Security

Report a Security Concern

If you believe you have found a security vulnerability in Riven, or if you have concerns about the security of your data, please report it to us immediately.

Email: security@riven.page

We take all reports seriously and will acknowledge your email within 24 hours.

What to Include

To help us investigate quickly, please include as much of the following as possible:

  • A description of the issue
  • Steps to reproduce the problem
  • Any supporting evidence (screenshots, URLs, error messages)
  • Your contact details so we can follow up

What Happens Next

  1. We acknowledge your report within 24 hours
  2. We investigate and classify the severity of the issue
  3. We take immediate steps to contain and fix the problem
  4. We notify affected users if their data was involved
  5. We notify the relevant authorities (HMRC and/or the ICO) if required

How We Protect Your Data

  • All sensitive data (NINO, HMRC tokens) is encrypted at rest using AES-256-GCM
  • All connections use HTTPS/TLS encryption in transit
  • Row Level Security is enforced on all database tables
  • Authentication is required on all API endpoints
  • HMRC OAuth tokens are never exposed to the browser
  • Application hosted in the UK (Vercel London region) with EU database (Supabase London)

Responsible Disclosure

We ask that you give us reasonable time to investigate and address any reported vulnerability before disclosing it publicly. We are committed to working with security researchers and will not pursue legal action against anyone who reports a vulnerability in good faith.