Procurement and security teams look at this page first. Here's how we handle data, what certifications are in flight, the legal entity behind the brand, and who to reach about any of it.
Revoleap is a 2026 firm. We don't yet hold a SOC 2 report or an ISO 27001 certificate. We are building toward both, on a clear timeline, and we publish the roadmap below. In the meantime: we handle data the way an audited firm should, because shortly we will be one.
We work inside the client's cloud accounts, data warehouses, and identity systems by default. Where data must transit our environment for an engagement, we agree on the perimeter, the retention, and the disposal up front — in writing, before the engagement starts.
— LiveInitial Type I attestation targeted for late 2026; Type II report twelve months thereafter. We are working with a recognised auditor and will publish the bridge letter to qualified prospects under NDA.
— In flight · 2026Information Security Management System scoped and being implemented through 2026. Stage 1 audit targeted Q2 2027. Certificate published here on issue.
— In flight · 2026–27We process personal data only where the engagement requires it, only with documented purpose, and only for the period agreed in the engagement contract. Standard data subject rights honoured — access, correction, deletion, restriction, portability, objection.
— LiveEvery AI system we build for a client ships with an evaluation harness. Production agents have explicit guardrails, observability, and human-in-the-loop fallbacks for consequential actions. We do not deploy models we have not measured.
— LiveStandard procurement questionnaires (CAIQ, vendor risk, supplier security, DPA, master agreement) — we have boilerplate responses prepared and will work through bespoke ones within standard procurement timelines. Reach [email protected] to begin.
— LivePlain procurement basics — entity, registered office, regulators of record, and the people to reach for legal or compliance correspondence.
Write to [email protected] for a security questionnaire response, an architecture review, or a SOC 2 bridge letter request under NDA.
Write to [email protected] for vendor onboarding, master service agreements, data processing addenda, and master commercial terms.
Write to [email protected] for any data-subject request, data-handling clarification, or sub-processor inventory.
If you're not sure which inbox: [email protected], and we'll route it.