Security

Your data is our highest priority

Riivet is built under the SOC 2 Trust Services Criteria, with controls documented and operating today. We protect restoration data with the same rigor we bring to building the product.

Tenant Isolation

Every customer-data table is protected by PostgreSQL Row Level Security. Organization ownership is derived server-side from the authenticated JWT, never from a client request body, so cross-org reads are impossible by design.
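The pattern described above, expressed as an added PostgreSQL example (this is illustrative code, not Riivet's own schema or policies). It assumes a `work_orders` table with an `org_id` column and that the API layer, after verifying the JWT, exposes its claims to the database through a session setting named `request.jwt.claims` (the convention PostgREST and Supabase use; any setting name works the same way). The check at the end is the kind of RLS regression test the Change Management section refers to.

```sql
-- Added example, not Riivet's schema: a customer-data table isolated per organization.
CREATE TABLE work_orders (
  id     bigserial PRIMARY KEY,
  org_id uuid NOT NULL,
  title  text NOT NULL
);

ALTER TABLE work_orders ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner too, not only to other roles.
-- (Superusers and roles with BYPASSRLS still bypass it, so the app role must be neither.)
ALTER TABLE work_orders FORCE ROW LEVEL SECURITY;

-- The organization comes from the verified JWT claim the server placed in the session,
-- never from anything the client sent in a request body. An absent claim yields NULL,
-- and NULL never compares equal, so an unauthenticated session sees no rows at all.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'org_id')::uuid
$$;

CREATE POLICY org_isolation ON work_orders
  USING       (org_id = current_org_id())   -- rows visible to SELECT/UPDATE/DELETE
  WITH CHECK  (org_id = current_org_id());  -- rows written by INSERT/UPDATE must stay in-org

-- Regression check (constructed claim values): acting as org A, a row that names org B
-- in its body is rejected, and org B's rows are simply invisible rather than an error.
SET request.jwt.claims = '{"org_id":"11111111-1111-1111-1111-111111111111"}';

INSERT INTO work_orders (org_id, title)
  VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
-- ERROR: new row violates row-level security policy for table "work_orders"

SELECT count(*) FROM work_orders
 WHERE org_id = '22222222-2222-2222-2222-222222222222';
-- 0 rows: the filter is applied inside the database, after the WHERE clause
```

Two things a reviewer would check when auditing a policy like this: that the application connects as a role that is neither a superuser nor the table owner without `FORCE`, and that every table holding customer data has a policy (a table with RLS enabled but no policy denies everything, while a table without RLS enabled at all is fully open to the role).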

Encryption

All data is encrypted in transit with TLS 1.2+ and at rest with AES-256. File downloads use expiring signed URLs. Admin platform access requires MFA on every service we depend on.

PII Minimization

Image EXIF and GPS metadata are stripped on upload, so property-owner home coordinates never leave the device. Error telemetry is PII-scrubbed before it leaves our infrastructure.

Authentication

Authentication uses magic links and one-time codes, so there are no passwords to phish or leak. Every auth endpoint is rate limited, both per IP and per email address, and every request to an AI worker has its JWT verified.

Backups & Recovery

Daily encrypted backups with 7-day point-in-time recovery on the primary database. Manual snapshots before every destructive migration. Tested recovery procedure documented in our incident response playbook.

Change Management

Every production change requires peer review on a pull request. Automated pre-push gates block typecheck errors, destructive migrations, unsafe deletes, type drift, and RLS regressions. Deploys are explicit and tagged.

Compliance

Built under the SOC 2 Trust Services Criteria

Our current posture

Riivet's security practice is designed to meet the SOC 2 Security, Confidentiality, and Availability criteria. Our written policies cover security, access control, change management, incident response, data retention, vendor management, and secrets rotation. They are documented and in active use. The controls above are operating today.

Type II audit roadmap

We are preparing for our first formal SOC 2 Type II audit. Our observation window is targeted to begin in 2026, with our initial Type II report expected in 2027. Until the signed report is available, we are happy to share our internal security policies and pre-audit documentation with enterprise prospects under NDA.

Data Processing Agreement: Read our DPA
Report a vulnerability: security@riivet.ai

Questions about security?

Enterprise security teams and procurement reviewers can request our security policies and pre-audit documentation under NDA.
