Trust Center
The operational facts behind our privacy and DPA commitments.
Security controls, compliance status, sub-processors, and incident response. All in one place. Honest about what is certified, what is in progress, and what is not.
Honest status
Rivolq is not currently SOC 2, ISO 27001, HIPAA, or PCI-DSS certified.
We're executing a SOC 2 Type I readiness program with the intent to pursue Type II attestation. The compliance roadmap below shows where each program stands today. If a specific certification is required for your procurement process, contact security@rivolq.com and we'll tell you what we can deliver in the engagement timeline you need.
Security controls
What we do, in eight categories.
Encryption
TLS 1.2+ in transit. Encryption at rest as provided by the underlying infrastructure (PostgreSQL on Heroku, object storage on Supabase). Passwords stored only as bcrypt hashes; sensitive application secrets encrypted at the application layer.
Authentication
MFA available to every user (TOTP and WebAuthn/passkeys). Enterprise SSO via Google, Microsoft Entra ID, and SAML. Configurable MFA enforcement. Rate limiting on authentication endpoints; Cloudflare Turnstile on signup.
Authorization & isolation
Role-based access control with least privilege. Multi-tenant isolation enforced at the application layer (org-scoped queries) and the database layer (PostgreSQL row-level security). Elevated-privilege access by Rivolq personnel is audited and requires a documented business reason.
Logging & audit
Authentication, administrative actions, exports, deletions, and elevated-privilege access recorded in tamper-resistant audit logs. Workspace-level Decision Ledger and activity logs exposed to customers.
Monitoring & incident response
Real-time error and exception monitoring with on-call rotation for severity-1 alerts. Documented incident response procedure. 72-hour breach notification to affected customers, per the DPA.
Resilience
Automated daily database backups retained according to the host's rotation policy (typically up to 30 days). Documented recovery procedures with periodic restoration testing. A stateless application tier permits horizontal recovery.
Vulnerability management
Static application security testing and linting on every change. Code review required for production. Vulnerability monitoring of third-party dependencies with a documented patching cadence and emergency patching for high-severity findings.
Personnel security
Confidentiality obligations in employment and contractor agreements. Security and privacy training on hire and annually. Access provisioned on least privilege; reviewed periodically and revoked on role change or departure.
Compliance roadmap
Programs, by current status.
| Program | Status | Detail |
|---|---|---|
| SOC 2 Type I | In progress | Readiness program underway; expected Q4 2026. |
| SOC 2 Type II | Planned | Sequenced after Type I; 12-month observation window. |
| GDPR / UK GDPR | Active | EU SCCs Module Two + UK Addendum incorporated into the DPA. |
| CCPA / CPRA | Active | Service-provider commitments in DPA Annex IV. |
| ISO 27001 | Not pursued | No active certification track. May add post-SOC 2. |
| HIPAA / BAA | Available on request | Customer-by-customer BAA negotiation; not a default. |
| PCI-DSS | Not in scope | Rivolq does not store cardholder data; payments via sub-processor. |
Documents
What you can read or hand to your security team.
Privacy Policy
Data we collect, how we use it, your rights.
Terms of Service
Subscription terms, AUP, liability, dispute resolution.
Data Processing Agreement
GDPR Art. 28 processor terms with SCCs, UK Addendum, sub-processor list.
Sub-processors (DPA Annex III)
14 sub-processors with hosting region and data categories.
Technical & organizational measures (Annex II)
Full security control set.
Breach notification commitment (DPA § 6)
72-hour notification with rolling detail.
Contact
Security and privacy questions go to the right people, fast.
Rivolq, operated by Rivolq LLC, Monroe, Louisiana