We take your privacy seriously

Revolut People maintains a policy for security management and activities, as well as the ongoing monitoring and review of security controls, systems, and procedures. Fees and T&Cs apply.

Governance and compliance

Revolut People, as a part of Revolut, maintains a policy of internal and external auditing and assurance to ensure our continuing compliance with overarching regulatory and industry requirements.

Revolut People completed an SOC 2 Type 2 audit to provide an independent report on the operating effectiveness of its controls with respect to security.

Revolut obtained an ISO 27001 certificate to provide assurance on the maturity of its organisational information security management systems. Revolut also maintains a PCI DSS and PCI 3DS-compliant environment to ensure the security of card-handling processes and systems.

  • Security Programme and Policies

    Revolut People, as part of Revolut's suite of products, maintains a security programme which includes documented policies aligned to ISO 27001. These are updated and approved annually, then communicated to appropriate personnel. These personnel are assigned roles and responsibilities for security management and activities, and the ongoing monitoring and review of security controls, systems and procedures.


Security training and awareness

Revolut People operates mandatory training and awareness programmes for privacy and information security. These ensure staff understand their obligations and responsibilities to comply with Revolut's security and privacy policies and procedures.

Staff complete the training upon hire, and annually thereafter. The formal training is supported by awareness communications to staff, related to role-specific responsibilities and information security threats.

Network and operational security controls

As part of Revolut, Revolut People implements policies and procedures for network and operational security management, with requirements to maintain protections for information systems and networks, including:

  • change control
  • network protections and segmentation
  • separation of production and non-production environments
  • malware protection
  • security logging and monitoring
  • protection of data in transit and at rest
  • vulnerability management and patching

Incident response

Revolut People established security incident response plans to minimise adverse impact on business operations or our customers, and to ensure a quick, effective, and orderly response to information security incidents.

The plans include clear reporting, escalation, and communication procedures.

Continuity and availability

Revolut People established specific disaster recovery and business continuity plans for the recovery of the platform. These plans are tested periodically to ensure they are appropriate and accurate.

The Revolut People team implements measures to ensure ongoing availability and recovery including data replication, service redundancy, and data backup and recovery procedures.

Data Availability & Redundancy

For resilience purposes, database cluster replicas are hosted in different cloud regions, which are utilised as a hot-standby backup. Hourly snapshots are retained for 72 hours, with daily snapshots retained for 90 days.

Transactional level logs are stored for 7 days, which (in combination with daily and hourly snapshots) allows for point-in-time recovery for any database transaction within the last 7 days.

Our primary database is hosted in the UK and/or EU, based on customer requirements. Backup files are stored in a separate data center to ensure data security and redundancy.

Access controls

Revolut People, as part of Revolut’s suite of products, implemented access controls to limit system and information access to authorised personnel only.

These involve controls and defined processes which enforce:

  • robust user authentication mechanisms
  • role-based access controls
  • password policies
  • access authorisation
  • access reviews
  • revocation processes

Physical access controls

Revolut People uses reputable third-party service providers to host its production infrastructure.

Revolut relies on these third parties to manage the physical access controls to the data-centre facilities that they manage.

Regular Security Assessments

Revolut People undergoes periodic security assessments to validate the security of its systems and applications.

These include security design review, vulnerability scans, and periodic penetration tests to identify and address potential weaknesses in the security infrastructure.

  • Encryption, Data Minimization, and Segregation

    Revolut People applies encryption techniques to protect data both in transit and at rest. This involves encrypting data during transmission over networks and storing it in an encrypted format on storage systems. Revolut People adheres to the principle of data minimisation by collecting and retaining only necessary and relevant personal information. Revolut implements segregation of data through the logical separation of different types of data and restrictions on unauthorised access to different user groups.


Get in touch with us at contact@revolutpeople.com for more information on any of the details on this page.