions: each agent operates with the minimum permissions required (for example, Research can read but cannot send; Outreach can only send approved drafts).
Input validation, output encoding, and parameterised queries to mitigate injection.
Authentication, session management, and CSRF protections in the application layer.
Audit logging of administrative actions, approvals, and access to Customer Data.
Secure software development lifecycle: code review, dependency scanning, and static analysis on changes to production code.

5. Infrastructure security

Production infrastructure runs on tier-1 cloud providers with hardware, network, and physical security operated by the provider.
Network segmentation between public-facing and internal services; administrative interfaces are not exposed to the public internet.
Continuous patching of operating systems and managed-service dependencies on the provider's schedule.
DDoS mitigation and edge protections via our CDN/edge provider.
Centralised logging and monitoring for security and operational events.

6. AI and email-provider controls

Customer Data sent to large-language-model providers is processed transiently to produce user-facing outputs and is not used to train foundation models. We rely on each provider's zero-retention or enterprise data-handling terms as published by that provider.
Coedify does not train its own foundation models on Customer Data, Google user data, or Microsoft user data.
Google Workspace integrations comply with the Google API Services User Data Policy, including the Limited Use requirements. See the Limited Use Disclosure in the Privacy Policy.
Microsoft 365 integrations (where enabled) comply with the Microsoft APIs Terms of Use and applicable Microsoft 365 certification requirements.
Customers may bring their own keys ("BYOK") for AI, email, and enrichment providers; in that case, the Customer's contract with that provider governs.

7. Incident response

We maintain a documented incident-response process. If we become aware of a security incident affecting Customer Data, we will (a) investigate, (b) take reasonable steps to contain and remediate, and (c) notify affected Customers without undue delay and consistent with our obligations under applicable law and the Data Processing Addendum. Notifications will include the information then reasonably available, including the nature of the incident, the categories of data involved, and the steps taken or proposed.

8. Business continuity and backups

Customer Data is backed up on a regular schedule. Backups are encrypted and access-controlled.
Disaster-recovery procedures are reviewed periodically. Target recovery objectives are tightened as the Service matures.
Software changes follow a documented release process with rollback paths.

9. Personnel

All personnel sign confidentiality agreements covering Customer Data.
Personnel are trained on security and privacy responsibilities on joining and at appropriate intervals thereafter.
Access is provisioned per role and revoked promptly on role change or departure.

10. Sub-processors

We engage sub-processors to operate the Service. We require each sub-processor to provide protections at least as protective as those in this page and the Data Processing Addendum, and we periodically review their compliance. The lists below distinguish (a) sub-processors that are currently authorised to process Customer Data, (b) sub-processors that are activated only when the Customer enables an optional feature or uses BYOK, and (c) sub-processors that are planned but not yet authorised to process Customer Data. Planned entries are listed for transparency only and become authorised only after they go live and after the notice procedure in the DPA has been observed.

10.1 Currently authorised sub-processors

Sub-processor (legal entity)	Service	Data categories	Processing location
Google LLC	Firebase Hosting / Google Cloud — hosting of the marketing site and selected back-office services.	Public-site request metadata; limited back-office configuration data. No Customer Data of the application is hosted via this entry.	United States; global edge.
Cloudflare, Inc.	CDN, DDoS protection, and privacy-preserving web analytics for the marketing site.	Request metadata; aggregated analytics. No cookies set for tracking.	Global edge network.
Google LLC	Google Workspace APIs (Gmail and Calendar) — used when a Customer connects a Google account. Access is scoped per OAuth consent; see the Limited Use Disclosure.	Gmail draft content, provider identifiers, calendar availability, and calendar events for the connected user only.	Determined by the Customer's Google tenant.
OpenAI, L.L.C. (and affiliated entities, including OpenAI Ireland Ltd for EU traffic where applicable)	Large-language-model inference for agent features (research, drafting, classification). Used under enterprise / zero-retention terms; not used to train foundation models.	Transient prompt and completion content needed to produce the user-facing output. Excludes use of Google / Microsoft user data outside the Limited Use scope.	United States (and EU for Customers routed to OpenAI Ireland where available).
Anthropic, PBC	Large-language-model inference for agent features. Used under enterprise / zero-retention terms; not used to train foundation models.	Transient prompt and completion content needed to produce the user-facing output.	United States.

10.2 Optional / Customer-enabled sub-processors

These sub-processors are engaged only if the Customer enables the corresponding optional feature, brings its own account credentials ("BYOK"), or asks us to provision the integration. They are not authorised to process the Customer's data unless the Customer opts in.

Sub-processor (legal entity)	Service	Data categories	Processing location
Meta Platforms, Inc. (WhatsApp Business Platform)	Optional. WhatsApp message transport for India recipients in opted-in or recipient-initiated conversations only.	Message content and metadata for conversations in which the recipient has opted in or initiated the conversation.	Global, per Meta routing and applicable WhatsApp Business Platform terms.
Apollo.io, Inc.	Optional / BYOK. Contact and company enrichment where the Customer elects to use it or brings its own Apollo account.	Business contact identifiers submitted for enrichment.	United States.

10.3 Planned (not yet authorised to process Customer Data)

The following integrations are on our roadmap and are listed for transparency. They are not pre-authorised to process Customer Data. When any of these go live we will follow the change-notice procedure in the DPA before allowing them to process Customer Data.

Sub-processor	Intended service
Microsoft Corporation (Microsoft Graph / Microsoft 365)	Process emails, drafts, and calendar events on behalf of Customers who connect a Microsoft 365 account, when this integration is enabled.

This list may be updated as we add or remove sub-processors. Customers may subscribe to advance notice of material changes by emailing security@revsko.com; objections are handled as set out in the Data Processing Addendum.

11. Responsible disclosure

We welcome reports of suspected security issues. Please email security@revsko.com with a clear description of the issue, steps to reproduce, and the impact you observed. Please do not access or modify data that does not belong to you, do not run automated scans against production, and give us a reasonable time to investigate and remediate before public disclosure. We will acknowledge your report, work with you in good faith, and credit you where you wish.

12. Contact

Coedify Technology LLP
C-89, 5th Floor, Sector 2, Noida, Uttar Pradesh 201301, India
Security: security@revsko.com
Privacy: privacy@revsko.com
General: hello@revsko.com · +91 81300 46116