Security Overview
NexTech Advisors, LLC d/b/a Rivvet AI
How Rivvet AI protects platform and client data.
This Security Overview summarizes the technical and organizational measures Rivvet uses to protect the platform and Client Data. It is informational and supplements the Master Services Agreement and Data Processing Agreement; where it differs from those documents, the DPA and the applicable Service Order control. Rivvet applies commercially reasonable measures appropriate to the nature of the Services and updates them over time.
1. HOSTING & INFRASTRUCTURE
The platform is hosted on reputable United States-based cloud providers using managed infrastructure. Production systems are operated separately from development and testing environments.
2. ENCRYPTION
Client Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using industry-standard algorithms.
3. ACCESS CONTROLS
Access to systems and Client Data follows role-based access control and least-privilege principles. Authentication is required for all access, and multi-factor authentication is required for administrative access to production systems.
4. MONITORING & LOGGING
Rivvet maintains logging and monitoring of relevant platform and infrastructure activity to help detect and respond to anomalies and potential security events.
5. DATA SEGREGATION
Client Data is logically segregated so that each client’s data is associated with that client’s account and is not commingled with other clients’ data in a manner that would permit unauthorized cross-client access.
6. SUBPROCESSORS
Rivvet engages vetted subprocessors that are contractually bound to data-protection obligations at least as protective as Rivvet’s own. A current Subprocessor List is available to clients on written request to legal@rivvetai.com. Clients receive at least 30 days’ notice of additions or replacements, as described in the DPA.
7. AI DATA HANDLING
AI processing of conversational and submitted data is transient and performed to deliver the Services. Rivvet’s AI model providers are bound by enterprise data processing terms under which they do not train foundation models on Client Data, and Rivvet uses commercially reasonable measures to prevent models from retaining or learning from Client Data beyond service delivery.
8. DATA RETENTION & DELETION
Retention follows the DPA and the applicable Order. On termination, Rivvet exports Client Data on written request within 30 days and deletes it within 90 days, subject to legal retention requirements.
9. INCIDENT RESPONSE
Rivvet maintains an incident-response process and will notify affected clients without undue delay, and no later than 72 hours after confirming a breach of security affecting Client Data, consistent with the DPA.
10. BUSINESS CONTINUITY
Rivvet maintains commercially reasonable backup and redundancy practices designed to support recovery of platform data in the event of a disruption.
11. COMPLIANCE
Rivvet processes Client Data as a service provider and processor under the CCPA/CPRA and other applicable U.S. state privacy laws, and makes a Data Processing Agreement available at rivvetai.com/legal/dpa.
12. RESPONSIBLE DISCLOSURE
To report a suspected vulnerability or security concern, contact security@rivvetai.com or legal@rivvetai.com. We appreciate responsible disclosure and will work in good faith to investigate and address valid reports.
No method of transmission or storage is 100% secure. This overview describes Rivvet’s commercially reasonable security measures and is not a warranty. Rivvet’s specific, binding security commitments are set out in the Data Processing Agreement and the applicable Service Order.