RevenueCat Security & Compliance

At RevenueCat, protecting your data – and your customers’ – is core to our mission of making in‑app purchases simple and reliable for every developer. We follow industry‑leading standards, independent audits, and rigorous internal controls to earn and keep your trust.

Certifications & Frameworks

  • SOC 2 Type II

    Our controls for security, availability, and confidentiality are audited annually by an independent CPA firm. The latest report is available under NDA upon request.

  • GDPR & Global Privacy

    RevenueCat complies with EU and UK data-protection laws, California’s CCPA/CPRA, and Brazil’s LGPD, and processes your end-user data only as a data processor under our DPA and your documented instructions.

Infrastructure Security

  • Encryption everywhere – All data in transit and at rest is protected using industry-standard security protocols.

  • Continuous monitoring – Automated alerting, log aggregation, and 24 × 7 on‑call response protect against incidents.

  • Secure SDLC – Every code change passes peer review, static analysis, and CI security checks before deployment.

  • Active cloud security monitoring – RevenueCat uses industry-leading cloud security services to continuously scan and audit services, detecting vulnerabilities, misconfigurations, anomalies, and threats.

Operational Practices

  • Vendor due diligence – All third‑party providers undergo security and privacy reviews, and critical vendors hold equivalent certifications.

  • Employee security – Staff complete background checks, annual security awareness training, and mandatory MFA on all company systems.

  • Business continuity – Daily encrypted backups, redundant services, and tested disaster‑recovery plans ensure uptime and data integrity.

Responsible Disclosure

If you discover a vulnerability, please email security@revenuecat.com. We investigate and remediate all valid reports promptly and appreciate responsible researchers.

We run a HackerOne bounty program to engage with security researchers and encourage responsible disclosure.

Need more details?

Enterprise customers can request our SOC 2 report, completed questionnaire (e.g., CAIQ, SIG), or a copy of our Information Security Policy by contacting sales@revenuecat.com.