Continuous Improvement
Revenue Engine is currently in beta.
This page explains the security and operational improvements Sales Triage intends to make as the platform matures.
The purpose of publishing this page is not to pretend everything is already complete. It is to show clients what exists today, what is planned next and why those improvements matter.
Priorities may change as the platform, client requirements and risk profile evolve.
Implemented During Beta
| Outcome | Control or Practice | Status |
|---|---|---|
| Keep platform data in the UK | UK hosting on Fasthosts virtual server | Implemented |
| Protect data in transit | HTTPS/TLS enforced | Implemented |
| Protect stored credentials | API keys and integration secrets encrypted at rest (AES-256-GCM) | Implemented |
| Reduce password exposure | Passwords stored as hashes | Implemented |
| Limit privileged access | Production access limited to founder | Implemented |
| Support recovery | Weekly full backups | Implemented |
| Reduce data loss risk | Daily incremental backups | Implemented |
| Reduce local backup dependency | Offsite backup copy held in UK-hosted Microsoft OneDrive | Implemented |
| Provide legal privacy transparency | Published Privacy Policy | Implemented |
| Clarify controller and processor roles | Privacy Policy explains data protection roles | Implemented |
| Improve supplier transparency | Published supplier and subprocessor page | Implemented |
High Priority Improvements
These are the highest priority items because they are likely to reduce real client risk and answer common supplier review questions.
| Outcome | Improvement | Current Status |
|---|---|---|
| Protect stored client data | Enable full-database encryption at rest for database storage | Planned |
| Protect connected accounts | Encrypt stored OAuth mailbox and calendar tokens at the field level | Planned |
| Reduce attack surface | Offer restriction of platform access to approved countries (for example UK-only) | Planned |
| Protect future file uploads | Ensure file and document storage is encrypted at rest before wider use | Planned |
| Reduce account compromise risk | Enforce multi-factor authentication for all users, including administrators | Implemented |
| Reduce deployment risk | Create a separate staging environment | Planned |
| Improve recovery assurance | Complete and document a backup restore test | Planned |
| Improve recovery clarity | Document backup retention, RPO and RTO | Planned |
| Improve incident handling | Create a written incident response process | Planned |
| Improve breach detection | Add a login/access audit trail and centralised security alerting | Planned |
| Improve infrastructure resilience | Separate database from application server | Planned |
Medium Priority Improvements
| Outcome | Improvement | Current Status |
|---|---|---|
| Validate security posture | Commission independent penetration testing | Planned before larger enterprise use |
| Improve vulnerability management | Introduce regular vulnerability scanning | Under review |
| Improve supplier confidence | Evaluate Cyber Essentials certification | Under review |
| Improve governance maturity | Review ISO 27001 suitability as the business scales | Future consideration |
| Improve auditability | Add clearer administrative and client audit logging | Under review |
| Improve access governance | Introduce a documented access review process | Planned as team grows |
| Support data portability | Provide a self-serve export of a client's full platform data (a manual export is available on request today) | Planned |
| Support clean offboarding | Automate a time-bound account deletion process on termination (handled manually on request today) | Planned |
Not Currently Planned for Immediate Beta
| Item | Reason |
|---|---|
| ISO 27001 certification | Not proportionate during beta, but may be reviewed as the platform and client base grow |
| SOC 2 | Not required for the current UK-focused beta stage |
| Enterprise SSO | To be reviewed if clients require it |
| Formal uptime SLA | To be reviewed after production architecture matures |
How This Page Should Be Maintained
When an item is completed:
- move it into the implemented section
- update the relevant security page
- add a changelog entry
- add or update any relevant question in Questions Clients Have Asked
When a client asks about a risk not covered here:
- answer the client directly
- add a question and answer if useful to future clients
- add an improvement item if the question exposes a gap