Riva Bookings: Security & Privacy


Applies to Riva Bookings.

 


Statement on Data Storage and Employee / Customer Privacy 

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Riva Bookings is maintained within the application, so that the meeting can be updated and/or cancelled.

No Outlook data that may contain personally identifiable or confidential information is retrieved during the availability lookups and available time calculations. Existing calendar meetings and appointment details (fields like: subject, body, attachments, recipients, and attendees) that are created in Outlook are never stored by Riva Bookings.   

Statement on Data Security 

  • Deployed to dedicated Riva Bookings customer environment on Amazon Web Services 
  • Region: N. Virginia (US-East-1) 
  • End-to-End Network Encryption  
  • HTTPS with TLS 1.2 
  • Support for new HTTP/2 
  • Authentication via Microsoft 365 Modern Authentication 
  • Compatible with MFA  
  • Supports third-party Identity Providers like Okta, OneLogin, Active Directory Federation Services 
  • Additional Integrations:
    • Microsoft Teams online meeting integration via Microsoft Graph “Online Meetings” API 
    • Zoom Meeting online meeting integration via Zoom API (available via Zoom Marketplace) 

FAQ
See also Privacy.

Is there a SOC 2 attestation that covers Riva Bookings? 

Yes.  As part of Riva’s compliance and trust program, all customer offerings are included in our SOC 2 program. Further information on our Third-Party Security Certifications can be accessed here.

The latest SOC 2 Type 2 report covered three Trust Services Categories: Security, Availability, and Confidentiality.  This third-party assessment and attestation are completed by an independent AICPA firm, Schellman and Company.

Customers may request the latest copy of our SOC 2 report by submitting a request to: privacy@rivaengine.com
 

Is there a third-party penetration test that covers Riva Bookings? 

Yes.  As part of Riva’s compliance and trust program, all customer offerings are included in our security and vulnerability program. 

Riva’s secure software development policy ensures that all development teams leverage static code analysis (Sonar) and automated vulnerability scanning tools (Qualys), and that all Riva applications are rigorously tested.

Disclosure of any vulnerability can be submitted following our Vulnerability Disclosure Policy. 

The latest third-party penetration test is completed by an independent AICPA firm, Schellman and Company.  Customers may request the latest copy of the report by submitting a request to: privacy@rivaengine.com.
 

Does Riva support Single Sign-On (SSO) for Riva Bookings? 

Yes.  Riva supports multiple types of authentication, including “Login with Salesforce” and “Login with Microsoft 365”.

These modern authentication methods (OAuth 2.0) leverage an organization's existing identity infrastructure.

Typically, no additional identity management customer configuration is required.  All access is governed by appropriate “scope consent”.

Is Riva Bookings data encrypted at rest and in transit?

Yes.  Data is encrypted at rest and in transit.

For data in transit, Riva uses the latest versions of TLS as well as HSTS.  These capabilities are provided using the latest Amazon Web Services Web Application Firewall (WAF) and Application Load Balancer (ALB) technologies.

For data at rest, Riva leverages the Amazon Key Management Service (KMS).  

Encryption keys are automatically rotated. 

Is the Riva Bookings application single or multi-tenant? And where is the primary cluster located?

Every customer has a dedicated, isolated single-tenant “container”.

Each customer’s configuration and application data is isolated and maintained in a per-customer “document collection”.

The primary Riva Bookings “Container Cluster” is located in the AWS Region of “us-east-1”.

The application cluster and configuration are set up to ensure high availability and, in high-usage scenarios, can also be set to allow auto-scaling.
 

Does the solution leverage only modern integration patterns?

Yes.  Riva Bookings has been built and deployed using the latest in continuous integration, continuous delivery, and continuous testing patterns as well as the latest in “devops” methodologies leveraging containers, modern applications, and modern authentication principles. 

Are there any restrictions for which internet browsers and versions are supported with the Riva Bookings application? 

The Riva Bookings frontend is built using the latest in web application technologies and leverages the Vue.js application framework, providing a highly responsive desktop-like user experience.
 

What deployment scalability and stability patterns and methods does Riva use regarding resiliency and redundancy? 

Riva Bookings is deployed into the Riva Cloud managed cloud service, which is backed by an Amazon Web Services infrastructure using the latest in container-based application delivery methodologies, ensuring a highly resilient and scalable solution.

 

How are storage and processing volumes determined? 

Riva Bookings accesses the Microsoft 365 Exchange Online mailboxes to determine real-time availability.  Access to the calendar availability search is architected to minimize the use of API calls and the impact on the Microsoft Exchange infrastructure.  The same infrastructure is used by Riva Sync and Riva Insight.
 

What information about meetings and calendars does Riva Bookings store?

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Riva Bookings is maintained within the application, so that the meeting can be updated and/or cancelled.

 

 
 
 
