Security
Last updated: June 15, 2026

Security is fundamental to how Rivet is built.

Rivet helps businesses understand and optimize the economics of their card payments by analyzing payment performance and fee data. This page describes how we protect that data.

01

Data handling

Rivet is built around data minimization: we ingest only the data we need, on a read-only basis. From a customer's payment platforms, Rivet retrieves:

  • Tokenized references — non-sensitive tokens that stand in for payment credentials and cannot be used to reconstruct a card number.
  • Interchange and fee-level reporting data — the transaction economics Rivet analyzes to identify savings and optimization opportunities.

Rivet's integrations are designed to accept only tokenized data. Our systems do not accept card numbers or security codes, and our product documentation instructs customers not to send them. Rivet has read-only access to the data it ingests and does not initiate, modify, or move funds.

Data Rivet Receives

Rivet receives only tokenized references and fee reporting data, on a read-only basis.

Diagram showing read-only data flow from your payment environment into Rivet. Tokenized references and fee reporting data flow in via read-only API. Card numbers and CVV stay within the payment environment and never enter Rivet.
02

Encryption

All data is encrypted in transit and at rest:

  • In transit: data exchanged with Rivet is encrypted using TLS 1.2 or higher.
  • At rest: data stored by Rivet is encrypted using AES-256.
03

Hosting and infrastructure

Rivet is hosted on Amazon Web Services (AWS). We rely on AWS's certified, enterprise-grade infrastructure for the physical security, availability, and environmental controls of the data centers that host our systems, and we build our application-level controls on top of that foundation.

04

Access controls

Access to Rivet systems and data is restricted on a least-privilege basis:

  • Access is granted only to personnel who require it, and only at the level needed to do their work.
  • Multi-factor authentication (MFA) is required for access to production systems.
  • Access follows role-based controls and is reviewed and revoked as roles change.
05

Monitoring and logging

Rivet logs and monitors activity across its systems to detect and respond to unusual or unauthorized activity, and maintains internal processes for investigating and responding to potential security events.

06

Compliance

Rivet is designed so that PCI data never enters our systems. Because Rivet does not store, process, or transmit PCI data such as card numbers or security codes (CVV), Rivet's systems fall outside the scope of the Payment Card Industry Data Security Standard (PCI DSS).

07

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a security vulnerability in a Rivet system, please contact us at security@rivetbps.com so we can investigate and respond promptly.

08

Contact us

If you have questions about Rivet's security practices or this page, please contact us at:

Rivet BPS Inc.
835 Fifth Ave
San Rafael, CA 94901
Email: security@rivetbps.com