// Trust & Security Report

    Revolut Ltd / Revolut Bank UAB (Revolut Group) logo

    Revolut Ltd / Revolut Bank UAB (Revolut Group)

    Business banking and expense platform (business.revolut.com): multi-currency business accounts, corporate/expense cards, invoicing, payments, and merchant acquiring, offered by the Revolut group of regulated entities (Revolut Ltd and Revolut Bank UK Ltd in the UK; Revolut Bank UAB in Lithuania/EEA, plus local entities elsewhere). Distinct from Revolut Personal (consumer banking, including the AIR AI assistant) and from Revolut People (a separate Revolut product: an HR/payroll SaaS platform with its own trust hub) - both are different sub-products of the same corporate group and must not be conflated with Revolut Business.

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    Documented first-party on the vendor domain. Revolut's Customer Privacy Notice (www.revolut.com/legal/privacy/) names a Data Protection Officer contact and states verbatim: 'Your rights: you have control over your personal data. You can ask for a copy of it, ask us to delete it or ask us to stop using it (especially for marketing) by contacting dpo@revolut.com,' and promises 'We will never sell your personal data.' It also sets out lawful bases for processing (contract, legal obligation, legitimate interests, substantial public interest, vital interests, consent). Provenance note: the Customer Privacy Notice itself (effective 17 March 2026) was captured verbatim on the vendor domain, and the 'Your rights' and 'We will never sell your personal data' quotes above are taken directly from it. Only the specific Standard Contractual Clauses sentence ('For individuals in the EEA, UK, Brazil, and Israel, this usually means entering into Standard Contractual Clauses with recipients of your data who are located in countries which are not recognised as having adequate data protection laws') was sourced from Revolut's Data Privacy Statement for Candidates (www.revolut.com/legal/data-privacy-for-candidates/, a recruitment-facing notice) rather than the Customer Privacy Notice, because the captured portion of the Customer Privacy Notice does not include a verbatim SCC sentence. Some other vendor endpoints (the Revolut People trust hub and the authenticated business.revolut.com app) return HTTP 403 to automated fetchers, but the Customer Privacy Notice was not among them.

    Verify on revolut.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I / Type II)
    NOT CONFIRMED

    No public evidence on Revolut Business's own pages (business.revolut.com, www.revolut.com/business/*). A SOC 2 Type II audit is publicly claimed on Revolut's Trust Hub for 'Revolut People' (revolut.com/people/trust-hub/) - but Revolut People is a separate Revolut product (an HR/payroll SaaS platform for managing employees), not the business-banking/cards product (Revolut Business) being assessed here. No vendor page states this audit's scope extends to Revolut Business. Treated as not held for this product to avoid conflating the two sub-products.

    source: revolut.com
    ISO 27001
    NOT CONFIRMED

    Same conflation issue as SOC 2: Revolut's 'Revolut People' Trust Hub states Revolut obtained an ISO 27001 certificate for its information security management system, but this is documented on the Revolut People trust page and job postings for Revolut's general security team, not on a Revolut Business-specific trust or security page. No direct vendor statement was found confirming ISO 27001 scope covers the business-banking/cards product. Graded not held for this product pending clearer scoping.

    source: revolut.com
    PCI DSS
    NOT CONFIRMED

    No direct first-party certification statement was found for Revolut Business itself. Revolut's own merchant help articles describe how 'Revolut systems reduce merchant PCI DSS responsibility' by masking card numbers for merchants using Revolut card readers/merchant accounts, but state PCI DSS compliance is the merchant's own responsibility, which is a different claim from Revolut itself holding a PCI DSS Level 1 certificate. Third-party sources (a Snyk case study) reference Revolut pursuing PCI compliance, but that is not a vendor-domain source.

    source: help.revolut.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on any Revolut-owned domain for Revolut Business.

    HIPAA
    NOT CONFIRMED

    No public evidence, and out of scope: Revolut Business is a business banking/fintech product, not a healthcare service or business associate handling PHI.

    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence on any Revolut domain of an ISO 42001 or equivalent AI-governance certification.

    CSA STAR
    NOT CONFIRMED

    No public evidence found on vendor domain.

    FedRAMP
    NOT CONFIRMED

    Not applicable / no public evidence. Revolut Business is not marketed as a government-cloud or FedRAMP-authorized product.

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EEA (Revolut Bank UAB, Lithuania, an EU-licensed bank) and UK (Revolut Ltd / Revolut Bank UK Ltd), depending on the entity a business customer is onboarded to; cross-border transfers rely on Standard Contractual Clauses per the Customer Privacy Notice.

    Revolut's consumer AI assistant, AIR ('AI by Revolut', mentioned on the Revolut homepage - 'AI by Revolut, AIR, is your 24/7 personal assistant'), is publicly described in press materials as operating with 'a strict zero data retention policy' where personal information 'is never stored by third-party AI partners or used for training external models.' This statement is specific to the personal/consumer AIR assistant. No equivalent first-party statement was found confirming the same no-training policy for Revolut Business's own product surface (e.g. any AI-powered insights, categorisation, or fraud-detection features inside Revolut Business). Because the AI-training posture evidence traces to the consumer product rather than Revolut Business directly, trains_on_customer_data is recorded as unknown (null) for this product rather than assumed to match.

    // Security controls

    Fraud detection and monitoring

    Vendor states 'Our in-house AI algorithms can flag high-risk transactions and suspicious spending patterns immediately' and that proactive warnings 'detect more than 95% of attempted scams'; a dedicated 24/7 Financial Crime team is referenced.

    revolut.com

    Biometric device binding and identity checks

    Every mobile device with Revolut on it is tied to the user's biometrics; strict identity verification is used at sign-up, described as 'powered by sophisticated machine learning.'

    revolut.com

    Card controls / virtual cards

    Single-use virtual card numbers that refresh after each transaction; cards must be activated and PINs viewed only in-app; two-factor authentication required for sensitive transactions.

    revolut.com

    Segregated client funds

    Business/e-money client funds are held in segregated accounts with large global banks (per Revolut Business 'A-grade security' marketing page, safeguarding rather than an information-security certification).

    revolut.com

    Deposit protection (UK entity only)

    Where a customer holds funds with Revolut Bank UK Ltd specifically, accounts are protected by the UK Financial Services Compensation Scheme (FSCS) up to GBP 120,000 per person; this is deposit insurance/regulatory protection, not an infosec certification, and does not apply to Revolut Ltd e-money accounts or non-UK entities.

    revolut.com

    // Products & data scope

    Revolut BusinessBusiness banking / expense management

    data: Company financial and transactional data; KYB/KYC data on the business and its directors/beneficial owners; card and payment data

    The product assessed here (business.revolut.com). No dedicated public trust center or formal SOC 2/ISO 27001/PCI certification statement was located specifically for this product.

    Revolut PersonalConsumer banking

    data: Individual financial, identity, biometric, device, and location data

    Includes AIR, the consumer AI assistant, which is documented as having zero data retention and no external-model training. Regulated via Revolut Ltd (e-money) and Revolut Bank UK Ltd (deposit-taking, FSCS-protected) in the UK, and Revolut Bank UAB in the EEA.

    Revolut PeopleHR / payroll SaaS

    data: Employee HR records, compensation data (works alongside third-party payroll providers rather than running payroll itself)

    A separate Revolut product with its own public Trust Hub claiming SOC 2 Type II and ISO 27001. This is NOT the same product as Revolut Business and its certifications should not be displayed against the Revolut Business listing.

    Revolut merchant / acquiringPayment acceptance

    data: Card transaction data for merchants using Revolut card readers or payment links

    Revolut's own help content states its systems reduce merchant PCI DSS scope by masking full card numbers, but places PCI DSS compliance responsibility on the merchant.

    // What to watch

    • Identity/conflation risk: Revolut's publicly claimed SOC 2 Type II and ISO 27001 certifications live on the 'Revolut People' Trust Hub (revolut.com/people/trust-hub/) - Revolut People is a distinct HR/payroll product, not Revolut Business (the business-banking/cards product at business.revolut.com being assessed). These certs must not be displayed under the Revolut Business listing without explicit vendor confirmation the audit scope covers it.
    • Evidence-capture gap: the customer-facing www.revolut.com pages (Customer Privacy Notice, How We Protect Your Money, Data Privacy Statement for Candidates, and the homepage) were captured first-party and are quoted directly.
    • No dedicated Revolut Business trust center or security-and-compliance page listing formal certifications was found; the existing 'a-grade security' marketing page covers fraud-prevention UX features (biometrics, virtual cards, fund segregation), not audited certifications.
    • PCI DSS: only merchant-facing help content (Revolut reduces merchant scope) and a third-party case study reference PCI DSS; no first-party statement confirms Revolut's own PCI DSS Level 1 certification status for the Business product.
    • AI-training posture (zero retention, no training on external models) is documented for the consumer AIR assistant, not confirmed as applying to Revolut Business specifically - recorded as unknown (null) rather than assumed identical.
    • FSCS deposit protection applies only when a customer is onboarded to Revolut Bank UK Ltd; Revolut Ltd (the more common e-money entity for many customers) is not FSCS-protected. This distinction should be reflected if deposit protection is surfaced in any listing.

    // At a glance

    Pricing model

    Tiered monthly subscription business plans (paid plans starting from a low monthly fee) plus per-transaction/FX fees; a free/starter tier also exists for very small businesses.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Revolut Ltd / Revolut Bank UAB (Revolut Group)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    revolut.com

    > Browse all vendor trust reports