FAQ: Riva Sales Engagement - Statement on Security & Privacy

This article applies to the Riva Sales Engagement Portal and related features like Bookings, Cadences, Email Bursts, Opens & Clicks, and Email Templates.

1. Statement on Data Security 

  • Riva Sales Engagement is deployed using a per-customer isolated Amazon Web Services environment. 

  • Default Region: N. Virginia (US-East-1)

  • Customers using the "Dedicated Cloud" offering can select a region based on their data residency requirements.

  • End-to-End Network Encryption  

  • Support for HTTPS with TLS 1.2 and TLS 1.3 

  • Support for HTTP/1 and newer HTTP/2

  • Authentication via Microsoft 365 Modern Authentication 

  • Compatible with MFA  

  • Supports third-party Identity Providers like Okta, OneLogin, Active Directory Federation Services 

  • Additional Integrations:

    • Microsoft Teams online meeting integration via Microsoft Graph “Online Meetings” API

    • Zoom Meeting online meeting integration via Zoom API (available via Zoom Marketplace)

See also Privacy.

 

2. Riva Bookings - Statement on Data Storage and Employee / Customer Privacy 

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Bookings is maintained within the application to ensure that the meeting can be updated and/or canceled.

Outlook data is queried in a way that ensures personally identifiable or confidential information is never retrieved during the availability lookups and available time calculations. Existing calendar meetings and appointment details (fields like subject, body, attachments, recipients, and attendees) in Outlook calendars are never stored by Riva Bookings.

 

4. Compliance

Is there a SOC 2 attestation that covers Riva Sales Engagement? 

Yes.  As part of Riva’s compliance and trust program, all customer offerings are included in our SOC 2 program. Further information on our Third-Party Security program can be accessed here

The latest SOC 2 Type 2 report included three Trust Services Categories: Security, Availability, and Confidentiality.  This third-party assessment and attestation is completed by an independent AICPA firm, Schellman and Company.  

Customers may request the latest copy of our SOC 2 report by submitting a request to: privacy@rivaengine.com

Is there a third-party penetration test that covers Riva Sales Engagement? 

Yes.  As part of Riva’s compliance and trust program, all customer offerings are included in our security and vulnerability program. 

Riva’s secure software development policy ensures that all development teams leverage static code analysis (e.g., Sonar) and automated vulnerability scanning tools (e.g., ZAP, Qualys). All Riva applications are rigorously tested.

Disclosure of any vulnerability can be submitted following our Vulnerability Disclosure Policy. 

The latest third-party penetration test is completed by an independent AICPA firm, Schellman and Company.  Customers may request the latest copy of the report by submitting a request to: privacy@rivaengine.com.
 

Does the solution leverage only modern patterns?

Yes.  Riva Sales Engagement has been built and deployed using the latest in continuous integration, continuous delivery, and continuous testing patterns as well as the latest in “DevOps” methodologies leveraging containers, modern applications, and modern authentication principles. 

What deployment scalability and stability patterns and methods does Riva use regarding resiliency and redundancy? 

Riva Sales Engagement is deployed into the Riva Cloud managed cloud service which is backed by an Amazon Web Services infrastructure using the latest in container-based application delivery methodologies ensuring a highly resilient and scalable solution. 

 

Riva Cloud – What AWS region does Riva Sales Engagement run in for production? Is there a Disaster Recovery region or a DR available?

The primary workload “Container Cluster” is located in the AWS Region of “us-east-1”.

Customers using the "Dedicated Cloud" offering can select a region based on their data residency requirements.

The application cluster is configured to ensure high availability and fault tolerance by using multiple "Availability Zones" within a region.  This can also be set to allow auto-scaling in high-usage scenarios.

Are there any restrictions for which internet browsers and versions are supported with the Riva Sales Engagement application? 

Riva Sales Engagement frontend is built using the latest in web application technologies and leverages the Vue.js application framework providing a highly responsive desktop-like user experience. 

 

5. Authorization and Access Control

How does Authentication work?

  • Authentication is via Single Sign-On using Microsoft 365 Entra ID authentication (OAuth 2.0)
  • Refer to: Riva Bookings and Riva Cadences Auth Security Details (2023-09) 

Does Riva support Single Sign-On (SSO) for Riva Sales Engagement? 

Yes.  Riva supports multiple different types of authentications including “Login with Salesforce” and “Login with Microsoft 365”.  

These modern authentication methods (OAuth 2.0) leverage an organization's existing identity infrastructure.  

Typically, no additional identity management customer configuration is required.  All access is governed by appropriate “scope consent”. 
 

Can we enable MFA for Cadences admin users via our business email?

Yes.  Riva uses Microsoft modern authentication patterns and fully supports customers with MFA. 

 

Will you leverage IP Whitelisting to limit Riva Cadence access to proxy IP addresses? 

IP Whitelisting is supported upon request.

 

How does Riva Cadence access the scope to Exchange? Can it be limited to a subset of users?

Yes.  Our knowledge base has articles on how to limit the application scope to specific users.

 

What access is required for the service account? Is there a way to scope our access to just users that will participate?

A service account is not required. We use a Microsoft Entra ID Application that uses application permissions, which can be scoped to specific users.

 

What is the password policy for the Riva Sales Engagement Portal? 

This is not applicable.  Riva Portal products use a "password-less" architecture, instead leveraging existing Identity Providers like Microsoft Entra ID.

 

Is there a password history to prevent the use of the same passwords? 

This is not applicable.  Riva Portal products use a "password-less" architecture, instead leveraging existing Identity Providers like Microsoft Entra ID.

 

Is there a lock-out policy? How many attempts? 

This is not applicable.  Riva Portal products use a "password-less" architecture, instead leveraging existing Identity Providers like Microsoft Entra ID.

 

Can the password be reset via an email link?

This is not applicable.  Riva Portal products use a "password-less" architecture, instead leveraging existing Identity Providers like Microsoft Entra ID.

 

Is there a Password expiry? (eg 90 days)

This is not applicable.  Riva Portal products use a "password-less" architecture, instead leveraging existing Identity Providers like Microsoft Entra ID.

 

What is the session timeout for the Riva Sales Engagement Portal?

Cookie-based user session / 60 minutes. 

 

6. Data storage and recovery

Is Riva Sales Engagement data encrypted at rest and in transit?

Yes.  Data is encrypted at rest and in transit.

For data in transit, Riva uses the latest versions of TLS as well as HSTS (when available).  These capabilities are provided using the latest Amazon Web Services Web Application Firewall (WAF) and Application Load Balancing (ALB) technologies.

For data at rest, Riva leverages the AWS Key Management Service (KMS).

Encryption keys are automatically rotated. 

 

How are storage and processing volumes determined? 

Riva Sales Engagement accesses the Microsoft 365 Exchange Online mailboxes to determine real-time availability.  Access to the calendar availability search is architected in a way to minimize the use of API calls, and impact on the Microsoft Exchange infrastructure.  The same infrastructure is used by Riva Sync and Riva Insight. 

 

What information about meetings and calendars does Riva Booking store?

Riva Bookings does not store a copy of the user’s calendar.  The Microsoft Exchange calendar web services API is used to perform encrypted "live data queries" to check the user’s availability.   

The calendar availability data is queried and processed using a "minimal data view".  This minimalized view and resulting available slots are calculated based on the configured business rules.

Only metadata for appointments that are booked via Bookings is maintained within the application to ensure that the meeting can be updated and/or canceled.

 

Is the Riva Sales Engagement application single or multi-tenant? 

Every customer has a dedicated “container” that is isolated to each customer.  

Each customer’s configuration and application data are isolated and maintained in per-customer "database" and “document collections”.  

The application clusters and supporting services are configured to ensure high availability and, in high-usage scenarios, can also be set to allow auto-scaling.

 

Is customer data stored in Riva Sales Engagement?

In addition to the application-generated data, Riva uses the following data entity types:

  • Employee contact data (first name, last name, email address, job title, manager, etc.)

  • Prospect and contact data (first name, last name, email address, job title, company name, etc.)

  • Household and Accounts (Firmographic information)

Riva processes no financial data.

Customer-facing communication (e.g., emails and appointments) is sent directly from Microsoft 365.

 

What is the Riva Sales Engagement portal backup and restore disaster recovery schedule?

  • Daily backup
  • All data is replicated in real-time across multiple nodes in different availability zones, ensuring high availability and fault tolerance.

How long will Riva Sales Engagement store the analytics and other data in the portal?

Every customer’s data is shared/isolated from other customer data. When a customer requests a subscription cancellation, customer data is deleted as per our MSA.

 

What happens to user Sales Engagement Cadence data when an employee leaves?  Can the data be reassigned to another active user or employee? Or does the data get purged?

When a user is deactivated or terminated, the activity history remains in the customer-specific data store. 

  • The data cannot currently be reassigned. Existing Cadences can be managed by multiple users. 

  • No data is automatically purged when a user is deactivated. 

What are Riva Sales Engagement’s availability SLAs and recovery objectives?

99% SLA for availability is supported.  Please see a link to our Cloud Master Service Agreement (MSA) for further details: https://rivaengine.com/legal/cloud-eula/  

  • Recovery point objective (RPO) – 1 day (24 hours)

  • Recovery time objective (RTO) – Highly available (5 minutes)

Can Email Engagement Analytics know if the customer opens the email or specific attached document?

  • Email Analytics include visibility of: Replies, Opens, Link clicks, Bounces
  • Email Analytics does not yet show when an attachment is downloaded or viewed. 
