01Security program
Renovo uses administrative, technical, and organizational safeguards proportionate to the service and data. Measures include authenticated access, account-scoped authorization, transport encryption, protected cloud storage, expiring and single-decision quote links, payment-provider tokenization, restricted operational access, dependency review, and security logging. No system can guarantee absolute security.
02Account-owner responsibilities
Use unique credentials and available device security, remove lost or former-worker devices, review recipients before sending private links, keep applications current, protect exported documents, and report suspected compromise promptly. Do not share individual credentials or publish private quote links.
03What to report
Reports may cover a reproducible weakness in a Renovo-controlled website, application, API, authentication flow, authorization boundary, private-link control, or data-exposure path. Availability issues, support disputes, spam, and vulnerabilities solely in an unrelated third-party service are not security research reports.
04Research rules
Use only accounts and data you own or have written authorization to test. Avoid social engineering, phishing, denial of service, destructive testing, persistence, malware, high-volume automation, physical attacks, privacy violations, or accessing another person's data. Stop immediately if private data is encountered and report only the minimum evidence needed to reproduce the issue.
05Submitting a report
Use the public Support page and identify the message as a security report; authenticated in-app support is preferred for account-specific issues. Include the affected product and route, impact, reproducible steps, relevant time, and a safe proof of concept. Do not attach secrets, raw customer records, or exploit data beyond what is essential.
06Our response
Renovo will triage good-faith reports, seek clarification when needed, validate impact, prioritize remediation, and communicate material status when practical. Renovo does not promise a bounty, a particular resolution, or a fixed response time. Public disclosure should be coordinated until users have had a reasonable opportunity to receive a fix.
07Good-faith research
To the extent within Renovo's control, Renovo does not intend to pursue legal claims against research conducted in good faith and in full compliance with this policy. This statement does not authorize violations of law or third-party rights and cannot bind another organization, regulator, or law-enforcement agency.
08Urgent account incidents
For suspected account takeover, exposed private links, lost devices, or unauthorized billing, stop using the affected session, secure the relevant email and device accounts, preserve non-sensitive timestamps, and contact authenticated support. Contact the payment provider or financial institution directly for payment-card emergencies.