Data Security Policy

This Data Security Policy (“Policy”) describes measures to protect user data and system integrity on the “Rivrox” service (“Service”). Its goal is to ensure confidentiality, integrity, and availability of information.


1. Security Principles

Data protection complies with Russian law, EU GDPR, and international security standards (ISO/IEC 27001). Core principles:

  • lawfulness and transparency;
  • data minimization;
  • restricted access and privilege control;
  • incident accountability and documentation.

2. Encryption and System Architecture

  • All traffic uses HTTPS (SSL/TLS);
  • User passwords are stored using salted bcrypt hashing;
  • API keys and credentials are encrypted in environment variables;
  • Daily backups are encrypted with AES-256;
  • Sensitive data is never logged or shared without legal basis.

3. Authentication and Access Control

  • Authentication uses one-time codes and/or passwords with optional 2FA;
  • All user actions are logged with IP address and timestamp;
  • Admin access is restricted via VPN and named accounts;
  • Three failed logins trigger temporary IP lockout;
  • Sessions expire after 30 minutes of inactivity.

4. Data Storage and Localization

Personal data of Russian citizens is stored in Russia. EU user data may be processed within or outside the EEA with adequate protection (Art. 45–46 GDPR). Database access is strictly role-based.

5. Incident Response

The Service monitors activity and alerts on anomalies or DDoS. Upon security incident detection, the Administration:

  • immediately restricts system access;
  • investigates and restores integrity;
  • notifies authorities and affected users within 72 hours (Art. 33 GDPR);
  • documents and remediates root causes.

6. Third-Party Processors

Data may be processed only by:

  • authorized hosting and payment providers under Data Processing Agreements (DPA);
  • partners with adequate technical and organizational safeguards.

Disclosure to authorities occurs only on legal grounds (Art. 6 GDPR, Art. 6 FZ-152).

7. User Responsibility

Users must:

  • keep login credentials confidential;
  • use strong passwords (min. 8 chars, mixed case + digits);
  • report suspicious activity to info@rivrox.com.

8. Data Retention

Data is retained only as long as necessary for its purpose. Security logs — 12 months; backups — 90 days; account data — until deleted per Account Deletion Policy.

9. Training and Review

The Service Administration periodically reviews security settings, data handling processes and protection measures, and updates them where necessary to reflect service development and legal requirements. External security specialists may be involved when needed. Information about data protection measures may be provided to competent supervisory authorities upon request.

10. Policy Updates

This Policy may be updated without notice. The latest version is available at /data-security.

11. Contact

For security inquiries: info@rivrox.com


Last updated: 5 November 2025
