Security

How we protect your data, credentials, and your customers' information across the Rivet platform.

  • Encryption at rest: AES-256 (credentials & sensitive fields)
  • Encryption in transit: TLS 1.2+ (all API and web traffic)
  • Message log retention: 90 days (configurable per workspace)

Infrastructure

Rivet runs on a dedicated VDS hosted in Germany (Hetzner). Data is processed in Germany and transferred to South Africa in accordance with our Privacy Policy. Our infrastructure is managed through code-reviewed deployment pipelines with no direct production access granted to individual engineers outside of audited break-glass procedures.

  • Isolated network boundaries between customer workspaces
  • Automated vulnerability patching for OS and runtime dependencies
  • Database backups taken daily with point-in-time recovery
  • Platform uptime monitored continuously — see status.rivetsoftware.dev

Data Encryption

All sensitive data is encrypted both in transit and at rest. We do not store plaintext credentials anywhere in the system.

At rest

  • WhatsApp access tokens: AES-256
  • Webhook signing secrets: AES-256
  • Database storage: encrypted at the volume level
  • Backups: encrypted before transmission to storage

In transit

  • All web and API traffic: TLS 1.2+
  • Webhook deliveries: HTTPS only, signed payloads
  • Meta Graph API calls: enforced HTTPS
  • Internal service communication: mTLS where applicable

Access Controls

Access to production systems follows the principle of least privilege. Internal access is reviewed regularly and revoked promptly upon role changes.

  • Role-based access control (RBAC) enforced across all workspaces
  • Multi-factor authentication required for all internal accounts
  • Customer data is isolated per workspace — no cross-tenant data access
  • Rivet staff cannot read your WhatsApp message content without explicit audit justification
  • All privileged access is logged and auditable

WhatsApp & Meta Credential Security

Your WhatsApp Business Account credentials are among the most sensitive data we hold. We treat them accordingly.

  • Access tokens obtained via Meta's Embedded Signup are encrypted immediately on receipt using AES-256
  • Tokens are never logged, never stored in plaintext, and never transmitted outside of encrypted channels
  • WABA IDs and phone numbers are stored separately from their associated tokens
  • Periodic token rotation is supported and recommended
  • We comply with Meta's Platform Terms and WhatsApp Business Solution Provider security requirements

Rivet operates as a Meta Business Solution Provider (BSP) and is bound by Meta's data security policies in addition to our own. We do not share your WhatsApp credentials with any third party.

Application Security

Security is built into our development process, not bolted on afterward.

  • All code changes go through peer review before merging to production
  • Dependencies are scanned for known vulnerabilities on every build
  • Input validation and output encoding applied at all API boundaries
  • Rate limiting and abuse detection on all public-facing endpoints
  • API authentication via short-lived tokens — no long-lived shared secrets exposed to client code
  • Security-focused code reviews for any change touching auth, billing, or credential handling

Data Handling & Retention

We collect only what is necessary to run the service and retain it only as long as required.

  • Message logs and automation run data are retained for 90 days by default
  • Retention periods are configurable per workspace on Business and Agency plans
  • Customer data is deleted or anonymised within 30 days of account termination
  • We do not sell customer data or WhatsApp contact lists to any third party
  • Sub-processors (hosting, payments, analytics) operate under data processing agreements

For full details on data collection and use, see our Privacy Policy.

Incident Response

In the event of a security incident affecting customer data, we follow a structured response process.

  • Affected customers are notified as soon as reasonably practicable and no later than required by POPIA
  • Notifications include the nature of the incident, data affected, and steps taken
  • We report to the Information Regulator of South Africa where legally required
  • Post-incident reviews are conducted to prevent recurrence

Responsible Disclosure

If you believe you have found a security vulnerability in Rivet, we ask that you report it to us responsibly before making it public. We take all reports seriously and commit to acknowledging receipt within 2 business days.

Please include as much detail as possible: steps to reproduce, potential impact, and any proof-of-concept. We ask that you do not access, modify, or delete customer data during your research.

We do not currently offer a bug bounty programme, but we genuinely appreciate responsible researchers who help keep our customers safe.