Rivan
← All docs

Security

Security is foundational to Rivan because we process your customers' support conversations. This page summarises our controls; the internal hardening detail lives in docs/launch/SECURITY.md.

Data protection

  • Encryption in transit: TLS 1.3 on all endpoints.
  • Encryption at rest: per-tenant credentials encrypted with AES-256-GCM

using isolated keys.

  • Tenant isolation: row-level security (RLS) on every tenant table; the

application uses least-privilege database roles.

Access control

  • Role-based access control (Owner / Admin / Member) enforced in code.
  • Append-only audit logging of sensitive actions (logins, config changes,

credential changes, approvals, member changes).

The agent boundary

The AI agent receives ticket transcripts as clearly delimited data, not instructions, and is hardened against prompt injection. It cannot read another tenant's data, and configuration endpoints never return secrets.

Vulnerability management

  • Automated dependency scanning (Snyk + pnpm audit) in CI; high/critical

findings block releases.

  • Penetration test booked as part of our SOC 2 readiness program.

Subprocessors

We use a small set of vetted subprocessors (Anthropic, Crisp, Slack, Browserbase, Stripe, our host, and Sentry). The current list is published in the DPA Template.

Reporting a vulnerability

Email [email protected]. We aim to acknowledge within one business day and will keep you updated through remediation. Please do not publicly disclose until we've had a chance to fix the issue.