Internal Security

  • Network Encryption
    Data routed within our infrastructure stays inside a Virtual Private Cloud (VPC) and is secured and encrypted using Transport Layer Security (TLS).
  • Data Storage
    Rivery does not retain client data. If temporary data storage is required to execute your pipeline, Rivery can assign a designated FileZone for the account to hold the temporary data, or you can use your own FileZone to store the temporary data.
  • Passwords
    We use AWS Key Management Service (KMS) to encrypt and decrypt passwords, credentials and other sensitive data. All of our users’ credentials are encrypted with an association to each user and account.
  • Hosting
    Rivery environments are hosted on Amazon Web Services. Their physical and virtual resources are compliant with the highest standards, such as SOC 1, 2, 3 and HIPAA.


Product Security

  • Connectivity
    Data traveling both to and from your integrations is protected. Rivery supports a variety of connection methods for when you need an extra layer of secure connectivity. This includes:

  • User access & control
    With fine-grained user access and control, you can allow multiple teams to use the Rivery platform simultaneously without accessing projects they are not permitted to see.
  • SSO (Single Sign-on)
    Centrally manage your access policies.
  • Environments
    Create multiple environments, each walled off from the others, and each with its own fine-grained access controls and connection credentials.

Certifications

SOC 2 (Type II)
Rivery undergoes an independent SOC 2 (Type II) review every year. Additionally, Rivery performs proactive security measures such as periodic penetration testing to stay ahead of the curve.
HIPAA
Rivery complies with HIPAA requirements for Protected Health Information (PHI) and will sign an appropriate Business Associate Agreement (BAA) with customers who are subject to HIPAA.
GDPR
Rivery is fully compliant with the European Union’s General Data Protection Regulation (GDPR).
ISO 27001
Rivery has received ISO/IEC 27001:2013 certification, recognizing our commitment to the highest level of information security.

Frequently Asked Security Questions

  • Is it possible to install Rivery on my own servers (on-premise)?
    Rivery is a cloud-based, entirely SaaS solution and does not provide an “on-premise” version.
  • In what ways is SaaS better than On-Premise?
    As a SaaS provider, we are responsible for all maintenance and operations. On-premise deployments, on the other hand, demand time, personnel, and equipment to keep everything current.

    Our SaaS systems are highly secure, with expert supervision of network and server security. SaaS is also more cost-effective, and we assist with business continuity during times of crisis.

    Your compute and storage needs can be easily scaled up with minimum time and effort as the business grows.
  • Does Rivery comply with recognized data security standards?
    Rivery is SOC 2 Type II certified and is GDPR and HIPAA compliant.
  • What type of data does Rivery store to provide its service?
    Customers have complete control over the data that is transferred via Rivery’s service. Unless requested otherwise, Rivery does not keep customer data longer than is absolutely necessary to process it. Data is erased after 48 hours at the most.
  • What are the connection methods supported by Rivery?
    Rivery supports a variety of connection methods, including SSH tunnels, Private Link, and VPN tunnels.
  • What are the options Rivery provides for platform authentication?
    Rivery offers a variety of authentication methods, including SSO, Google OAuth 2.0, and user/password, depending on the customer’s preferences.
  • Does Rivery support adding strong authentication when using SSO or Google OAuth 2.0 as the preferred authentication method?
    Yes, it is possible to use multi-factor authentication.
  • Does Rivery support integrating Azure Active Directory and using our own credentials?
    Yes, this is supported by Rivery.
  • Does Rivery support user role-based access?
    Yes, these capabilities can be managed by the Administrator.
  • What measures are employed to protect our backup data?
    We only back up metadata identifiers for GDPR compliance and user analytics, not customer data.
  • Does Rivery have a Disaster Recovery Plan (DRP)?
    Rivery has created a disaster recovery plan that is based on AWS systems that are SOC 2 Type II and ISO 27001:2013 certified. Service interruptions due to hardware failure, natural disasters, or primary data center outages are minimized using the DRP design. Every year, a DR test is conducted.
  • Do you encrypt data at rest?
    We encrypt all data at rest based on AWS configurations. Customer data at rest is encrypted and hosted in separate storage services provided by AWS. Encryption is deployed with Amazon S3, which uses AES-256 encryption.
  • Do you encrypt data in transit?
    All traffic between the customer’s client and Rivery’s platform is encrypted using a secure TLS connection. Encryption is enabled between Rivery’s customers and the app, as well as between Rivery’s sites.
  • Is Rivery penetration tested?
    Our system is subjected to annual penetration testing by independent third-party security vendors, who use a gray-box approach and at a minimum cover the OWASP Top 10.
  • Do you obtain and document consent from the data subject when collecting, using, or disclosing privacy-related data?
    Yes, see Rivery’s privacy policy for more details.
  • Does Rivery make a reasonable attempt to keep the collection, usage, and storage of privacy-related data to the bare minimum required to achieve the data’s intended purposes?
    Yes. Rivery does not save or sniff any data that passes through our customers’ pipelines (Rivers). Furthermore, client data is only kept for the duration of the pipeline’s processing and is erased after a maximum of 48 hours. It is also worth pointing out that this is configuration-dependent: if a customer chooses to use their own landing zone, Rivery will not save any information.
  • Do you process or will you process any Personal Data on our behalf as part of the service you provide?
    Rivery only handles personal information that has been shared with us.
  • What type(s) of data are you processing that may be saved in storage?
    Client contact and financial data, as well as configuration and performance data, are required for the engagement.
  • In which locations does data processing take place?
    Our environment’s data is processed at AWS data centers. The physical locations are the US (us-east-1 in Virginia) and Europe (eu-west-1 in Ireland and eu-central-1 in Frankfurt).
  • Does Rivery have a process for deleting all or a subset of Personal Data in response to a specific request and/or contract termination?
    In accordance with GDPR, we comply with customer requests to remove all personal data.
  • Do you have a mechanism in place to detect, assess, monitor, and respond to security risks posed by third-party service providers?
    Rivery’s third-party providers sign confidentiality agreements with Rivery to ensure that system confidentiality is maintained, in line with Rivery’s policy. Prior to onboarding new suppliers, Rivery runs a third-party assurance process, which includes completing and approving vendor due diligence reviews.
  • Do you keep track of all security issues and have a documented incident response plan?
    Yes, we can share this information after signing a non-disclosure agreement.


If you have any questions or comments regarding Rivery’s security policy, please contact: security@rivery.io