Loading Revisit...

Security & Vulnerability Disclosure

Last updated: 2025-10-26

At Leveloper Kft., we take the security of the Revisit platform and our customers' data seriously. This page outlines our security practices and provides guidance for security researchers who wish to report vulnerabilities responsibly.

Security overview

We implement industry-standard security measures to protect customer data and ensure the integrity of our platform.

Infrastructure security

  • Self-hosted in EU: All infrastructure is hosted at our facility in Szigetszentmiklós, Hungary, ensuring full control and EU data residency
  • Network segmentation: Services are isolated using Docker containers with minimal inter-service communication
  • Firewall protection: Network-level firewalls restrict access to essential services only
  • Regular updates: Operating systems, dependencies, and security patches are applied regularly
  • Access controls: Physical and logical access to infrastructure is restricted to authorized personnel only

Application security

  • Transport encryption: TLS 1.2+ with strong cipher suites for all connections
  • HSTS enforced: HTTP Strict Transport Security prevents downgrade attacks
  • Authentication:
    • Passwords hashed with bcrypt (cost factor 10)
    • JWT-based sessions with short-lived access tokens (2 hours)
    • HttpOnly, Secure, and SameSite cookies prevent XSS and CSRF attacks
    • Optional multi-factor authentication (MFA/2FA) with TOTP
    • Trusted device management with secure token storage
  • CSRF protection: Double-submit cookie pattern with server-side validation
  • Rate limiting: API endpoints protected against brute force and abuse
  • Input validation: All user inputs validated and sanitized using Zod schemas
  • SQL injection prevention: Parameterized queries via Drizzle ORM
  • XSS prevention: Content Security Policy headers and framework-level escaping

Data protection

  • Encryption at rest: Integration tokens encrypted with AES-256-GCM
  • Encryption in transit: TLS 1.2+ for all data transmission
  • Database isolation: Multi-tenant architecture with separate database per project
  • Backup encryption: Database backups are encrypted and stored securely
  • IP minimization: Optional IP address masking/truncation
  • Automatic password masking: Recorder automatically masks password input fields
  • DNT/GPC support: Honor Do Not Track and Global Privacy Control signals

Access controls

  • Role-based access: Project owners and members with granular permissions
  • Session management: View and revoke active sessions from dashboard
  • Audit logging: Security-relevant actions logged for accountability
  • API key management: Secure generation and storage of project API keys

Monitoring and incident response

  • Application logging: Structured JSON logs for security monitoring
  • Error tracking: Anomalies and errors monitored and investigated
  • Uptime monitoring: Health check endpoints and alerting
  • Incident response plan: Documented procedures for security incidents
  • Breach notification: GDPR-compliant 72-hour notification to affected customers

Vulnerability disclosure policy

We welcome reports from security researchers who discover vulnerabilities in the Revisit platform. We are committed to working with the security community to protect our customers.

Reporting a vulnerability

If you believe you have discovered a security vulnerability, please report it to us:

  • Email: security@revisit.pro (preferred) or info@leveloper.io
  • Include:
    • Description of the vulnerability and its potential impact
    • Steps to reproduce (proof of concept)
    • Affected components, URLs, or endpoints
    • Your name and contact information (if you wish to be credited)

Responsible disclosure guidelines

When testing for vulnerabilities, please:

  • Do: Use your own test account and data
  • Do: Respect user privacy and avoid accessing customer data
  • Do: Give us reasonable time (90 days) to fix the issue before public disclosure
  • Do: Report the vulnerability as soon as you discover it
  • Don't: Access, modify, or delete data belonging to other users
  • Don't: Perform destructive testing (DoS, data deletion, etc.)
  • Don't: Exploit the vulnerability beyond what is necessary to demonstrate it
  • Don't: Publicly disclose the vulnerability before we have had a chance to fix it
  • Don't: Perform social engineering attacks against our employees or customers

Out of scope

The following are not considered vulnerabilities:

  • Missing security headers on non-sensitive pages
  • Clickjacking on pages with no sensitive actions
  • Denial of Service (DoS) attacks
  • Social engineering attacks
  • Physical attacks against our infrastructure
  • Issues in third-party services (Stripe, Google, etc.) — report directly to them
  • Automated scanner reports without validation
  • Issues requiring user interaction beyond normal security awareness (e.g., "user must install malware")

Our response process

When you report a vulnerability to us:

  • Acknowledgment: We will acknowledge your report within 48 hours (2 business days)
  • Validation: We will validate and assess the severity of the issue
  • Updates: We will keep you informed of our progress toward a fix
  • Fix and disclosure: Once fixed, we will coordinate disclosure timing with you
  • Credit: We will publicly credit you for the discovery (if desired) after the fix is deployed

Safe harbor

We will not pursue legal action against security researchers who:

  • Report vulnerabilities according to this policy
  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Do not exploit vulnerabilities beyond demonstrating their existence

Data breach notification

In the event of a personal data breach affecting customer data, we will:

  • Notify affected customers without undue delay and within 72 hours where feasible (GDPR requirement)
  • Provide information about the nature of the breach, data affected, and mitigation steps
  • Work with customers to fulfill their own notification obligations to data subjects
  • Document the breach and our response for regulatory compliance

Security certifications and compliance

We are committed to maintaining compliance with relevant security and privacy standards:

  • GDPR: Full compliance with EU General Data Protection Regulation
  • CCPA/CPRA: Compliance with California privacy laws
  • ePrivacy Directive: Cookie consent and electronic communications compliance
  • PCI-DSS: No card data processed (Stripe handles all payments)

Questions or concerns

For security-related questions or concerns, please contact:

Privacy Policy·Cookies Policy·California Privacy Notice·Terms·DPA·Security