---
title: "RevenueCat Security & Compliance"
description: "RevenueCat supports GDPR compliance and acts as a data processor when handling your end users’ personal data."
---

# RevenueCat Security & Compliance

At RevenueCat, protecting your data – and your customers’ – is core to our mission of making in‑app purchases simple and reliable for every developer. We follow industry‑leading standards, independent audits, and rigorous internal controls to earn and keep your trust.

**Certifications & Frameworks**

- **SOC 2 Type II**

Our controls for security, availability, and confidentiality are audited annually by an independent CPA firm. The latest report is available under NDA upon request.


- **GDPR & Global Privacy**

RevenueCat complies with EU and UK data-protection laws, California’s CCPA/CPRA, and Brazil’s LGPD, and processes your end-user data only as a data processor under our DPA and your documented instructions.
### **Infrastructure Security**

- **Encryption everywhere** – All data in transit and at rest is protected using industry-standard security protocols.


- **Continuous monitoring** – Automated alerting, log aggregation, and 24 × 7 on‑call response protect against incidents.


- **Secure SDLC** – Every code change passes peer review, static analysis, and CI security checks before deployment.


- **Active cloud security monitoring** – RevenueCat uses leading industry cloud security services to continuously scan and audit services, detect vulnerabilities or misconfigurations and detect anomalies and threats.


### **Operational Practices**

- **Vendor due diligence** – All third‑party providers undergo security and privacy reviews, and critical vendors hold equivalent certifications.


- **Employee security** – Staff complete background checks, annual security awareness training, and mandatory MFA on all company systems.


- **Business continuity** – Daily encrypted backups, redundant services, and tested disaster‑recovery plans ensure uptime and data integrity.


### **Responsible Disclosure**

If you discover a vulnerability, please email **[security@revenuecat.com](mailto:security@revenuecat.com)**. We investigate and remediate all valid reports promptly and appreciate responsible researchers.

We run a [**HackerOne**](https://hackerone.com/) bounty program to engage with security researches and encourage responsible disclosure.

### **Need more details?**

Enterprise customers can request our SOC 2 report, completed questionnaire (e.g., CAIQ, SIG), or a copy of our Information Security Policy by contacting **sales@revenuecat.com**.
