Riva CRM Integration - Documentation and Knowledge Base

Statement on Security & Privacy

Article ID: 2479
Last updated: 17 May, 2024

Applies to Riva Bookings and Riva Sales Engagement features like Cadences, Email Burst, Opens & Clicks, and Email Templates.

Riva Bookings - Statement on Data Storage and Employee / Customer Privacy 

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Riva Bookings is maintained within the application, to ensure that the meeting can be updated and/or canceled.

No Outlook data that may contain personally identifiable or confidential information is retrieved during the availability lookups and available time calculations. Existing calendar meetings and appointment details (fields like subject, body, attachments, recipients, and attendees) that are created in Outlook are never stored by Riva Bookings.   
 

Statement on Data Security 

  • Deployed to a dedicated Riva Bookings customer environment on Amazon Web Services
  • Region: N. Virginia (US-East-1) 
  • End-to-End Network Encryption  
  • HTTPS with TLS 1.2 
  • Support for new HTTP/2 
  • Authentication via Microsoft 365 Modern Authentication 
  • Compatible with MFA  
  • Supports third-party Identity Providers like Okta, OneLogin, Active Directory Federation Services
  • Additional Integrations:
    • Microsoft Teams online meeting integration via Microsoft Graph “Online Meetings” API 
    • Zoom Meeting online meeting integration via Zoom API (available via Zoom Marketplace) 

FAQ

See also Privacy.

Is there a SOC 2 attestation that covers Riva Sales Engagement? 

Yes. As part of Riva’s compliance and trust program, all customer offerings are included in our SOC 2 program. Further information on our Third-Party Security Certifications can be accessed here.

The latest SOC 2 Type 2 report included three Trust Services Categories: Security, Availability, and Confidentiality.  This third-party assessment and attestation is completed by an independent AICPA firm, Schellman and Company.  

Customers may request the latest copy of our SOC 2 report by submitting a request to: privacy@rivaengine.com
 

Is there a third-party penetration test that covers Riva Sales Engagement? 

Yes.  As part of Riva’s compliance and trust program, all customer offerings are included in our security and vulnerability program. 

Riva’s secure software development policy ensures that all development teams leverage static code analysis (Sonar) and automated vulnerability scanning tools (Qualys). All Riva applications are rigorously tested.

Disclosure of any vulnerability can be submitted following our Vulnerability Disclosure Policy. 

The latest third-party penetration test is completed by an independent AICPA firm, Schellman and Company.  Customers may request the latest copy of the report by submitting a request to: privacy@rivaengine.com.

 

Does Riva support Single Sign-On (SSO) for Riva Sales Engagement? 

Yes. Riva supports multiple types of authentication, including “Login with Salesforce” and “Login with Microsoft 365”.

These modern authentication methods (OAuth 2.0) leverage an organization's existing identity infrastructure.  

Typically, no additional identity management customer configuration is required.  All access is governed by appropriate “scope consent”. 

 

Is Riva Sales Engagement data encrypted at rest and in transit?

Yes. Data is encrypted at rest and in transit.

For data in transit, Riva uses the latest versions of TLS as well as HSTS. These capabilities are provided using the latest Amazon Web Services Web Application Firewall (WAF) and Application Load Balancing (ALB) technologies.

For data at rest, Riva leverages the Amazon Key Management Service (KMS).  

Encryption keys are automatically rotated. 

 

Is the Riva Sales Engagement application single or multi-tenant? And where is the primary located?

Every customer has a dedicated single-tenant “container” that is isolated from other customers.

Each customer’s configuration and application data is isolated and maintained in a per-customer “document collection”.

The primary Riva Engagement “Container Cluster” is located in the AWS Region of “us-east-1”.  

The application cluster and configuration are set up to ensure high availability and, for high-usage scenarios, can also be set to allow auto-scaling.
 

Does the solution leverage only modern integration patterns?

Yes.  Riva Sales Engagement has been built and deployed using the latest in continuous integration, continuous delivery, and continuous testing patterns as well as the latest in “DevOps” methodologies leveraging containers, modern applications, and modern authentication principles. 
 

Are there any restrictions for which internet browsers and versions are supported with the Riva Sales Engagement application? 

Riva Sales Engagement frontend is built using the latest in web application technologies and leverages the Vue.js application framework providing a highly responsive desktop-like user experience. 

What deployment scalability and stability patterns and methods does Riva use regarding resiliency and redundancy? 

Riva Sales Engagement is deployed into the Riva Cloud managed cloud service which is backed by an Amazon Web Services infrastructure using the latest in Container-based application delivery methodologies ensuring a highly resilient and scalable solution. 

How are storage and processing volumes determined? 

Riva Sales Engagement accesses the Microsoft 365 Exchange Online mailboxes to determine real-time availability. The calendar availability search is architected to minimize the use of API calls and the impact on the Microsoft Exchange infrastructure. The same infrastructure is used by Riva Sync and Riva Insight.

What information about meetings and calendars does Riva Bookings store?

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Riva Bookings is maintained within the application, to ensure that the meeting can be updated and/or canceled.

Riva Cloud – What AWS region does Riva Cadence run in for production? Is there a Disaster Recovery region or a DR available for Cadence?

The primary workload “Container Cluster” is located in the AWS Region of “us-east-1”.
The application cluster is configured to ensure high availability and fault tolerance by using multiple "Availability Zones" within a region.  This can also be set to allow auto-scaling in high-usage scenarios.

Are the following metrics supported:  

  • 99% SLA for availability.
  • Recovery Time Objective is 4 days up to 2 weeks.  
  • Recovery Point Objective is 1 to 3 days or best effort

Yes, a 99% SLA for availability is supported. Please see our Cloud Master Service Agreement (MSA) for further details: https://rivaengine.com/legal/cloud-eula/

  • Recovery point objective (RPO) – 1 day (24 hours)
  • Recovery time objective (RTO) – Highly available (5 minutes)

Does the Riva Cadence portal back up and restore our BMO database in case of disaster? Daily – realtime?

  • Daily backup
  • Real-time multi-node replication 

How long will Cadence store the analytics and other data in the portal on AWS (7 years?) Does Cadence purge the data?

Every customer’s data is shared/isolated from other customer data. When a customer requests a subscription cancellation, customer data is deleted as per our MSA.

What happens to user cadence data when an employee leaves?  Can the data be reassigned to another active user or employee? Or does the data get purged?

When a user is deactivated or terminated, the activity history remains in the customer-specific data store. 

  • The data cannot currently be reassigned. Existing Cadences can be managed by multiple users. 
  • No data is automatically purged when a user leaves. 

Where will data be stored?

  • Pilot: Stored in Riva's SaaS Infrastructure - AWS Cloud USE1
  • GA (March): Stored in Riva's SaaS infrastructure - AWS Cloud (optional Montreal, Canada; optional future Calgary, Alberta)

Is customer data stored in Riva Cadences?

In addition to the application-generated data, Riva uses the following data entity types:

  • Employee contact data (first name, last name, email address, job title, manager, etc.)
  • Prospect and contact data (first name, last name, email address, job title, company name, etc.)
  • Household and Accounts (Firmographic information)

Riva processes no financial data.

Customer-facing communication (e.g., emails and appointments) is sent directly from Microsoft 365.

Can Riva Cadences know if the customer opens the email or specific attached document?

  • Email Analytics include visibility of: Replies, Opens, link clicks
  • Email Analytics does not yet show when an attachment is downloaded or viewed. 

How does Authentication work?

  • Authentication is via Single Sign-On using Microsoft 365 Entra ID authentication (OAuth 2.0)
  • Refer to: Riva Bookings and Riva Cadences Auth Security Details (2023-09) 

Can we enable MFA for Cadences admin users via our business email?
Yes, if it uses Microsoft 365 / Business Email 

Will you leverage IP Whitelisting to limit Riva Cadence UI access to proxy IP addresses? 
IP Whitelisting is supported upon request.

How does Riva Cadence access the scope to Exchange? Can it be limited to a subset of users?
Yes, our knowledge base has articles on how to limit scope to specific users.

What access is required for the service account? Is there a way to scope our access to just users that will participate?

  • A service account is not required. We use a Microsoft Entra ID Application, which uses application permissions that can be scoped to specific users.

What is the password policy for the Riva Cadence Portal? 

  • This isn't applicable since we use Microsoft 365 Entra ID and do not store passwords

Is there a password history to prevent the use of the same passwords? 

  • This isn't applicable since we use Microsoft 365 Entra ID and do not store passwords

Is there a lock-out policy? How many attempts? 

  • This isn't applicable since we use Microsoft 365 Entra ID and do not store passwords

Can the password be reset via an email link?

  • This isn't applicable since we use Microsoft 365 Entra ID and do not store passwords

Is there a password expiry? (e.g., 90 days)

  • This isn't applicable since we use Microsoft 365 Entra ID and do not store passwords

What is the session timeout for the Riva Cadence Portal?

  • Cookie-based user session / 60 minutes. 

Revision: 5