Security Layers
| Layer | Technology | Description |
|---|---|---|
| Secrets at Rest | AES-256-GCM | All gateway credentials encrypted before database storage |
| Transport | TLS 1.2+ | All API traffic encrypted in transit |
| API Keys | Cryptographic Random | 24-byte keys with rev_ prefix (base64url encoded) |
| Webhook Signatures | HMAC-SHA256 | Every outbound webhook signed with the client’s webhookSigningSecret |
| Connector Webhook Verification | HMAC-SHA256 | Inbound webhooks from supported billing platforms (Chargebee, Stripe, ReCharge, etc.) are signature-verified against the client’s platform secret before processing |
| Resilience | Exponential Backoff | Outbound gateway calls retry with backoff on 5xx errors |
| Rate Limiting | Per-API-Key | 60 requests/min on recovery |
Card Data Handling
Revtain does not store, process, or transmit raw card numbers. Card data stays entirely within your existing gateway and never touches Revtain infrastructure.
When a payment fails, you pass Revtain the gateway token (e.g. a Stripe pm_xxx). That token is an opaque reference — it cannot be reversed into card data. Revtain uses it only to instruct your gateway to retry the charge against the same stored credentials.
The hosted card update page lets your customers replace their stored card without typing any details into Revtain-controlled fields. Card data flows from the customer’s browser directly into your gateway’s tokenisation API; Revtain receives only the resulting token. Your PCI scope is unchanged.
API Key Security
Your API key can trigger charges. Treat it like a database password.
- Never expose it in client-side code, public repos, or logs
- Store it in environment variables or a secret manager (AWS Secrets Manager, Vault, etc.)
- Rotate immediately if you suspect compromise — contact support@revtain.com
- Use separate keys for different environments (dev, staging, production)
Webhook Signature Verification
All outbound webhooks include an X-Revtain-Signature header. Always verify before processing — see the Webhooks Guide for code examples.
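An added verification example (not taken from the Webhooks Guide or from Revtain's own code). It assumes the X-Revtain-Signature header carries a lowercase hex HMAC-SHA256 of the raw request body, keyed with the client's webhookSigningSecret; the header's exact encoding is not specified on this page, so adjust the decoding step to match the guide.

```python
import hmac
import hashlib
from typing import Optional


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded.

    Assumption (not stated on this page): the header is a lowercase hex digest.
    Sign the raw body, never a re-serialized JSON object, or the digest will
    differ from the sender's whenever key order or whitespace changes.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only when the header matches the body under this secret.

    hmac.compare_digest runs in constant time, so a failed comparison does not
    reveal how many leading characters of the signature were correct.
    """
    if not header_value:
        return False  # missing header: reject, do not fall back to unsigned processing
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


# Constructed sample data: a plausible webhook body as the server receives it
# (raw bytes, before JSON parsing) and a made-up signing secret.
SAMPLE_SECRET = "whsec_example_not_a_real_secret"
SAMPLE_BODY = b'{"event":"recovery.succeeded","invoiceId":"inv_123","amount":4900}'


def demo() -> dict:
    """Exercise the cases a webhook handler must get right."""
    good = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    tampered = SAMPLE_BODY.replace(b"4900", b"1")  # body altered in transit
    return {
        "valid": verify_signature(SAMPLE_SECRET, SAMPLE_BODY, good),
        "tampered_body": verify_signature(SAMPLE_SECRET, tampered, good),
        "missing_header": verify_signature(SAMPLE_SECRET, SAMPLE_BODY, None),
        "wrong_secret": verify_signature("some-other-secret", SAMPLE_BODY, good),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case should pass; a handler should return an error (and log the rejection) for the other three rather than act on the payload.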
Compliance Documentation
Revtain can provide an architecture diagram, processor relationship summary, and an SOC overview under NDA for procurement reviews. Contact the Revtain team for details.