Rivyt← Back to home

Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Naveiyra LLC (“Processor”) and the customer (“Controller”) using the Rivyt service, and governs the processing of personal data subject to applicable data protection laws (including GDPR and CCPA).

1. Definitions

Terms such as “Personal Data”, “Processing”, “Data Subject”, “Controller”, and “Processor” have the meanings given in applicable data protection law.

2. Scope and Purpose

The Processor will process Personal Data solely to provide the Rivyt service as described in the Terms of Service and any applicable pilot agreement.

3. Categories of Data

  • Data Subjects: authorized users of the Controller's Rivyt workspace, and any individuals mentioned in documents uploaded to the workspace
  • Data Categories: names, email addresses, employment role, and any personal data contained in uploaded documents or queries

4. Subprocessors

Controller authorizes the following subprocessors, each bound by contractual data protection obligations:

  • Anthropic PBC (LLM inference)
  • Voyage AI (embeddings)
  • Pinecone Systems Inc. (vector storage)
  • Supabase Inc. (database, auth, file storage)
  • Railway Corp. (backend hosting)
  • Vercel Inc. (frontend hosting)
  • Formspree (form submissions)
  • Cloudflare Inc. (DNS, DDoS)

Processor will provide 30 days' notice of any new subprocessors and will allow Controller to object.

5. Security Measures

Processor maintains the technical and organizational measures described in the Security page, including encryption in transit and at rest, per-tenant isolation, role-based access control, audit logging, and incident response procedures.

6. Data Subject Rights

Processor will assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection) within the time frames required by applicable law.

7. Breach Notification

Processor will notify Controller without undue delay (target: within 72 hours) upon becoming aware of a Personal Data breach, with relevant details and mitigation steps.

8. International Transfers

Where Personal Data is transferred outside the jurisdiction of origin, Processor and its subprocessors rely on appropriate transfer mechanisms, including the EU Standard Contractual Clauses where applicable.

9. Audits

Processor will make available to Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA. Processor may satisfy this obligation by providing relevant third-party audit reports (such as SOC 2) once available.

10. Return or Deletion

Upon termination of the service, Processor will, at Controller's choice, return or delete all Personal Data within 30 days, except where retention is required by law.

11. Term

This DPA is effective for the duration of the service agreement and survives termination with respect to any Personal Data still held by Processor.

12. Contact

privacy@getrivyt.com
Naveiyra LLC, Delaware, USA