Security
Revtown is open source. Read the code before you trust it. — github.com/LeRevOps/leclaw
You are connecting Revtown to your CRM. That means handing over read access to your pipeline, contacts, and deals. Here is exactly what Revtown does — and does not do — with that access.
Shadow mode by default
Revtown never modifies your CRM unless you explicitly enable write-back. Every agent runs in shadow mode — read-only. The only output is a scored report of what's broken. No records are changed, created, or deleted.
Write-back (Le Témoin) is a paid feature that requires deliberate activation. It will always show you a preview before making any change.
What Revtown reads
| Agent | HubSpot scopes | What it reads |
|---|---|---|
| Le Data Quality | crm.objects.contacts.read, crm.objects.companies.read | Contact and company field completeness, association hygiene |
| Le Stage Audit | crm.objects.deals.read | Deal stage, close date, amount, associated contacts |
| Le BDR | crm.objects.contacts.read, crm.objects.deals.read | Activity timestamps, sequence enrollment, lifecycle stage |
We request the minimum scopes required for each agent. We never request write permissions by default.
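The shadow-mode and minimum-scope guarantees above can be enforced as a preflight check before an agent runs. The following is an added example, not Revtown's own code: it takes the scopes actually granted to a HubSpot OAuth token (here a constructed set, not fetched from HubSpot), compares them with the agent's documented minimum from the table, and fails closed if the token carries any write scope while write-back is off. The agent names and scope strings come from the table; `check_token_scopes` and `ScopeCheck` are hypothetical names.

```python
"""Least-privilege preflight check for shadow-mode agents (added example)."""
from dataclasses import dataclass, field

# Minimum read scopes per agent, taken from the scope table above.
AGENT_SCOPES = {
    "Le Data Quality": {"crm.objects.contacts.read", "crm.objects.companies.read"},
    "Le Stage Audit": {"crm.objects.deals.read"},
    "Le BDR": {"crm.objects.contacts.read", "crm.objects.deals.read"},
}


@dataclass
class ScopeCheck:
    ok: bool
    reason: str
    missing: set = field(default_factory=set)   # required but not granted
    excess: set = field(default_factory=set)    # granted but not needed


def check_token_scopes(agent: str, granted: set, write_back: bool = False) -> ScopeCheck:
    """Decide whether a token may be used to run `agent`.

    `granted` is the scope set attached to the token (constructed sample input
    in the tests). `write_back` mirrors the deliberate opt-in described above.
    """
    required = AGENT_SCOPES[agent]
    missing = required - granted
    excess = granted - required
    write_scopes = {s for s in granted if s.endswith(".write")}

    if missing:
        return ScopeCheck(False, f"token lacks required scopes: {sorted(missing)}", missing, excess)
    # Shadow mode: a token that can write is refused even if the agent never
    # calls a write endpoint, so a bug cannot silently turn into a CRM change.
    if write_scopes and not write_back:
        return ScopeCheck(False, f"shadow mode but token can write: {sorted(write_scopes)}", missing, excess)
    reason = "ok"
    if excess:
        # Over-privileged tokens still run, but the excess is surfaced so it
        # can be trimmed at the next OAuth consent.
        reason = f"ok, but token over-privileged: {sorted(excess)}"
    return ScopeCheck(True, reason, missing, excess)
```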
What gets sent to Claude API
Agent summaries are generated by sending metadata only to Anthropic's Claude API:
Credential storage
- Self-hosted CLI: Your tokens live in .env on your machine. Nothing leaves your infrastructure. The only external calls are directly to HubSpot and Anthropic — Revtown servers are never in the loop.
- Hosted dashboard: HubSpot OAuth tokens and Anthropic API keys are stored encrypted in Supabase (AES-256 at rest, TLS in transit). Tokens are never logged, never exposed in API responses, and never shared with third parties.
- Docker isolation (CLI): When Docker Desktop is available, each agent runs in its own container — resource-limited to 512MB RAM and 0.5 CPU, removed automatically on exit, with no access to the host filesystem.
What is never stored
- Raw CRM records — no contact names, emails, company names, deal data, or PII
- Credentials in plaintext
- Agent output beyond aggregate counts, scores, and issue type labels
Revoking access
You can revoke Revtown's CRM access at any time without contacting us:
- HubSpot: Settings → Integrations → Connected Apps → Revoke
- Salesforce: Setup → Connected Apps → Revoke
Revoking immediately and permanently terminates all Revtown access to your CRM.
Infrastructure
- Hosting: Vercel (Next.js dashboard) — ephemeral serverless functions, isolated per request
- Database: Supabase (Postgres) — row-level security on all tables, every query scoped to your org
- Auth: Supabase Auth — email/password, sessions expire automatically
- CRM auth: OAuth 2.0 — tokens auto-refresh, never stored in the browser
Reporting a vulnerability
Found a security issue? Email security@revtown.io before opening a public GitHub issue. We will respond within 48 hours and work with you on a coordinated disclosure.