Security and Compliance

Hub for Reverba's security posture, formal policies, and compliance with LGPD (Brazilian Data Protection Law), GDPR, and marketplace requirements. Operated by Oneck Creative LTDA (Tax ID 37.874.433/0001-86).

Version: v1.0

1. Overview

Reverba is a multi-tenant conversational CRM platform. We process personal data of operators (Reverba customers) and their end-contacts (the customer's final customers). For TikTok Shop, Mercado Livre, and Shopee integrations, we operate as a Service Provider — sellers grant access via official OAuth flows and can revoke at any time.

Our security posture is built on three principles:

  • Multi-tenant isolation by design: every record is scoped by tenant, validated by automated tests on every deploy.
  • Encryption at every layer: TLS 1.2+ in transit, bcrypt for passwords, AES-256-GCM for marketplace tokens, full disk encryption at rest.
  • Honesty about limits: we publish what we have and what we don't (no SOC 2 or ISO 27001 yet — see the roadmap below).

2. Technical controls (summary)

  • TLS 1.2+ on all public endpoints, HSTS active, security headers via helmet.
  • Passwords stored with bcrypt (cost factor 10). JWT authentication with a 15-minute access-token TTL and 30-day rotating refresh tokens.
  • Marketplace OAuth tokens encrypted at rest with AES-256-GCM (TikTok Shop, Mercado Livre, Shopee, Meta).
  • Multi-tenant isolation via AsyncLocalStorage + Prisma middleware. Tested end-to-end on every deploy.
  • Global input validation with class-validator (forbidNonWhitelisted enabled, so undeclared fields are rejected), plus Zod schemas for critical payloads.
  • Rate limiting on sensitive endpoints (login, recovery, signup).
  • HMAC-SHA256 validation on every inbound webhook (TikTok Shop, Shopee, Mercado Livre, Meta).
  • Audit log for destructive actions and permission changes — actor, timestamp, IP, sanitized payload.
  • Structured logging (Pino) with request-id per call.
  • CORS allowlist (no wildcards), VPS firewall isolating Postgres from public internet.

See the full Information Security Policy for governance, vendor management, vulnerability SLAs, and roadmap.

3. Regulatory compliance

  • LGPD (Brazilian Law 13.709/2018): Reverba acts as Controller for Operator data and Processor for End-Contact data uploaded by Customers. DPO appointed (Art. 41), retention table published (Art. 16), incident response within 72 hours (Art. 48). See the Privacy Policy.
  • GDPR (EU Regulation 2016/679): subject rights honored under Articles 15-22, breach notification per Article 33, sub-processor list maintained per Article 28(2-4).
  • TikTok Shop Open Platform: Service Provider App with customer_service, order, webhook scopes. Tokens encrypted, HMAC-validated webhooks, deletion on contract end within 30 days.
  • Mercado Livre / Shopee Open Platforms: equivalent posture; tokens encrypted, scope minimization, data deletion on revocation.
  • Marco Civil da Internet (Brazilian Law 12.965/2014): connection logs retained per Article 15, application logs per Article 13.

4. Formal documents

The complete set of public-facing legal and security documents:

5. Contact the security team

Operating entity: Oneck Creative LTDA — CNPJ 37.874.433/0001-86 — Limeira/SP, Brazil.