Security

Riven AI is built for production workloads. We follow industry best practices for application security, infrastructure security, and operational controls. This page summarises the program; if you need additional detail, contact security@riven.dev.

We welcome reports from security researchers. Email security@riven.dev with a clear reproduction. We aim to acknowledge reports within 2 business days and to keep researchers informed of remediation progress.

Good-faith research conducted under this policy is not subject to legal action by Riven AI. Do not access data that does not belong to you, do not degrade service, and do not publicly disclose details before we have had reasonable time to remediate.

• In transit: TLS 1.2+ on all customer-facing and internal endpoints. HTTPS is enforced; HTTP redirects to HTTPS.
• At rest: AES-256 encryption on databases, object storage, and backups using AWS KMS-managed keys.
• Key management: AWS KMS. Production keys are scoped per workload via IAM and IRSA; rotation policies follow AWS defaults.

• Hosting: AWS (primary region us-east-1).
• Compute: Amazon EKS with workload-scoped IAM via IRSA. No shared root credentials in pods.
• Databases: Amazon RDS PostgreSQL with encryption at rest and automated backups.
• Container images: Stored in Amazon ECR with immutable tags and vulnerability scanning enabled.
• Edge: Cloudflare for DNS, WAF, and DDoS mitigation. Cloudflare Turnstile gates public form submissions.

• Authentication via Better Auth with EdDSA-signed JWTs and JWKS-based key rotation. Tokens have short expiration windows; refresh tokens are rotated on use.
• Authorization via OpenFGA, an open-source implementation of Google's Zanzibar relationship-based access control model. Every privileged request is checked against an authoritative authorization model.
• Server-side sessions use secure, HTTP-only, SameSite cookies. Cross-subdomain session sharing is scoped to .riven-ai.dev.
• MFA (TOTP) available for administrative accounts.
• Internal admin access to bo.riven-ai.dev is restricted to tailnet-only via Tailscale subnet routing.
• Audit logs cover privileged actions; sensitive endpoints record both subject and resource.

• All code changes require pull request review before merging.
• CI runs typecheck, unit tests, and dependency-vulnerability scans on every PR.
• Secrets are detected at commit-time and never committed to source.
• Production deploys are gated; we never deploy unreviewed code.

• Metrics: Prometheus + Grafana dashboards covering request latency, error rates, queue depth, and resource saturation.
• Logs: Loki for structured log aggregation across services and infrastructure.
• Tracing: OpenTelemetry-instrumented services for end-to-end request visibility.
• Alerting on anomalous behaviour (error-rate spikes, latency regressions, repeated authentication failures).
• VPC isolation with private subnets — internal services are not directly exposed to the public internet; all ingress passes through the API gateway and edge controls.

Riven AI follows the security controls described above. We are not currently SOC 2, ISO 27001, or HIPAA certified. We do not make compliance claims we have not earned. If you require formal attestation as part of procurement, contact legal@riven.dev — we are happy to discuss the roadmap.

Security questions: security@riven.dev. Procurement and questionnaire requests: legal@riven.dev.