Data Processing Agreement

Last updated: April 22, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Automate HQ, Inc. ("Riivet," "Processor") and the Customer identified in the applicable services agreement ("Controller"). It governs Personal Data that Processor handles on Controller's behalf in connection with the Riivet Service. This DPA is coterminous with the parties' main services agreement (the "Agreement") and applies wherever Processor processes Personal Data on Controller's behalf. Enterprise customers may execute a signed counterpart of this DPA on request.

1. Definitions

  • Applicable Data Protection Law means GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA (as amended by CPRA), and any other data-protection law applicable to a processing activity.
  • Personal Data has the meaning given in Applicable Data Protection Law.
  • Sub-processor means a third party engaged by Processor to process Personal Data on Controller's behalf.
  • Security Incident means a confirmed unauthorized access, disclosure, alteration, or loss of Personal Data.
  • Terms including Processing, Data Subject, Controller, Processor, and Supervisory Authority have the meanings given in GDPR.

2. Roles of the Parties

Controller is the data controller for Personal Data it enters into the Service, including Personal Data about its own users, its end customers, and related records. Processor acts as a data processor under GDPR (and as a service provider under CCPA) on Controller's documented instructions.

Processor does not sell Personal Data and does not share Personal Data for cross-context behavioral advertising. Nothing in this DPA permits Processor to use Personal Data for its own purposes beyond those stated in Annex 1.

3. Scope and Duration of Processing

  • Subject matter: provision of the Riivet platform.
  • Nature and purpose: as described in the Agreement, namely customer and project management, estimating, documents, workflow automation, and AI assistance.
  • Duration: the term of the Agreement plus any post-termination period required to return or delete data in accordance with this DPA.
  • Categories of Data Subjects and Personal Data: see Annex 1.

4. Processor Obligations

Processor will:

  • Process Personal Data only on Controller's documented instructions, including international transfers, unless required by applicable law (in which case Processor will notify Controller where legally permitted).
  • Ensure personnel with access to Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational measures described in Annex 2.
  • Assist Controller in responding to Data Subject requests (access, correction, deletion, portability) by providing appropriate technical features as set out in Section 8.
  • Notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident, with information sufficient for Controller to meet its own notification obligations.
  • Make information reasonably available to Controller to demonstrate compliance, and cooperate with audits per Section 9.

Processor will not: sell Personal Data; share Personal Data for cross-context behavioral advertising; use Personal Data to train AI models; or process Personal Data outside the purposes documented in this DPA and the Agreement.

5. Sub-processors

Controller authorizes Processor to engage Sub-processors to provide the Service. Processor's current list of Sub-processors is maintained in Annex 3 below.

Processor will: flow down equivalent data-protection obligations to Sub-processors; remain liable for Sub-processor acts and omissions to the same extent Processor would be; and notify Controller of proposed new or replacement Sub-processors at least 30 days in advance of their processing of Personal Data, giving Controller a reasonable opportunity to object.

If Controller reasonably objects on data-protection grounds, the parties will cooperate in good faith to resolve the objection; failing which, Controller may terminate the affected services without penalty.

6. International Transfers

To the extent Personal Data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred outside jurisdictions recognized as providing adequate protection:

  • The parties incorporate by reference the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914) Module Two (Controller → Processor).
  • For transfers of personal data from the United Kingdom, the parties incorporate by reference the UK International Data Transfer Addendum to the Standard Contractual Clauses.
  • For transfers of personal data from Switzerland, the parties apply the Standard Contractual Clauses with appropriate modifications consistent with the Swiss Federal Act on Data Protection.
  • The annexes of this DPA populate the corresponding annexes of the Standard Contractual Clauses (Annex I: transfer details; Annex II: technical and organizational measures; Annex III: sub-processors).
  • Execution. The Standard Contractual Clauses apply as if the parties had signed them separately.

7. Security Measures

Processor implements the controls in Annex 2 and maintains them commensurate with the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Processor will update the control list when a material change occurs. An overview of current controls is available on our Security page.

8. Data Subject Rights Assistance

Processor provides Controller with self-service tooling in the platform (including account deletion and data export capabilities) sufficient to fulfill most Data Subject requests. For requests Controller cannot fulfill via the platform, Processor will provide reasonable assistance on request.

If Processor receives a request directly from a Data Subject, Processor will not respond substantively except to acknowledge receipt, will promptly forward the request to Controller, and will await Controller's instruction.

9. Audits

Processor will make available information reasonably necessary to demonstrate compliance with this DPA, including its most recent SOC 2 report (when available), penetration-test summaries, and its security policies.

Controller may audit Processor's compliance no more than once per year (unless there is a reasonable cause such as a Security Incident), with 30 days' written notice, during business hours, at Controller's expense, and under confidentiality. Remote audits via questionnaire are the default; on-site audits are available on reasonable justification.

10. Return and Deletion

On termination or expiration of the Agreement, Processor will, at Controller's election, return or delete Personal Data within 30 days, except where retention is required by applicable law. Financial and insurance claim records are retained for 7 years to meet tax and statute-of-limitations obligations. Full retention detail is in our Privacy Policy.

11. Liability

Each party's liability under this DPA is subject to the aggregate liability cap in the Agreement. Where Applicable Data Protection Law permits no cap on certain claims, that cap does not apply to those claims.

12. General

  • Order of precedence. If this DPA conflicts with the Agreement on a data-protection matter, this DPA controls for that matter.
  • Assignment, notices, governing law, and disputes are as set out in the Agreement.

Annex 1 — Details of Processing

  • Categories of Data Subjects. Controller's users; Controller's end customers (property owners, insurance adjusters, agents, vendors, subcontractors, referral contacts).
  • Categories of Personal Data. Name, email, phone number, physical address, role, insurance policy number, claim number, project details, photos (with EXIF and GPS metadata stripped on upload), documents, notes, and financial records (invoices and payments).
  • Sensitive data. Insurance claim data; payment information (handled by third-party payment processors, not stored in Riivet directly unless integrated by Controller).
  • Frequency of processing. Continuous, for the duration of the Agreement.
  • Nature and purpose of processing. Storage, retrieval, display, and transformation of Customer Data to provide the contracted restoration-management service.
  • Retention. Active-use retention for the duration of the Agreement; 30-day grace period after account deletion; 7-year retention of financial and insurance claim records.

Annex 2 — Technical and Organizational Measures

Summary of controls in place as of the effective date (full detail available on our Security page):

  • Access control. Role-based access, PostgreSQL Row Level Security enforcing tenant isolation on every customer-data table, multi-factor authentication on administrative accounts, and quarterly access reviews.
  • Encryption. TLS 1.2+ in transit and AES-256 at rest, with Supabase-managed disk encryption.
  • Change management. All production changes via pull request with peer review, pre-push automated gates (typecheck, delete-safety, destructive-migration guard, types drift, RLS audit), and tagged git releases.
  • Backups. Daily encrypted backups plus 7-day point-in-time recovery on the primary database.
  • Monitoring. External uptime monitoring, application error monitoring (PII-scrubbed), and structured logging.
  • Incident response. Documented playbook with severity levels and a 72-hour breach-notification commitment.
  • Secure development. Strict TypeScript mode, input validation on every API route, dependency vulnerability scanning, and documented secret-rotation cadence.
  • Data minimization. EXIF and GPS metadata stripped from uploaded images before storage; PII scrubbed from error telemetry.
  • Vendor management. Documented inventory of Sub-processors with risk tier and review cadence.

Annex 3 — Sub-processors

The current list of Sub-processors is set out below as of the effective date.

Sub-processor              | Function                          | Location    | Transfer mechanism
---------------------------|-----------------------------------|-------------|---------------------------
Supabase                   | Database, auth, storage, realtime | US          | SCCs (via Supabase DPA)
Cloudflare                 | CDN, worker runtime               | Global      | SCCs (via Cloudflare DPA)
Vercel                     | Application hosting               | Global      | SCCs (via Vercel DPA)
OpenRouter                 | AI inference routing              | US          | Provider training opt-out
Anthropic (via OpenRouter) | AI model inference                | US          | Provider training opt-out
Resend                     | Transactional email               | US          | SCCs
Retell AI                  | Voice agent / call handling       | US          | SCCs
Google Maps / Places       | Address autocomplete              | US / Global | Google's standard terms

Updates to this list are managed under Section 5.

Contact

Questions about this DPA? Contact legal@riivet.ai. Privacy-specific requests: privacy@riivet.ai.