Trust & Security
RLVNCE is infrastructure for regulated, citation-heavy workflows. Security, data isolation, and provenance are foundational - not afterthoughts.
In place today
Current security and data protection controls
Encryption
TLS encryption for all data in transit (HTTPS everywhere)
AWS-managed encryption at rest for all stored data
Passwords hashed with bcrypt (never stored in plaintext)
API keys hashed with SHA-256 (shown once on creation, never retrievable)
Tenant isolation
Application-level data isolation - every API request is scoped to the authenticated tenant
Corpora, documents, API keys, and usage data fully isolated per organization
API gateway enforces authentication and per-plan rate limiting on every request
Inter-service communication authenticated via HMAC-SHA256 signed tokens
Authentication & access control
API key authentication with scoped permissions (per-corpus, per-operation)
API key expiration dates and immediate revocation
OAuth 2.1 for the MCP server (authorization code + PKCE, JWT access tokens)
Session authentication with JWT for dashboard access
Organization-level team management with admin/standard roles
Append-only audit logs of all administrative actions - corpus changes, policy updates, API key lifecycle, team membership
Provenance & auditability
Every search result includes source URL, content hash, and timestamps
SHA-256 content hashing for document integrity and change detection
Webhook deliveries signed with HMAC-SHA256 for authenticity verification
robots.txt respected by default with configurable override
Data handling
No customer data used for model training, benchmarking, or any purpose beyond service delivery
Corpus deletion permanently removes all documents, indexes, and change events
Defined data retention periods for all data types (see Privacy Policy)
Usage metering with real-time plan enforcement and spend controls
Infrastructure
Hosted on AWS (US region) with managed encryption
Kubernetes-orchestrated services with automated scaling
Structured logging and OpenTelemetry tracing across all services
Secrets managed outside code repositories with rotation policies
In progress
Actively building toward enterprise-grade compliance
SOC 2
Working toward SOC 2 Type I with controls mapped to the platform architecture. Type II to follow.
SAML SSO
Enterprise single sign-on via SAML (IdP-initiated and SP-initiated) for dashboard and API access.
Data Processing Addendum (DPA)
Standard DPA template with a subprocessor list for enterprise procurement. Explicit contractual language on data handling and no-training guarantees.
Vulnerability management program
SAST/DAST scanning, dependency auditing, patch SLAs, and tracked exceptions. Annual external penetration testing with remediation tracking.
Incident response
Formal IR playbooks, communication templates, on-call rotation, and postmortem process.
Status page
Public status page with uptime monitoring, incident history, and maintenance notifications.
On the roadmap
Planned for upcoming releases
Regional deployments
EU, UK, and Australia regions for data sovereignty compliance.
RBAC with fine-grained roles
Admin, Operator, Developer, Read-only roles with per-corpus permissions.
SCIM provisioning
Automated user provisioning and deprovisioning from your identity provider.
IP allowlisting
Restrict API and dashboard access to approved IP ranges.
Private connectivity
VPC peering or PrivateLink for customers requiring network-level isolation.
SLA with uptime guarantees
Formal SLA template with uptime commitments and support response targets.
Customer-managed encryption keys
BYOK support for customers requiring their own KMS key management.
Data retention controls
Per-corpus configurable retention for query logs, extracted content, and audit logs.
Security inquiries
Questions about our security posture or enterprise requirements
If you're evaluating RLVNCE for a regulated or enterprise deployment, we're happy to discuss our security architecture, controls, and roadmap in detail.
Security: security@rlvnce.com
Enterprise sales: sales@rlvnce.com
Privacy: privacy@rlvnce.com