Trust Center
Security & Privacy at EPM Monitor
Our commitment to your data: what we collect, where it lives, who can access it, and how we keep it safe. Updated continuously, last reviewed .
12/13
GDPR controls
Self-service DSAR
5/5
SOC 2 CCs mapped
Type II planning
TLS 1.3
Encryption in transit
DTLS-SRTP for live view
AES-256
Encryption at rest
Supabase / R2
Architecture & data flow
Where data lives
- Postgres (Supabase, EU/US regions)
- Screenshots: customer's own Google Drive OR Cloudflare R2
- Firebase RTDB (signaling + config push only, never media)
Live screen view
- WebRTC peer-to-peer: media never touches our servers
- DTLS-SRTP encryption end-to-end
- Session-bound, audited, optional consent prompt
Authentication
- bcrypt(12) for passwords
- Optional TOTP 2FA for admins
- Session tokens with 12 h TTL, server-side hashed
- Google / Microsoft SSO supported
Sub-processors
We rely on the following processors. Each has a Data Processing Agreement signed.
| Vendor | Purpose | Region | Certifications |
|---|---|---|---|
| Supabase | Postgres, Auth, Edge Functions | US / EU / Asia (selectable) | SOC 2 Type II |
| Google Workspace | Customer's own Drive (screenshot storage) | Customer-controlled | SOC 2 / ISO 27001 |
| Cloudflare | R2 (binary distribution), Workers | Global edge | SOC 2 Type II / ISO 27001 |
| Firebase RTDB | Push-config signaling (no media) | Asia-Southeast | SOC 2 / ISO 27001 |
What we collect, and what we don't
We collect
- Active application name + window title
- URLs visited (in non-private windows)
- Active vs idle time (mouse/keyboard activity timing only)
- Periodic screenshots (configurable interval)
- USB device connect/disconnect events
- Clipboard contents only when matching a configured DLP pattern
We never collect
- Keystrokes
- Microphone audio
- Webcam video
- Personal device content
- Files from personal cloud accounts
- Banking credentials or stored passwords
Customer & employee rights
Right to access
Self-service JSON export of all data on any employee via the Compliance dashboard.
Right to erasure
One-click cascade-delete: activity, screenshots, DLP events, user (atomic).
Right to object
Employees can object directly to the customer's DPO listed on the auto-rendered privacy notice.
Incident response
If you suspect a security incident:
- security@reevtech.in
- Acknowledge within 4 business hours
- Full notification within 72 hours as required by GDPR Art. 33
Documentation on request
Enterprise customers may request the following under NDA by emailing support@reevtech.in:
- Standard Contractual Clauses (EU SCCs 2021/914)
- Business Associate Agreement (HIPAA BAA)
- DPIA template (pre-completed for our processing)
- Penetration test summary
- Sub-processor list (current + change-of-processor notice policy)
- Disaster recovery & business continuity plan