Security

How we protect your data

Trevy handles sensitive real estate data — your contacts, emails, deals, and client communications. We take that responsibility seriously. Here's how we protect it.

Encryption

In transit

All data transmitted between your browser and our servers is encrypted with TLS 1.2 or higher.

At rest

Sensitive credentials — your FUB API key, Gmail tokens, and Outlook tokens — are encrypted with AES-256-GCM before storage. Your password is hashed with bcrypt and never stored in plaintext.

Payments

Payment processing is handled entirely by Stripe. Your card number never touches our servers. Stripe is PCI-DSS Level 1 certified.

Authentication & Access

OAuth sign-in

Sign in securely with Google or Microsoft. We never see or store your Google/Microsoft password.

Session management

Sessions use signed JWT tokens that expire after 7 days. All API endpoints require authentication.

Webhook verification

All incoming webhooks (Follow Up Boss, Stripe) are verified using HMAC signatures to prevent spoofing.

Data Isolation

Trevy is a multi-tenant platform. Every database query is filtered by your account ID. Your data is never accessible to other customers, and team members only access CRM data through the team leader's FUB connection — each agent sees only their own assigned leads in chat.

Infrastructure

  • Hosting: Vercel (edge network + serverless functions)
  • Database: Supabase PostgreSQL (AWS us-east-2, United States)
  • AI Processing: Anthropic Claude API (data processed in the U.S., not retained for training)
  • Payments: Stripe (PCI-DSS Level 1)
  • Email Auth: Resend (for magic link verification only)

AI Data Handling

When you chat with Trevy, your messages are sent to Anthropic's Claude API for processing. This includes your conversation, relevant CRM context (stage names, tag names, agent names), and preferences you've asked Trevy to remember.

Key points:

  • Anthropic does not use your data to train AI models
  • Trevy does not use your data to train AI models
  • Conversation context is sent per-request and not stored by Anthropic beyond their standard processing window
  • We log token usage and costs for billing and performance monitoring — not the content of your conversations with the AI provider

Automated Security

  • Every code change goes through automated security review before deployment
  • All pull requests require passing tests + security checks before merging
  • Cron jobs and webhook endpoints require authentication (CRON_SECRET / HMAC signatures)
  • No public API endpoints expose user data without authentication

What You Can Do

  • Disconnect anytime: Remove Gmail, Outlook, or FUB connections from Settings
  • Revoke Google access: From your Google Account → Security → Third-party apps
  • Revoke Microsoft access: From your Microsoft Account → Privacy → App permissions
  • Delete memories: Ask Trevy to forget specific information
  • Cancel & delete: Cancel your subscription and request full data deletion

Reporting Security Issues

If you discover a security vulnerability, please report it to support@trevy.io. We take all reports seriously and will respond within 48 hours.

Trevy LLC
Florida, United States