The R2 auditor is here.
You're ready.

You handle other people's data for a living. Every laptop that rolls off the truck might contain financial records, employee files, or worse. Your tools need to take that as seriously as you do. EU data centers. Database-level tenant isolation. Per-drive erasure tracking. Audit trails on everything. Compliance documentation that builds itself.

Built for an industry that gets audited.

GDPR Compliant

Your clients hand you laptops full of employee data, financial records, and things they'd rather nobody saw. We treat that responsibility the same way you do. Full GDPR compliance. DPAs ready to sign. Right to erasure implemented — for real, not “we'll get to it.”

ISO 27001 Aligned

Your security questionnaire has 47 questions and you're tired of answering them for every vendor. We've aligned with ISO 27001 so you can point your clients to our documentation instead of writing a novel every time someone asks “how do you protect our data?”

R2 / R2v3 Ready

If you're R2 certified, you know the documentation requirements are relentless. Chain of custody, downstream vendor tracking, data security verification, environmental compliance — ReVend OS generates all of it as you work. The auditor shows up, you pull the report, you go back to your coffee.

ADISA Compatible

Per-drive erasure tracking with Blancco-compatible certificates. Because the ADISA auditor knows that Dell Latitude had two NVMe drives, and “we wiped the laptop” isn't good enough. Per-drive status. Per-drive certificate. Per-drive peace of mind.

Security isn't a feature. It's the architecture.

We didn't bolt security on after the fact. We built the platform with it.

EU Data Residency

Frankfurt, Germany. eu-central-1. Your data doesn't leave the European Union. Not for processing, not for backups, not for analytics, not because some engineer in California wanted to debug something. It stays in the EU. Full stop.

Encryption Everywhere

AES-256 at rest. TLS 1.3 in transit. The data on disk is encrypted. The data moving between your browser and our servers is encrypted. There is no moment where your data sits unencrypted, hoping nobody looks.

Tenant Isolation

Postgres Row Level Security on every single table. Your competitor who also uses ReVend OS cannot see your data. Not through the API, not through a bug, not through anything. The database itself enforces the walls between tenants. Not the application. The database.

Role-Based Access + MFA

Your warehouse operator doesn't need to see settlement financials. Your sales team doesn't need to see internal grading notes. Your intern definitely doesn't need admin access. Each role sees exactly what it should. Nothing more. TOTP-based multi-factor authentication is enabled on every account, because a strong password alone is not enough in 2026.

Append-Only Audit Trails

Who moved that asset from Zone A to Zone B? When was the grade changed from B to C, and by whom? Who approved the settlement? Everything is logged. Everything is searchable. The audit_events table is append-only at the database trigger level — nobody, including platform admins, can rewrite history. The chain of custody on every asset is immutable. When the auditor asks, you don't have to guess. And nobody can quietly tidy up.

Defence-in-Depth Database

Seventy-three SECURITY DEFINER functions had their callers explicitly locked down. RLS policies consolidated. search_path pinned on every function, so there is no privilege escalation through schema shadowing. The application layer enforces tenancy; the database layer enforces it again, in case the application gets it wrong.
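
As an added illustration (not ReVend OS code), the three database controls described above, per-tenant Row Level Security, an append-only audit_events table and a locked-down SECURITY DEFINER function, look like this in PostgreSQL. The column layout, the app_user role, the app.tenant_id session setting and the function names are assumptions; only the audit_events table name comes from this page.

```sql
-- Added illustration. Assumed names: app_user, app.tenant_id, the columns, the functions.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE audit_events (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    actor      text        NOT NULL,
    action     text        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Tenant isolation: FORCE makes the policies bind the table owner too.
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_read ON audit_events FOR SELECT
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid);
CREATE POLICY tenant_write ON audit_events FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
GRANT SELECT ON audit_events TO app_user;  -- no direct INSERT/UPDATE/DELETE

-- Append-only: every UPDATE, DELETE or TRUNCATE is rejected by a trigger.
CREATE FUNCTION audit_events_reject_change() RETURNS trigger
LANGUAGE plpgsql SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    RAISE EXCEPTION 'audit_events is append-only (% rejected)', TG_OP;
END $$;
CREATE TRIGGER audit_events_no_rewrite BEFORE UPDATE OR DELETE ON audit_events
    FOR EACH ROW EXECUTE FUNCTION audit_events_reject_change();
CREATE TRIGGER audit_events_no_truncate BEFORE TRUNCATE ON audit_events
    FOR EACH STATEMENT EXECUTE FUNCTION audit_events_reject_change();

-- The only write path: SECURITY DEFINER, search_path pinned (pg_temp last),
-- schema-qualified table reference, EXECUTE revoked from PUBLIC.
CREATE FUNCTION log_audit_event(p_actor text, p_action text) RETURNS bigint
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
    INSERT INTO public.audit_events (tenant_id, actor, action)
    VALUES (current_setting('app.tenant_id')::uuid, p_actor, p_action)
    RETURNING id;
$$;
REVOKE ALL ON FUNCTION log_audit_event(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION log_audit_event(text, text) TO app_user;
```

The triggers stop UPDATE, DELETE and TRUNCATE; the guarantee also depends on operational roles not holding the right to alter the table or disable its triggers.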

Incident Response

We have documented procedures for security incidents, including notification within 72 hours per GDPR. We've tested them. We hope to never use them. But the procedures exist, the team is trained, and nobody has to improvise at 3am.

Every device is a liability until it's wiped.

That Dell Latitude from the bank? It might have customer financial records on the SSD. That HP from the hospital? Medical records. That ThinkPad from the law firm? You don't even want to know.

ReVend OS tracks data security from the moment a device arrives. Data-bearing devices are flagged at check-in. Erasure is tracked per drive, not per device — because that laptop with two NVMe drives needs two certificates. Blancco-compatible reports attach automatically.

When the ADISA auditor asks “how do you prove erasure for storage device B in laptop RV-000003412?” you pull up the record. Drive serial number. Erasure method. Timestamp. Certificate number. Time elapsed since you stopped worrying: zero seconds. Because you never started.

Documentation that builds itself while you work.

You know that end-of-quarter panic where the compliance team needs R2 documentation and everyone scrambles? That doesn't happen when the documentation generates as you work.

Process a device through the standard workflow: receive, test, grade, wipe, ship. At each step, the relevant compliance artifacts create themselves. Certificates of recycling. Certificates of destruction. Downstream vendor documentation. Mass balance reports. ESG sustainability data. All linked to the right devices, the right orders, the right clients.

Audit preparation goes from “three people, two weeks, one sense of impending doom” to “pull the report, send the link, go back to work.” Your compliance officer might actually smile. We can't guarantee that part.

Your data is yours. That's not negotiable.

Full data export at any time. CSV, JSON, whatever format your systems need. Every asset, every grade, every erasure certificate, every settlement — yours to download in one click. We made it easy to leave because we're confident you won't want to. But if you do, your data walks out the door with you. No retention fees. No lock-in. No “please contact your account manager to discuss options.” Ninety days of grace period after cancellation, then we delete everything. Not “scheduled for cleanup.” Deleted.

We sign DPAs before breakfast. We welcome security reviews — even the ones with 47 questions where half of them ask the same thing in different words. We'll walk your DPO through our architecture before you sign anything. Send us your security questionnaire. We've probably answered a worse one last week. Transparency isn't a marketing claim. It's the default. If your compliance officer wants to talk to our engineering team directly, we'll set up the call. They might even enjoy it.

Questions about security?

We're happy to walk your team through our security architecture. Or send over your security questionnaire. We've probably answered it before.