Riv.ai

Security

Last updated: 28 May 2026
Infrastructure · Data · Compliance

Security is not a feature - it is the foundation on which Riv.ai is built. This page describes the controls, processes, and principles we apply to protect your data and our infrastructure.

  • TLS 1.2+: all data in transit
  • Encrypted at rest: AES-256 storage encryption
  • MFA enforced: all internal admin access
  • 24 × 7 monitoring: infrastructure & alerts
  • 72-hour breach notice: GDPR & DPDP compliant
  • Responsible disclosure: coordinated vulnerability reporting

01 Our Security Philosophy

Riv.ai operates as infrastructure for business communication - which means the confidentiality, integrity, and availability of your data and your customers' data is our direct responsibility. We approach security as a continuous engineering and operational discipline, not a compliance checkbox.

Our security programme is built on three commitments:

  • Least privilege by default: access to data and systems is granted only to the extent required to perform a specific function, and revoked immediately when no longer needed.
  • Defence in depth: no single control is treated as sufficient. We layer preventative, detective, and corrective measures across network, application, data, and identity layers.
  • Transparency: when something goes wrong, we notify you promptly, describe what happened, and explain the steps we are taking. We do not hide incidents.

02 Infrastructure & Hosting

Cloud environment

Riv.ai's production infrastructure is hosted on enterprise-grade cloud providers with ISO 27001, SOC 2 Type II, and PCI-DSS Level 1 certifications. Our cloud environments are deployed in geographically redundant regions to ensure high availability and data resilience.

Network security

  • All production systems are isolated within private virtual networks with no direct public ingress
  • Network security groups and firewall policies enforce strict inbound/outbound traffic rules
  • Web Application Firewall (WAF) protection is applied to all customer-facing endpoints
  • DDoS mitigation is active at the network perimeter
  • All external-facing services are hosted behind load balancers with TLS termination

Availability and redundancy

  • Production databases use automated failover with point-in-time recovery
  • Message queue and delivery infrastructure is horizontally scalable with no single points of failure
  • Automated backups are taken daily and tested periodically for restore integrity
  • We maintain and test a Business Continuity Plan (BCP) and Disaster Recovery (DR) runbook

03 Data Encryption

In transit

All data transmitted between your browser or application and our services is encrypted using TLS 1.2 or TLS 1.3. We enforce HTTPS-only access on all endpoints and apply HTTP Strict Transport Security (HSTS) headers. Connections that attempt to downgrade to older protocols are rejected.

At rest

All customer data stored on our infrastructure - including databases, object storage, and backup snapshots - is encrypted at rest using AES-256 encryption. Encryption keys are managed through a dedicated key management service (KMS) with automated rotation policies.

Payment data

Riv.ai does not store, process, or transmit raw payment-card numbers. All payment transactions are handled by PCI-DSS-certified third-party payment processors. We retain only non-sensitive billing references.

04 Access Control & Authentication

Internal access

  • Multi-factor authentication (MFA) is mandatory for all internal team members accessing production systems, cloud consoles, and code repositories
  • Access to production data is restricted on a strict need-to-know basis; all access requests go through an approval workflow and are logged
  • Privileged access management (PAM) controls are applied to all infrastructure administration accounts
  • Employee access is reviewed quarterly and revoked within one business day of offboarding

Customer authentication

  • Customer accounts support strong password policies with minimum complexity requirements
  • Multi-factor authentication is available for all customer accounts and recommended for all users
  • API access is controlled through scoped, revocable API keys and OAuth 2.0 tokens
  • Session tokens carry appropriate expiry and are invalidated on logout or password change
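The token lifecycle the list above describes (expiry, invalidation on logout, and invalidation of every session a user holds when their password changes) is easy to state and easy to get wrong; the common bug is a password reset that leaves an attacker's existing session alive. The following is an added example, not Riv.ai's code: a minimal server-side session store that implements those three rules. The class and method names, the one-hour default TTL, and the choice to key the store by a hash of the token are assumptions for illustration; the clock is injected so expiry can be exercised without waiting.

```python
"""Added example (not Riv.ai code): server-side session store with expiry,
logout invalidation, and revoke-all-on-password-change. Assumed names/TTL."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injected so tests can advance time
        # Keyed by SHA-256 of the token: a leaked copy of the store does not
        # hand out usable bearer tokens.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Issue a fresh random token with an absolute expiry."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, self.clock() + self.ttl)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user behind a live token, or None if unknown or expired.
        Expired entries are purged on first sight."""
        k = self._key(token)
        sess = self._sessions.get(k)
        if sess is None:
            return None
        if self.clock() >= sess.expires_at:
            del self._sessions[k]
            return None
        return sess.user

    def logout(self, token: str) -> None:
        """Invalidate exactly this session."""
        self._sessions.pop(self._key(token), None)

    def password_changed(self, user: str) -> None:
        """Revoke every session of the user, including the one that made the
        change; the caller logs the user back in with a fresh token."""
        stale = [k for k, s in self._sessions.items() if s.user == user]
        for k in stale:
            del self._sessions[k]


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    t1, t2 = store.login("alice"), store.login("alice")
    store.password_changed("alice")
    print(store.user_for(t1), store.user_for(t2))   # both revoked
```

Note what the store does not do: it never accepts a token that is merely syntactically valid, so there is no "stateless" path by which a revoked or expired token can be replayed.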

Role-based access control (RBAC)

Within the Riv.ai platform, customers can assign roles to team members, limiting access to specific features, communication channels, and data views consistent with the principle of least privilege.

05 Application Security

Secure development lifecycle

  • Security requirements are defined at the design stage for all new features
  • All code changes go through peer review, automated static analysis (SAST), and dependency vulnerability scanning before deployment
  • We track and remediate known vulnerabilities in third-party dependencies on an ongoing basis using automated scanning tools
  • Secrets, credentials, and API keys are never committed to source control

OWASP and injection defence

Our development practices explicitly address OWASP Top 10 risks. We apply parameterised queries to prevent SQL injection, contextual output encoding to prevent XSS, CSRF tokens on all state-changing requests, and strict input validation at system boundaries.
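To make the three defences named above concrete, here is an added example (not Riv.ai's code) that shows each one as a vulnerable form beside its hardened form: a string-built SQL query next to a parameterised one, HTML output encoding for a text node, and a constant-time CSRF token check that fails closed on a missing token. It uses only the Python standard library and an in-memory SQLite table with constructed sample rows; the table, the sample users and the function names are assumptions.

```python
"""Added example (not Riv.ai code): SQL injection, XSS and CSRF defences,
vulnerable form beside hardened form. Sample data is constructed."""
import html
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with distinct API keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "key-alice-1111"), ("bob", "key-bob-2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's string is spliced into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT name, api_key FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: a bound parameter is sent as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, api_key FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(display_name: str) -> str:
    """Contextual output encoding for an HTML text node. The same value
    placed in a JS string or a URL would need that context's encoder."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def issue_csrf_token() -> str:
    """Per-session random token, kept server-side and echoed into forms."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted) -> bool:
    """Constant-time comparison; a missing or empty token fails closed."""
    if not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(db, payload))       # every row leaks
    print(lookup_parameterised(db, payload))    # no row matches
    print(render_greeting("<script>alert(1)</script>"))
    tok = issue_csrf_token()
    print(csrf_ok(tok, tok), csrf_ok(tok, None))
```

Run stand-alone, the vulnerable lookup returns both users for the tautology payload while the parameterised lookup returns nothing, which is the whole point of binding values instead of concatenating them.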

Third-party security

All third-party service providers that process Riv.ai customer data are evaluated against our vendor security requirements before onboarding and are required to maintain equivalent security standards through contractual commitments.

06 Vulnerability Management

We maintain a continuous vulnerability management programme that includes:

  • Automated scanning: scheduled and event-triggered vulnerability scans across our infrastructure, container images, and application dependencies
  • Penetration testing: periodic third-party penetration tests of our production environment and web application layer; findings are risk-rated and tracked to remediation
  • Patch management: critical security patches are applied within 24 hours of availability; high-severity patches within 7 days; all others within 30 days
  • CVE monitoring: we monitor Common Vulnerabilities and Exposures (CVE) feeds and security advisories for all components in our technology stack

Security findings are tracked in our internal issue management system with defined remediation SLAs based on severity, and ownership is assigned to named engineers.

07 Incident Response

We maintain a documented Incident Response Plan (IRP) that is tested through tabletop exercises at least annually. Our process follows the phases of: Detect → Contain → Eradicate → Recover → Review.

Detection and monitoring

We operate 24×7 infrastructure and application monitoring with automated alerting for anomalous activity. Our security logging pipeline aggregates events across all production systems into a centralised SIEM for real-time analysis.

Breach notification

In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required under GDPR and DPDP Act rules)
  • Provide details of the nature of the breach, the categories and approximate number of data records concerned, likely consequences, and measures taken or proposed
  • Notify the relevant supervisory authority or Data Protection Board of India as required by applicable law

Post-incident, we conduct a root-cause analysis and share a summary with affected customers where appropriate. We use every incident - including near-misses - to improve our controls.

08 Compliance & Certifications

Our security programme is aligned with and designed to meet the requirements of:

Standard / Regulation | Scope | Status
India DPDP Act 2023 | Personal data of Indian data principals | Implemented; monitoring rule notifications
GDPR (EU) / UK GDPR | Personal data of EU/EEA/UK data subjects | Controls in place; SCCs executed
India IT Act 2000 & IT (Amendment) Act 2008 | Data protection, cybercrime, intermediary obligations | Compliant
TRAI Telemarketing Regulations | Commercial messaging and call origination | Compliant
ISO 27001 (infrastructure providers) | Cloud and hosting layer | Vendor-certified
PCI-DSS (payment processing) | Payment data handled by certified sub-processors | Delegated to certified processors

Enterprise customers who require evidence of specific security controls or compliance documentation (such as security questionnaire responses or data processing addenda) may request these by contacting sales@rivai.in.

09 Customer Responsibilities

Security on the Riv.ai platform is a shared responsibility. We secure the infrastructure and platform; you are responsible for your account and how you configure and use the Services. Your responsibilities include:

  • Credential management: keeping API keys, access tokens, and user passwords confidential; rotating credentials regularly; revoking access promptly when team members leave
  • MFA adoption: enabling multi-factor authentication on all user accounts with access to your Riv.ai workspace
  • Least-privilege configuration: assigning users only the roles and permissions required for their specific function
  • Secure integration: ensuring that any applications or systems you integrate with the Riv.ai API handle credentials securely and do not expose API keys in client-side code or public repositories
  • Compliance obligations: obtaining appropriate consent from your customers before sending them messages or calls through the platform; complying with all applicable telecom, spam, and data-protection laws in your jurisdiction
  • Incident reporting: notifying us promptly at sales@rivai.in if you suspect that your Riv.ai credentials have been compromised or that the platform is being used without your authorisation
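The credential-management and secure-integration items above are where most customer-side incidents start: a key pasted into a front-end bundle or pushed to a public repository. The check a practitioner would wire into a pre-commit hook or CI step is a secret scan over the files about to leave the machine. The following is an added example, not Riv.ai's code: a small scanner run over constructed source lines. The `riv_live_` / `riv_test_` key prefix is an assumption made for illustration only (this page does not document Riv.ai's key format), as are the entropy threshold and the `allowlist-secret` marker; adjust the patterns to the formats actually in use.

```python
"""Added example (not Riv.ai code): pre-commit style secret scan over
source lines. Key prefix, threshold and allowlist marker are assumptions."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Named patterns. The first is an ASSUMED key format for illustration.
PATTERNS = {
    "assumed-riv-api-key": re.compile(r"\briv_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    "bearer-header": re.compile(
        r"""Authorization["']?\s*:\s*["']?Bearer\s+[A-Za-z0-9._\-]{20,}""", re.I
    ),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Generic catch: secret-looking variable assigned a long quoted literal.
ASSIGNMENT = re.compile(
    r"""(secret|token|api[_-]?key|password)\s*[:=]\s*["']([^"']{16,})["']""", re.I
)
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed tuning value
ALLOWLIST_MARKER = "# allowlist-secret"


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, matched_text) for each suspected secret.
    A line matched by a named pattern is not re-reported by the generic rule;
    a line carrying the allowlist marker is skipped entirely."""
    findings = []
    for n, line in enumerate(lines, 1):
        if ALLOWLIST_MARKER in line:
            continue
        named = [(n, rule, m.group(0)) for rule, pat in PATTERNS.items()
                 if (m := pat.search(line))]
        if named:
            findings.extend(named)
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
            findings.append((n, "high-entropy-assignment", m.group(2)))
    return findings


# Constructed sample input: a mix of safe and unsafe lines.
SAMPLE = [
    'api_key = os.environ["RIV_API_KEY"]  # correct: read from the environment',
    'const apiKey = "riv_live_a8F3kQ2mZx9LpB7vN4cW1yHt";  // leaked in a browser bundle',
    'headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456ghi"}',
    'session_token = "tok-" + secrets.token_hex(16)  # generated at runtime, fine',
    '-----BEGIN RSA PRIVATE KEY-----',
    'DEMO_KEY = "riv_test_0000000000000000000000000"  # allowlist-secret: documented placeholder',
    'db_password = "Xq7!mR2$vL9#pT4&wN8@kZ"',
]


if __name__ == "__main__":
    for n, rule, text in scan_lines(SAMPLE):
        print(f"line {n}: {rule}: {text[:24]}...")
```

The named patterns catch the formats you know about; the entropy rule is the backstop for the ones you do not, at the cost of occasional false positives, which is why the allowlist marker exists. Anything it flags should be rotated, not just deleted from the commit, because the value has already been on a developer machine and possibly in history.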

10 Responsible Disclosure

Found a vulnerability?

Please report it responsibly to sales@rivai.in with the subject line [SECURITY]. We respond to all reports within 2 business days.

We operate a responsible disclosure programme for security researchers and members of the public who discover vulnerabilities in our products or infrastructure. We are committed to working with the security community to keep our platform secure.

How to report

Email sales@rivai.in with the subject line [SECURITY] and include:

  • A clear description of the vulnerability and its potential impact
  • The affected URL, endpoint, or system component
  • Steps to reproduce the issue (including any payloads or screenshots)
  • Your preferred contact details for follow-up

Our commitments to reporters

  • We will acknowledge your report within 2 business days
  • We will keep you informed of our investigation and remediation timeline
  • We will credit researchers who responsibly disclose valid, non-public vulnerabilities (unless you prefer anonymity)
  • We will not pursue legal action against researchers who act in good faith and comply with these guidelines

Out-of-scope

To protect our customers and maintain service integrity, the following activities are out of scope and may be treated as unauthorised access:

  • Denial-of-service or volumetric attacks against our infrastructure
  • Social engineering or phishing attacks against Riv.ai employees or customers
  • Automated scanning that generates significant load on production systems
  • Accessing or modifying customer data without explicit permission from the account owner
  • Testing against third-party services or infrastructure not owned or operated by Riv.ai

11 Contact Security Team

For security-related enquiries, vulnerability reports, or requests for security documentation, contact us using the details below. For general product or sales enquiries please use the same contact.

Security Contact

RivAi Communications Private Limited

Plot no-A4, Logix Technova, B-320, Sector-132, Noida,
Gautam Buddh Nagar - 201304, India
sales@rivai.in (use subject: [SECURITY])
+91 96544 14464