Revopush security statement

Last updated: July 11, 2026

Security is fundamental to an over-the-air update platform. Revopush is designed to protect customer accounts, application data, and the update delivery path through layered infrastructure controls, trusted service providers, controlled access, and continuous vulnerability management.

This statement provides a public overview of the security practices and technology providers used to operate Revopush. It is intended for customers, prospects, auditors, and other external stakeholders and is available without authentication.

Security at a glance

  • Customer data is encrypted in transit using HTTPS/TLS and at rest using Microsoft Azure encryption controls.
  • Core services run on Microsoft Azure, with Cloudflare protecting and delivering traffic at the edge.
  • Access is limited by role and operational need, and users authenticate through Google, Microsoft, or GitHub SSO.
  • Every Revopush-owned public and private GitHub repository is covered by automated vulnerability scanning.
  • Security events are monitored and handled through an incident response process.

Secure infrastructure

Revopush runs its core cloud infrastructure on Microsoft Azure. We use Azure services to host and operate the platform, while access to production systems is restricted to authorized personnel and limited according to operational need.

Cloudflare provides an additional edge layer in front of Revopush services. It helps us deliver traffic reliably and protect public endpoints from common internet-based threats. Connections to Revopush web services are protected in transit using HTTPS.

OTA update delivery

Revopush delivers JavaScript bundles and related assets to mobile applications over secure network connections. Access to applications, deployments, and releases is controlled through authenticated accounts and API credentials.

Customers remain in control of which releases they publish and which deployments receive them. API keys and other credentials should be treated as secrets and stored only in appropriate secret-management systems, including the protected secret stores provided by CI/CD platforms.

Access control and authentication

Revopush supports single sign-on through trusted identity providers:

  • Google
  • Microsoft
  • GitHub

Authentication is delegated to the selected identity provider. Revopush does not collect or store the user's password for these providers. Customers should enable multi-factor authentication and follow the security guidance offered by their identity provider.

Access to internal systems and third-party services is granted according to role and operational need. We review and remove access when it is no longer required.

Secure development practices

Revopush uses GitHub to host its source code. Both private and public Revopush repositories are covered by automated vulnerability scanning. This gives the team continuous visibility into known vulnerabilities in application code and dependencies so findings can be reviewed and remediated.

Changes to the platform are tracked through version control and reviewed as part of the development workflow before they reach production. Dependencies and vulnerability findings are reviewed as part of normal engineering work, and remediation is prioritized according to risk.

Revopush does not require access to a customer's source-code repository to deliver an OTA release. Customers can build a release in their own environment or CI/CD system and upload the resulting bundle and assets using Revopush tooling.

Data protection

We limit the data collected and processed to what is needed to provide, secure, support, and improve the service. Access to customer and operational data is limited to authorized personnel and services.

Encryption in transit. Network traffic between customers, applications, and Revopush web services is encrypted in transit using HTTPS/TLS.

Encryption at rest. Customer data stored within Revopush's Microsoft Azure environment is encrypted at rest using Azure-provided encryption controls. Payment card data is handled by Stripe and is not stored in Revopush systems.

Our cloud and edge providers maintain their own physical, operational, and infrastructure security controls.

For more information about the personal data we collect, how it is used, and customer rights, see the Revopush Privacy Policy.

Monitoring and incident response

We monitor the availability and operation of Revopush services and investigate events that may affect the confidentiality, integrity, or availability of the platform. Service availability information is published on the Revopush status page.

Our incident response process covers identification, investigation, containment, remediation, recovery, and follow-up. Security events are triaged according to their potential impact and escalated to the appropriate technical owner.

If a confirmed security incident affects customer data or use of the service, we will communicate with affected customers in accordance with applicable legal and contractual requirements.

Vulnerability management

Automated vulnerability scanning runs across all Revopush-owned private and public repositories. Findings are assessed based on severity, exploitability, and potential impact, then prioritized for remediation.

We also keep platform components and dependencies under review so security updates can be evaluated and applied as part of our normal engineering process.

Third-party service providers

Revopush relies on established providers for specific parts of the service:

  • Microsoft Azure — cloud hosting and infrastructure
  • Cloudflare — edge delivery and protection for public services
  • GitHub — source-code hosting and development security tooling
  • Google, Microsoft, and GitHub — SSO identity providers
  • Stripe — subscription and payment processing

Each provider is responsible for the security of the services it operates. We limit integrations and permissions to the access needed for their intended purpose.

Secure payments

Revopush uses Stripe to process subscription payments. Payment card details are submitted to and processed by Stripe; Revopush does not store full payment card numbers or card security codes on its systems.

Stripe's own security and compliance information is available from the Stripe Trust Center.

Security is a shared responsibility

Revopush secures the cloud service and the systems used to deliver it. Customers are responsible for protecting their identity-provider accounts, API keys, CI/CD credentials, signing keys, and access to their applications and deployments.

We recommend using multi-factor authentication, applying least-privilege access, rotating credentials when team membership changes, and never placing secrets directly in source code or build logs.

Ownership and review

The Revopush Engineering team owns this security statement and is responsible for keeping it aligned with current infrastructure, security practices, audits, and policies. The statement is reviewed at least annually and whenever a material change affects our security or compliance posture. The latest review date is shown at the top of this page.

Reporting a security issue

If you believe you have found a vulnerability or security incident involving Revopush, please email [email protected]. Include enough detail for us to reproduce and investigate the issue, but do not include sensitive customer data or publicly disclose the issue before we have had an opportunity to respond.

For general questions about this statement or Revopush security practices, contact [email protected].