Security at Riovis
Your data is our highest priority. Security is built into every layer of the platform, from encryption to compliance.
TLS 1.3 - In transit
AES-256 - At rest
GDPR - Compliant
Encryption
All customer data is encrypted in transit and at rest using industry-standard algorithms.
- TLS 1.2+ for all data in transit, with TLS 1.3 preferred
- AES-256 encryption for all data at rest
- Cloud-managed key rotation and storage
- All database backups encrypted before storage
Data Protection
Your data stays yours. Tenant isolation, encryption, and strict retention policies protect your information at every stage.
- Tenant data isolation - your data is never mixed with other customers
- 72-hour breach notification commitment
- 30-day data export window after subscription ends
- Data Processing Agreement (DPA) available for all customers
Authentication & Access
Modern, phishing-resistant authentication with granular role-based access control.
- OAuth sign-in (Google, Apple)
- Role-based access control with granular permissions
- Automatic idle timeout with re-verification
- Scoped, expirable, and revocable API keys
Application Security
Security headers, input validation, and secure development practices protect the platform at the application layer.
- CSRF protection on all state-changing requests
- Content Security Policy (CSP) and HSTS headers
- Rate limiting on all public endpoints
- Webhook signature verification
- Dependency scanning on every build
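Webhook signature verification is listed above without detail. The following is an added example of how a receiving system typically validates a signed webhook; it is not Riovis's code, and the header names, the "timestamp.body" signing layout, and the 5-minute freshness window are assumptions made for illustration. It shows the two checks a verifier needs: a constant-time comparison of an HMAC over the raw body, and a timestamp window so that a captured delivery cannot simply be replayed later.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Hypothetical header names and signing layout (assumed, not Riovis's scheme).
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is older/newer than 5 minutes


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC means an attacker cannot reuse an
    old signature with a fresh timestamp.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(
    secret: bytes,
    headers: Dict[str, str],
    body: bytes,
    now: Optional[int] = None,
) -> bool:
    """Return True only if the delivery is fresh and the signature matches.

    `body` must be the raw request bytes, not a re-serialised JSON object,
    because any whitespace or key-order change would alter the MAC.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: reject, never "fail open"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = sign_payload(secret, timestamp, body)
    # compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(expected, provided)


def demo() -> Dict[str, bool]:
    """Run the verifier over constructed inputs; returns outcome per scenario."""
    secret = b"constructed-test-secret"            # constructed, not a real key
    body = b'{"event":"campaign.sent","id":"evt_123"}'  # constructed sample body
    ts = 1_700_000_000
    good = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign_payload(secret, ts, body)}
    return {
        "valid": verify_webhook(secret, good, body, now=ts + 10),
        "tampered_body": verify_webhook(secret, good, body + b" ", now=ts + 10),
        "replayed_late": verify_webhook(secret, good, body, now=ts + 600),
        "missing_timestamp": verify_webhook(
            secret, {SIGNATURE_HEADER: good[SIGNATURE_HEADER]}, body, now=ts
        ),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:>18}: {'accepted' if accepted else 'rejected'}")
```

The replay window does not stop a re-delivery inside the 5 minutes; a receiver that must be strictly once-only should also record delivery IDs it has already processed.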
AI Data Handling
Riovis uses AI to power content generation, campaign optimization, and other Riovis AI features. Your data is never used to train AI models.
No model training on your data
We enforce no-training API configurations with every AI provider we use. Your content and prompts are never used to improve third-party models.
Short-lived prompt logs
AI interaction logs are retained for 90 days for debugging and abuse detection, then permanently deleted.
Your data stays separate
Each customer's data, brand configurations, and generated content are isolated and never shared across accounts.
Incident Response
We maintain a documented incident response plan and commit to transparent communication if a security event affects your data.
- 72-hour notification to affected customers after confirming a breach
- Detailed incident reports including scope, impact, and remediation steps
- Post-incident review to prevent recurrence
- Regulatory notification where required by law
Compliance
Built for global privacy standards
Riovis maintains controls mapped to major data protection frameworks so your organization can meet its regulatory obligations.
GDPR / UK GDPR
Data subject rights, lawful processing bases, and cross-border transfer safeguards for EU and UK users.
CCPA / CPRA
Consumer data rights including access, deletion, correction, and opt-out of sale or sharing.
PIPEDA
Consent-based data handling and breach notification for Canadian users.
Texas TDPSA
Consumer data rights, purpose limitation, and data protection assessments.
CAN-SPAM / CASL
Consent management, identification requirements, and unsubscribe mechanisms for commercial email.
Responsible Disclosure
We value the security research community. If you discover a vulnerability in any Riovis system, please report it responsibly so we can address it promptly.
How to report
- Email your findings to security@riovisplatform.com
- Include a detailed description, steps to reproduce, and potential impact
- Allow reasonable time for our team to investigate and remediate
- Do not access, modify, or delete data belonging to other users
- Do not publicly disclose the vulnerability before we have resolved it
We commit to acknowledging receipt within 2 business days and providing a timeline for resolution.
Have security questions?
Our team is ready to discuss your security requirements or provide additional documentation.