Legal and technical review required. This page is a plain-language template provided for review. Confirm each statement against the final infrastructure and connected providers, and have it reviewed by your own counsel before you rely on it publicly. It does not claim a certification, audit result, compliance status, data residency, or deployment-specific security guarantee.
Our principles
- Read-only by default. On systems of record, RevvOS reads and reports; writes or sends must be explicitly enabled.
- Human approval first. Customer-facing messages and financial actions start as drafts for a person to review. The current dashboard approval flow records review actions; it does not itself send a message.
- Unavailable means unavailable. Dashboard screens show explicit unavailable or empty states when a required feed has not been populated rather than inventing production data.
Role-gated access
The application supports signed-in admin, staff, and demo roles. Admin access is required for setup and QuickBooks configuration, normal dashboard actions are available to staff, and demo access is read-only. The final user roster and role behavior must be configured and tested for each deployment.
Setup and connection values
The setup form accepts allowlisted connection fields and sends them to the server. After saving, the browser receives connection labels and configured status rather than saved connection values. A configured status does not prove that vendor credentials are valid or that a dashboard feed is live.
Deployment-specific controls
Encryption behavior, hosting location, retention, credential rotation, monitoring, incident handling, subprocessors, backups, and any local processing depend on the deployed architecture and operational owners. They must be verified and documented for the customer deployment before corresponding claims are published.
Connected providers and data pipeline
RevvOS relies on connected third-party systems and on a separate data pipeline to populate dashboard feeds. Each enabled collector, permission scope, destination, schedule, and feed status must be tested independently. The setup screen alone does not create vendor accounts, test credentials, start collectors, or establish provider availability.
Responsible disclosure
If you believe you have found a security issue, please email team@simplufy.com with the details. We appreciate reports made in good faith.
Contact
Security questions? Email team@simplufy.com.