Security at Rivora
The controls that protect your data, where it is processed, and the assurance work in progress. Last updated 22 June 2026.
Rivora Product OS is designed to help teams work with valuable product, customer and technical context. Protecting that context is part of how we design and operate the service.
Rivora is currently in controlled early access. This page explains the controls operating today, where data is processed, and the assurance work still in progress.
Product and access security
Workspace-scoped access
Customer content is organised into tenant and workspace boundaries. Rivora applies authenticated, role-aware and workspace-scoped authorisation so users can access only the workspaces and product information available to their account.
Access to customer content by Rivora personnel is limited to authorised access required to operate, secure or support the service.
Managed authentication
Rivora uses Auth0 for authentication and validates signed identity tokens before allowing API access. Multi-factor authentication is enforced for client users. Enterprise single sign-on is planned but is not currently available.
Human-controlled handoff
AI-generated feature-pack content is presented as draft material for review. Rivora's workflow keeps approval explicit before content becomes ready for controlled export or downstream handoff.
Cloud and data security
Hosting and data location
Rivora's production backend, core application database and customer artefact storage are hosted in the AWS Sydney region. The AWS deployment operates across two availability zones to reduce dependence on a single zone. The marketing website and product frontend are delivered through Vercel.
Selected providers involved in authentication, AI processing, analytics and email may process limited data outside Australia. Our Privacy Policy explains these providers and purposes in more detail.
Encryption
Core customer data is encrypted in transit using TLS and encrypted at rest in managed database and object-storage services. Customer artefacts are stored in private object storage with public access blocked. Time-limited signed links are used where the product needs to provide controlled file access.
Network and secrets protection
The production database is not exposed through a public internet endpoint. Application secrets are stored in managed secret-storage services rather than in source code, and AWS workloads use role-based credentials where supported.
Customer content and AI
Rivora sends selected context to approved AI providers only when needed to perform requested generation or retrieval functions.
Rivora does not use customer content to train general-purpose AI models and does not opt in to provider training using customer API data. AI-generated content remains subject to human review because model outputs can be incomplete or inaccurate.
Product memory, review history and retrieval data are maintained within the relevant customer workspace to support that customer's Rivora workflows.
Reliability and operational controls
Availability, backups and recovery
Rivora operates across two AWS availability zones and has tested failover switching between them.
Rivora maintains automated database backups and point-in-time recovery for the configured retention period. Backup restoration procedures are tested and reviewed as the service develops.
Monitoring and auditability
Rivora uses automated infrastructure and application monitoring with alerting for operational issues. Key product and infrastructure actions are logged to support investigation, troubleshooting and accountability.
Incident response
Rivora maintains an incident-response process to investigate and contain security events, preserve relevant evidence and notify affected customers where required by law or contract.
Secure development
Rivora separates production from non-production environments and uses automated tests and code-review controls in its delivery workflow. Dependencies and production configuration are reviewed as part of ongoing security maintenance.
Customer production content is not intentionally copied into local or test environments except where specifically authorised and protected for support or incident investigation.
Privacy, exports and deletion
Customers can export supported feature-pack outputs in the formats available within Rivora. Customers may also request access to, correction of or deletion of applicable personal information and workspace content.
Deletion requests are handled subject to security logs, legal obligations, contractual requirements and the normal expiry of protected backups. See our Privacy Policy and Terms of Service for more information.
Compliance status
Rivora is an early-stage platform built on AWS security best practices. Rivora is not currently SOC 2 or ISO 27001 certified. We are happy to discuss our security practices in detail and to work with your team's security requirements during a pilot.
Security questions and vulnerability reports
For security questions or to report a suspected vulnerability, contact anurag@rivoraconnect.com.au.
Please do not include sensitive customer content, credentials or exploit details in an initial email. We will arrange an appropriate channel if additional information is needed.