Security
Security is foundational to Rivan because we process your customers' support conversations. This page summarises our controls; the internal hardening detail lives in docs/launch/SECURITY.md.
Data protection
- Encryption in transit: TLS 1.3 on all endpoints.
- Encryption at rest: per-tenant credentials encrypted with AES-256-GCM
using isolated keys.
- Tenant isolation: row-level security (RLS) on every tenant table; the
application uses least-privilege database roles.
Access control
- Role-based access control (Owner / Admin / Member) enforced in code.
- Append-only audit logging of sensitive actions (logins, config changes,
credential changes, approvals, member changes).
The agent boundary
The AI agent receives ticket transcripts as clearly delimited data, not instructions, and is hardened against prompt injection. It cannot read another tenant's data, and configuration endpoints never return secrets.
Vulnerability management
- Automated dependency scanning (Snyk +
pnpm audit) in CI; high/critical
findings block releases.
- Penetration test booked as part of our SOC 2 readiness program.
Subprocessors
We use a small set of vetted subprocessors (Anthropic, Crisp, Slack, Browserbase, Stripe, our host, and Sentry). The current list is published in the DPA Template.
Reporting a vulnerability
Email [email protected]. We aim to acknowledge within one business day and will keep you updated through remediation. Please do not publicly disclose until we've had a chance to fix the issue.