Security Statement and FAQ

Rev.com's security program is built on a foundation of industry-leading standards and best practices. We are committed to protecting your data with a multi-layered approach that includes encryption, access controls, regular assessments, and incident response.

Rev.com adheres to stringent industry standards and regulations to ensure the confidentiality, integrity, and availability of your data. 

Core Security Frameworks

SOC 2 Type 2

(System and Organization Controls 2)

Think of this as an independent audit of our security practices. A certified auditor examines our controls over a period of time (Type 2) to verify that we are consistently protecting your data.

Specifically, it focuses on these "trust service criteria":

  • Security: Protecting data from unauthorized access.
  • Availability: Ensuring our services are reliably accessible.
  • Confidentiality: Keeping sensitive information private.
  • Processing Integrity: Ensuring data is processed accurately and completely.

Essentially, SOC 2 Type 2 demonstrates that we have robust, documented, and consistently applied security controls.

HIPAA

(Health Insurance Portability and Accountability Act)

If you're dealing with any health-related information, HIPAA is crucial. It sets strict rules for protecting "protected health information" (PHI).

Rev.com implements specific safeguards to ensure PHI is handled securely, including:

  • Administrative Safeguards: Policies and procedures governing access to PHI.
  • Physical Safeguards: Measures to control physical access to systems and facilities.
  • Technical Safeguards: Technology-based controls, such as encryption and access controls.

We take HIPAA extremely seriously and have implemented controls to protect any PHI that may be processed through our services.

HIPAA compliance is available for Enterprise plans only. Contact our sales team to discuss a plan tailored to your needs.

GDPR

(General Data Protection Regulation)

This is a European Union regulation that applies to any organization that processes the personal data of EU residents. It gives individuals greater control over their personal data and imposes strict obligations on organizations.

Key aspects of our GDPR compliance include:

  • Data Minimization: Collecting only the necessary data.
  • Purpose Limitation: Using data only for its intended purpose.
  • Data Subject Rights: Providing individuals with rights like access, rectification, and deletion of their data.
  • Data Protection Impact Assessments (DPIAs): Assessing and mitigating privacy risks.

Even if you are not based in the EU, GDPR best practices are implemented company-wide.

Practical Security Measures at Rev.com

Here's how these frameworks translate into concrete security measures.

Data Encryption

We encrypt your data both "in transit" (while it's being transmitted) and "at rest" (while it's stored). This means that even if someone were to intercept or access the data, it would be unreadable without the decryption key.

Access Controls

We implement strict access controls to limit who can access your data. Only authorized personnel with a legitimate business need can access sensitive information.

We utilize the principle of least privilege, meaning employees only have access to the data that is required for their job function.

Regular Security Assessments

We conduct regular vulnerability scans, penetration testing, and security audits to identify and address any potential security weaknesses.

We also conduct regular security awareness training for our employees to ensure they understand their role in protecting data.

Incident Response

We have a comprehensive incident response plan in place to handle any security incidents quickly and effectively.

This includes procedures for detecting, containing, and recovering from incidents.

Data Center Security

Our data is stored within secure data centers with physical security measures such as surveillance, access control, and environmental controls.

Vendor Management

We carefully vet our third-party vendors to ensure they meet our security standards.

FAQ

At Rev.com, we understand that civil law firms handle highly sensitive and confidential information. We are committed to ensuring the security, privacy, and integrity of your data. Below are answers to common questions about how Rev safeguards your information when using our AI-powered transcription and captioning services.

How does Rev ensure data security and confidentiality?
Rev employs industry-leading security measures to protect customer data, including encryption in transit and at rest, secure data storage, and access controls. We comply with stringent data protection regulations and regularly review our security policies to ensure continued compliance and effectiveness.

Is Rev HIPAA compliant?
Yes. Rev Enterprise is HIPAA-compliant, meaning we adhere to the rigorous security and privacy standards required to protect healthcare-related information. We have appropriate administrative, physical, and technical safeguards in place to ensure the confidentiality and integrity of protected health information (PHI). As required by HIPAA, Business Associate Agreements (BAAs) are needed for customers sharing PHI. Speak with our sales team to learn more about Rev Enterprise accounts.

Does Rev use customer data to train AI models or large language models (LLMs)?
No. Rev does not use customer data, including transcripts, captions, or any other uploaded content, to train AI models or large language models (LLMs). Rev does not share or allow any third-party data processors to train on customer data. Rev only trains proprietary automatic speech recognition (ASR) models to improve speech-to-text accuracy while ensuring that customer data remains private and secure.

How does Rev handle customer data after a transcript is completed?
Rev retains data only as long as necessary to provide our services or as required by law. Customers can delete files from their accounts at any time, and Rev follows strict data retention and deletion policies to ensure that customer data is not stored beyond its intended use.

Will Rev respond to subpoenas requesting access to customer data?
No. Rev does not respond to subpoenas requesting access to customer data. We take customer privacy seriously and do not provide third-party access to customer files, transcripts, or other confidential information without explicit legal requirements and due process.

Who has access to my data within Rev?
Access to customer data is strictly limited to authorized personnel who need it to fulfill service requests. Rev employs role-based access controls (RBAC), multi-factor authentication, and logging mechanisms to prevent unauthorized access to customer information.

Does Rev offer enterprise-level security features for law firms?
Yes. Rev provides enterprise-grade security features, including SOC 2 Type II compliance, secure API integrations, single sign-on (SSO), dedicated data processing agreements, and custom retention policies. We work with law firms to meet their specific security and compliance needs.

How does Rev ensure data sovereignty and keep data within the US?
Rev enforces data sovereignty policies to ensure that all customer data is processed and stored within the United States. Our secure infrastructure is designed to comply with US data protection regulations, providing law firms with confidence that their sensitive information remains within US jurisdiction and under applicable legal protections.

How can I ensure my firm’s data is handled securely when using Rev?
We recommend utilizing Rev’s secure upload portals, enforcing strong access controls within your firm’s Rev account, and leveraging our security settings to manage data retention. If you have specific security concerns, our enterprise team can work with you to tailor security solutions.

For further questions, please contact our security and compliance team at security@rev.com.
