The R2 auditor is here.
You're ready.
You handle other people's data for a living. Every laptop that rolls off the truck might contain financial records, employee files, or worse. Your tools need to take that as seriously as you do.
EU data centers. Database-level tenant isolation. Per-drive erasure tracking. Audit trails on everything. Compliance documentation that builds itself. Your auditor is going to run out of questions.
Standards & compliance
Built for an industry that gets audited.
GDPR Compliant
Your clients hand you laptops full of employee data, financial records, and things they'd rather nobody saw. We treat that responsibility the same way you do. Full GDPR compliance. DPAs ready to sign. Right to erasure implemented — for real, not "we'll get to it."
ISO 27001 Aligned
Your security questionnaire has 47 questions and you're tired of answering them for every vendor. We've aligned with ISO 27001 so you can point your clients to our documentation instead of writing a novel every time someone asks "how do you protect our data?"
R2 / R2v3 Ready
If you're R2 certified, you know the documentation requirements are relentless. Chain of custody, downstream vendor tracking, data security verification, environmental compliance — ReVend generates all of it as you work. The auditor shows up, you pull the report, you go back to your coffee.
ADISA Compatible
Per-drive erasure tracking with Blancco-compatible certificates. Because the ADISA auditor knows that Dell Latitude had two NVMe drives, and "we wiped the laptop" isn't good enough. Per-drive status. Per-drive certificate. Per-drive peace of mind.
Infrastructure
Security isn't a feature. It's the architecture.
We didn't bolt security on after the fact. We built the platform with it. Because your clients trust you with their data, and you need to trust the tools you use to handle it.
EU Data Residency
Frankfurt, Germany. eu-central-1. Your data doesn't leave the European Union. Not for processing, not for backups, not for analytics, not because some engineer in California wanted to debug something. It stays in the EU. Full stop.
Encryption Everywhere
AES-256 at rest. TLS 1.3 in transit. The data on disk is encrypted. The data moving between your browser and our servers is encrypted. There is no moment where your data sits unencrypted, hoping nobody looks.
Tenant Isolation
Postgres Row Level Security on every single table. Your competitor who also uses ReVend cannot see your data. Not through the API, not through a bug, not through anything. The database itself enforces the walls between tenants. Not the application. The database.
Role-Based Access
Your warehouse operator doesn't need to see settlement financials. Your sales team doesn't need to see internal grading notes. Your intern definitely doesn't need admin access. Each role sees exactly what it should. Nothing more.
Audit Trails
Who moved that asset from Zone A to Zone B? When was the grade changed from B to C, and by whom? Who approved the settlement? Everything is logged. Everything is searchable. When the auditor asks, you don't have to guess.
Incident Response
We have documented procedures for security incidents, including notification within 72 hours per GDPR. We've tested them. We hope to never use them. But the procedures exist, the team is trained, and nobody has to improvise at 3am.
Data security
Every device is a liability until it's wiped.
That Dell Latitude from the bank? It might have customer financial records on the SSD. That HP from the hospital? Medical records. That ThinkPad from the law firm? You don't even want to know.
ReVend tracks data security from the moment a device arrives. Data-bearing devices are flagged at check-in. Erasure is tracked per drive, not per device — because that laptop with two NVMe drives needs two certificates. Blancco-compatible reports attach automatically. The chain of custody runs from intake to certificate delivery without a gap.
When the ADISA auditor asks “how do you prove erasure for storage device B in laptop RV-000003412?” you pull up the record. Drive serial number. Erasure method. Timestamp. Certificate number. Time elapsed since you stopped worrying: zero seconds. Because you never started.
Compliance reporting
Documentation that builds itself.
You know that end-of-quarter panic where the compliance team needs R2 documentation and everyone scrambles? That doesn't happen when the documentation generates as you work.
Process a device through the standard workflow: receive, test, grade, wipe, ship. At each step, the relevant compliance artifacts create themselves. Certificates of recycling. Certificates of destruction. Downstream vendor documentation. Mass balance reports. ESG sustainability data. All linked to the right devices, the right orders, the right clients.
Audit preparation goes from “three people, two weeks, one sense of impending doom” to “pull the report, send the link, go back to work.” Your compliance officer might actually smile. We can't guarantee that part.
Data ownership
Your data is yours. That's not negotiable.
Full data export at any time. CSV, JSON, whatever format your systems need. We made it easy to leave because we're confident you won't want to. But if you do, your data walks out the door with you. No retention fees. No lock-in. No “please contact your account manager to discuss options.”
We sign DPAs. We welcome security reviews. We'll walk your DPO through our architecture before you sign anything. Transparency isn't a marketing claim. It's the default.
Questions about security?
We're happy to walk your team through our security architecture.
Or send over your security questionnaire. We've probably answered it before.