
Security

Last updated April 30, 2026.


RevenArc is built for hospitality teams that rely on connected operational data. Our security program is designed to protect the confidentiality, integrity, and availability of Customer Data while supporting practical deployment across hotels, restaurants, outlets, and related hospitality operations.

This page describes RevenArc’s general security practices. Specific contractual commitments are governed by the applicable agreement, Order Form, DPA, and any security addendum signed by RevenArc.

1. Security Philosophy

RevenArc applies the following principles:

  • collect and process only data reasonably necessary for the Services;
  • protect data in transit and at rest using appropriate safeguards;
  • limit access based on role and business need;
  • separate customer environments and permissions through technical and organizational controls;
  • monitor systems for security, reliability, and abuse;
  • review vendors and subprocessors that may process Customer Data;
  • maintain incident response, backup, and recovery procedures;
  • design AI and analytics workflows with human review, privacy, and operational accountability in mind.

2. Shared Responsibility

Security is a shared responsibility between RevenArc and each customer.

RevenArc is responsible for implementing safeguards for the Services under its control. Customers are responsible for:

  • managing account administrators and Authorized Users;
  • using strong credentials and multi-factor authentication where available;
  • promptly removing users who no longer need access;
  • configuring PMS, POS, CRM, reservation, Academy, and other integrations appropriately;
  • limiting data submitted to RevenArc to data necessary for the Services;
  • maintaining security of customer networks, endpoints, devices, identity providers, and third-party systems;
  • reviewing Outputs before operational use;
  • complying with internal policies and applicable law.

3. Access Controls

RevenArc uses role-based access controls and authentication procedures designed to restrict access to Customer Data to authorized personnel and systems. Internal access is granted based on business need and is reviewed periodically.

Customer administrators are responsible for configuring user permissions within their account and ensuring that each Authorized User has access only to the data and features appropriate for their role.

3.1 Gateway-Based Access Architecture

RevenArc may use a gateway architecture for public application access. The gateway manages public login, logout, browser session issuance, route scoping, product selection, and signed identity headers for downstream product services. Product applications are designed to accept authenticated identity from the gateway and to enforce product- and role-specific access controls for RevenArc Hotel, RevenArc Restaurant, portfolio users, property or restaurant leaders, department leaders, and guest-facing staff.

3.2 Internal Service Access

RevenArc may use internal service keys for trusted automation, support, administrative workflows, monitoring, or service-to-service operations. Internal service keys are restricted to authorized systems, rotated or revoked as appropriate, and used only for authorized operational purposes.

4. Encryption and Data Protection

RevenArc uses encryption for data in transit and applies encryption or equivalent safeguards for data at rest where appropriate. We use technical and organizational controls designed to protect Customer Data from unauthorized access, disclosure, alteration, or destruction.

Customers should not submit full payment card numbers, card security codes, protected health information, government identification numbers, biometric information, or other prohibited data unless RevenArc has expressly agreed in writing.

5. Infrastructure and Availability

RevenArc uses cloud infrastructure, hosting, monitoring, logging, and operational controls designed to support reliability and availability. Current or expected infrastructure may include Railway for RevenArc application runtime and Vercel/v0 for the public marketing website, depending on the deployed Service or website component.

RevenArc’s public application routing may use a gateway service that routes users to product-specific surfaces such as RevenArc Hotel and RevenArc Restaurant. Product applications may run behind the gateway rather than exposing independent public login surfaces.

Unless a signed service-level agreement states otherwise, RevenArc does not guarantee uninterrupted operation, error-free performance, or any specific uptime percentage.

5.1 Prototype, Pilot, and Demo Data Controls

Certain pilot, demo, or prototype environments may use seeded demo data, limited-scope test data, or prototype storage. Customer production data should be processed only in environments approved for customer use and governed by the applicable Order Form, DPA, and security controls.

6. Monitoring and Logging

RevenArc maintains logs and monitoring systems to support security, troubleshooting, auditability, fraud prevention, abuse detection, and operational reliability. Logs may include authentication activity, system events, API activity, error data, and product usage telemetry.

7. Secure Development

RevenArc’s development practices are designed to reduce security risk through code review, testing, vulnerability management, dependency review, access controls, and deployment controls. Security issues are prioritized based on severity, exploitability, and potential impact.

8. Vendor and Subprocessor Management

RevenArc reviews vendors and subprocessors that may access Customer Data and requires appropriate confidentiality, security, and data protection obligations. Subprocessors may be used for hosting, infrastructure, AI inference, analytics, communications, support, security, payment processing, website deployment, and product operations.

Current or expected vendor categories may include Railway, OpenAI, Vercel/v0, GitHub, Square where enabled by a customer, and confirmed email, payment, support, CRM, analytics, or security vendors. Customer-directed PMS, POS, reservation, spa, CRM, and similar integrations may be governed by the customer’s direct relationship with the connected provider.

Customers may request current subprocessor information by contacting security@revenarc.com.

9. Incident Response

RevenArc maintains incident response procedures for detecting, investigating, containing, and remediating security incidents. If RevenArc confirms a Security Incident affecting Customer Data, we will notify affected customers without undue delay and provide information reasonably available to support customer response obligations, subject to legal, security, and confidentiality limitations.

10. Data Retention and Deletion

Customer Data is retained according to the applicable agreement, DPA, product settings, legal obligations, backup cycles, and customer instructions. Upon termination, expiration, or valid deletion request, RevenArc will delete or return Customer Data as required by the applicable agreement and law, subject to backup, archival, security, legal, and legitimate business retention requirements.

11. AI and Analytics Controls

RevenArc’s AI and analytics features are intended to assist hospitality teams with insight generation, coaching, training, and operational review. They are not designed to replace human judgment or make legally significant decisions about individuals.

RevenArc may use third-party AI providers, including OpenAI, to generate Outputs. Customer Data sent to AI providers depends on Customer configuration, connected systems, user permissions, and prompt context. RevenArc will use reasonable controls to limit AI processing to data reasonably necessary for the configured AI Feature and applicable customer instructions.

Customers should implement internal review processes before using Outputs for staff coaching, guest operations, revenue strategy, or other business action. Customers should not use Outputs as the sole basis for employment, compensation, discipline, or similar decisions.

12. Compliance Documentation

RevenArc may make security documentation, questionnaires, architecture summaries, or compliance materials available under confidentiality restrictions where appropriate. Unless a specific certification, audit report, or attestation is provided by RevenArc in writing, this page should not be interpreted as representing that RevenArc has obtained any particular certification, audit report, or regulatory attestation.

13. Responsible Disclosure

If you believe you have discovered a security vulnerability in RevenArc’s website or Services, contact security@revenarc.com with sufficient detail to allow us to investigate. Do not access, modify, destroy, exfiltrate, or disclose data that does not belong to you. Do not perform disruptive testing, denial-of-service testing, social engineering, spam, physical attacks, or testing of third-party systems.

We appreciate good-faith reports and will review them as appropriate.

14. Contact

Security questions may be sent to:

RevenArc LLC
Email: security@revenarc.com

(C) 2026 RevenArc LLC. All rights reserved.