— Trust & Governance

The serious bits, out in front.

Procurement and security teams look at this page first. Here's how we handle data, what certifications are in flight, the legal entity behind the brand, and who to reach about any of it.

§ 01
Our posture

We will be audited on what we ship.

Revoleap is a 2026 firm. We don't yet hold a SOC 2 report or an ISO 27001 certificate. We are building toward both, on a clear timeline, and we publish the roadmap below. In the meantime: we handle data the way an audited firm should, because shortly we will be one.

— Data handling

Client data stays in the client's systems where possible.

We work inside the client's cloud accounts, data warehouses, and identity systems by default. Where data must transit our environment for an engagement, we agree on the perimeter, the retention, and the disposal up front — in writing, before the engagement starts.

— Live
— SOC 2 Type II

Audit in flight.

Initial Type I attestation targeted for late 2026; Type II report twelve months thereafter. We are working with a recognised auditor and will publish the bridge letter to qualified prospects under NDA.

— In flight · 2026
— ISO 27001

ISMS being stood up.

Information Security Management System scoped and being implemented through 2026. Stage 1 audit targeted Q2 2027. Certificate published here on issue.

— In flight · 2026–27
— Data Protection

Built to support India's DPDP Act and GDPR-aligned handling.

We process personal data only where the engagement requires it, only with documented purpose, and only for the period agreed in the engagement contract. Standard data subject rights honoured — access, correction, deletion, restriction, portability, objection.

— Live
— AI & model risk

We test what we ship.

Every AI system we build for a client ships with an evaluation harness. Production agents have explicit guardrails, observability, and human-in-the-loop fallbacks for consequential actions. We do not deploy models we have not measured.

— Live
— Vendor onboarding

We complete your questionnaire.

Standard procurement questionnaires (CAIQ, vendor risk, supplier security, DPA, master agreement) — we have boilerplate responses prepared and will work through bespoke ones within standard procurement timelines. Reach [email protected] to begin.

— Live
§ 02
Certifications & controls roadmap

What we'll be auditable on, and when.

  1. — Q3 2026
    Information Security Management System baseline — policies, asset inventory, access controls, incident response, business continuity.
    Internal milestone
  2. — Q4 2026
    SOC 2 Type I — initial point-in-time attestation across Security, Availability, Confidentiality.
    Report under NDA
  3. — Q2 2027
    ISO 27001 — Stage 1 audit; Stage 2 to follow within the quarter.
    Certificate published
  4. — Q4 2027
    SOC 2 Type II — observation period closed; full report available to qualified prospects.
    Report under NDA
  5. — 2028
    CSA STAR Level 2 (cloud-services-specific), HIPAA readiness if healthcare workload demands it, additional regional certifications as engagement geography requires.
    Demand-led
§ 04
Reach the right person

If you're evaluating us.

Write to [email protected] for a security questionnaire response, an architecture review, or a SOC 2 bridge letter request under NDA.

Write to [email protected] for vendor onboarding, master service agreements, data processing addenda, and master commercial terms.

Write to [email protected] for any data-subject request, data-handling clarification, or sub-processor inventory.

If you're not sure which inbox: [email protected], and we'll route it.