Rivet helps businesses understand and optimize the economics of their card payments by analyzing payment performance and fee data. This page describes how we protect that data.
Rivet is built around data minimization: we ingest only the data we need, on a read-only basis. From a customer's payment platforms, Rivet retrieves:
Rivet's integrations are designed to accept only tokenized data. Our systems do not accept card numbers or security codes, and our product documentation instructs customers not to send them. Rivet has read-only access to the data it ingests and does not initiate, modify, or move funds.
Rivet receives only tokenized references and fee reporting data, on a read-only basis.
All data is encrypted in transit and at rest:
Rivet is hosted on Amazon Web Services (AWS). We rely on AWS's certified, enterprise-grade infrastructure for the physical security, availability, and environmental controls of the data centers that host our systems, and we build our application-level controls on top of that foundation.
Access to Rivet systems and data is restricted on a least-privilege basis:
Rivet logs and monitors activity across its systems to detect and respond to unusual or unauthorized activity, and maintains internal processes for investigating and responding to potential security events.
Rivet is designed so that PCI data never enters our systems. Because Rivet does not store, process, or transmit PCI data such as card numbers or security codes (CVV), Rivet's systems fall outside the scope of the Payment Card Industry Data Security Standard (PCI DSS).
We welcome reports from security researchers. If you believe you have found a security vulnerability in a Rivet system, please contact us at security@rivetbps.com so we can investigate and respond promptly.
If you have questions about Rivet's security practices or this page, please contact us at: