Security Practices
Vulnerability Management
Rivery has implemented a continuous vulnerability program for early detection and remediation of vulnerabilities. We combine an internal scanning process, which leverages AWS tools (e.g., Amazon Inspector) to automatically assess exposure and vulnerabilities within our network and infrastructure, with external vulnerability scanning by third-party security vendors to identify potential vulnerabilities in externally facing assets. Vulnerabilities are remediated by applying patches, making code or infrastructure changes, or other procedural means as needed.
Penetration Testing
Annual penetration testing is performed on our application and its underlying infrastructure, using a gray-box methodology and covering the OWASP Top 10 as a minimum. Our customers receive executive summaries of penetration test reports (under NDA).
These reports include test results as well as any measures taken to address any concerns that were discovered.
Configuration and Patch Management
Rivery employs centrally managed configuration management systems, including infrastructure-as-code systems through which predefined configurations are enforced on its servers, as well as the desired patch levels of the various software components.
Physical Security
Rivery relies on AWS global infrastructure located in the US, including the facilities, network, hardware, and operational software (e.g., host OS, virtualization software) that support the provisioning and use of basic computing resources and storage.
This infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards: FedRAMP, HIPAA, ISO 27001:2013, AICPA SOC 1, SOC 2, SOC 3, PCI-DSS, and more. AWS constantly updates its compliance programs. For a full and up-to-date list see here:
Physical access to Rivery’s offices is restricted to authorized personnel using a designated access control system. The access is available to the company’s employees only. Visitors at the offices are accompanied by the company’s employees while on-premises.
Third-Party Functionality
Rivery may combine personal information you provide with information obtained from other sources, such as our Customers, data providers, business partners, such as joint marketing partners and event co-sponsors, and publicly accessible sources, such as social media platforms. However, Rivery does not gather PII through these services.
Our privacy policy provides further information.
Organizational Security
Rivery has established a set of organizational measures that follow leading practices and ensure our security posture is maintained with rigid controls and processes such as:
Organizational Structure:
Security issues are paramount to our business and are supervised by our dedicated CISO. Security issues are reported directly to the company’s management, which includes the co-founder and chief architect and the co-founder and CTO, as well as the CEO on strategic issues. Rivery has founded a dedicated committee, which includes all relevant stakeholders, to discuss infosec and risk issues on a quarterly basis.
Information Security Policies:
Rivery maintains a comprehensive and clear acceptable use policy, which is communicated to all employees and contractors. The policies outline the acceptable use of all equipment, information, electronic mail, computing devices and network resources. We ensure that our employees understand and comply with information security policies to minimize the risk of virus attacks, legal issues and compromised systems or services. All of Rivery’s security policies are maintained and annually reviewed as part of the SOC certification.
Vulnerability Awareness Training:
Our key focus for our employees is security education.
All of our employees are well-versed in security best practices and good habits in order to avoid ransomware and malware.
Risk Assessment Framework:
The process of Risk Assessment is a critical component of Rivery’s internal control system. The purpose of Rivery’s Risk Assessment process is to identify, assess and manage risks that affect the organization’s ability to achieve its objectives. As part of the Risk Assessment process, a specific procedure has been adopted to identify, assess, and minimize security and privacy risks of projects, systems, or policies that involve the collection, use, or disclosure of personal data (“Data Protection Impact Assessments”).
Confidentiality Procedures
Rivery has implemented security measures to ensure the confidentiality of its customers’ sensitive personal information (SPI). The security measures aim to prevent unauthorized access, disclosure, alteration, or destruction of sensitive personal information.
Customer data has a single classification according to Rivery’s information security policy. The company obtains commitments from vendors and other third parties that may have access to personal information processed by the systems. Third-party infrastructure providers sign confidentiality agreements with Rivery to maintain system confidentiality, which conforms to Rivery’s confidentiality policy.
Breach Management & Notifications
Rivery creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information.
We obtain commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures.
While organizations like Rivery do everything possible to protect against and prevent data breaches, they may occur. In the event of a breach, it’s important to feel confident that you will be notified in a timely manner. When a data breach is discovered, Rivery notifies the individuals who are affected. We are strong believers in transparency.
Network Security
We design our networks and access control policies very carefully, following the principle of least privilege within our system. Our data pipeline is designed to ensure that data is always encrypted, whether at rest or in motion.
- Network Segregation is used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems, thus mitigating an attacker’s ability to access unauthorized resources and perform lateral movement.
- AWS Virtual Private Cloud (VPC) - Rivery makes use of an AWS VPC. Rivery's production environment is only accessible to authorized individuals whose job function requires it, with the least privilege.
- Rivery's VPC network is private, and we only provide client access to our console.rivery.io and API services. We connect to the internet via NAT Gateway.
- Restricted AWS Security Groups safeguard all servers, allowing only the bare minimum of connectivity to and between them. AWS Security Groups can only be configured by authorized individuals.
- Intrusion Prevention – Monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress points. These tools monitor server and network usage, port scanning activities, application usage and unauthorized intrusion attempts.
- Denial of Service (DoS) Protection – AWS security monitoring tools can identify a variety of denial of service (DoS) threats, including distributed, flooding, and software/logic attacks. As a mitigation layer, we use AWS WAF. The AWS incident response mechanism is launched when a DoS attack is discovered. In addition to the DoS preventive mechanisms, each region has redundant communications providers and additional capacity to protect against DoS attacks.
- Identity and Access Management (IAM) – IAM web service is used to control users' access privileges and to interact securely with AWS resources.
- Anomaly Detection - Anomaly-based security monitoring has been deployed to continuously collect cloud configuration and audit events as well as network/process information and container-related vulnerabilities to establish a baseline of normal expected behavior.
- Multi-Factor Authentication – All Rivery employee accounts with access to sensitive resources require 2-factor authentication.
Application Security
- Web Application Firewall (WAF) – Deployed to protect Rivery’s sensitive domains against application-level attacks such as those listed in the OWASP Top 10, and to provide additional visibility into web vulnerabilities.
Privacy by Design ‘Shift left’ - To help ensure the delivery of highly secure services to customers, security and privacy by design are an inherent part of Rivery’s Software Development Life Cycle. We follow the ‘shift left’ approach, which integrates security from the earlier phases of development.
For applications to be designed and implemented with proper security requirements, secure coding practices that focus on privacy and security risks are integrated into day-to-day operations and in the development processes. Changes affecting the level of security, privacy, availability, and confidentiality issues within the production environment are reviewed as part of risk assessment sessions.
Strong Password Policies – Rivery’s strong password policy requirements govern the creation, protection, and frequency of password changes. These requirements follow industry best practices and serve as a baseline or minimum recommended password requirement.
Additional measures include account lockout policies and anti-bot mechanisms to protect against dictionary-based, brute-force attacks.
- Single sign-on (SSO) and two-factor authentication – Our platform integrates with many SAML 2.0 compliant services to provide users with a single sign-on (SSO) solution. When using the SSO integration, organizations can require their employees to use a strong authentication factor, in addition to their password, when they sign in.
- Application session time-out - We help to secure user accounts with an application session time-out. Once an inactive or idle session is timed out, users must re-authenticate to access their account.