Security

Your data is protected at every layer

We take data protection, scraping ethics, and AI transparency seriously. This page explains exactly how we handle your data and your competitors' data.

  • Encryption: AES-256 + TLS 1.3
  • Session lifetime: 30 days
  • Magic link expiry: 15 minutes
  • Audit log retention: 12 months

Data Protection

Encryption at rest

All customer data is stored in managed PostgreSQL (Neon) with AES-256 encryption at the storage layer. Backups are encrypted with the same standard.

Encryption in transit

All traffic between your browser and RivalBeam is encrypted via TLS 1.3. Internal service communication uses TLS on all channels.

Organization isolation

Every query in the database is scoped to an orgId. There are no shared tables without tenant-scoped filtering. Cross-tenant data access is architecturally impossible at the query level.
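One way to make "every query is scoped to an orgId" a property of the data-access layer rather than of each call site, shown as an added example (not RivalBeam's code) against an in-memory SQLite table with constructed rows; the table, column and class names are assumptions:

```python
import sqlite3
from typing import List, Optional

def seed_db() -> sqlite3.Connection:
    """In-memory table with constructed competitor rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE competitors ("
        "id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO competitors (org_id, name) VALUES (?, ?)",
        [("org_a", "Acme"), ("org_a", "Globex"), ("org_b", "Initech")],
    )
    return conn

class TenantScopedRepo:
    """All reads go through here, and every statement binds the caller's org_id.
    Constructing the repo without a tenant is an error, not a 'see everything' mode."""

    def __init__(self, conn: sqlite3.Connection, org_id: str):
        if not org_id:
            raise ValueError("org_id is required for every query")
        self.conn = conn
        self.org_id = org_id

    def list_competitors(self) -> List[str]:
        rows = self.conn.execute(
            "SELECT name FROM competitors WHERE org_id = ? ORDER BY id",
            (self.org_id,),
        ).fetchall()
        return [name for (name,) in rows]

    def get_competitor(self, competitor_id: int) -> Optional[str]:
        # The primary key alone is never trusted: the tenant filter is ANDed in,
        # so an id belonging to another org yields None rather than a leaked row.
        row = self.conn.execute(
            "SELECT name FROM competitors WHERE id = ? AND org_id = ?",
            (competitor_id, self.org_id),
        ).fetchone()
        return row[0] if row else None
```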

HTTP-only session cookies

Authentication tokens are stored in HTTP-only, Secure, SameSite=Lax cookies. They are never exposed to client-side JavaScript.

Access Control (RBAC)

Role-based access

RivalBeam supports four roles per organization: Owner, Admin, Analyst, and Viewer. Each role has strictly defined permissions enforced at the API layer.

Principle of least privilege

Viewers cannot modify any data. Analysts can create and update competitive records but cannot manage billing or team members. Only Owners and Admins can manage webhooks, API keys, and settings.

Audit log

All significant actions (competitor additions, battlecard updates, Deep Research requests, settings changes) are written to an immutable audit log with user ID, timestamp, and IP address.

Session management

Sessions expire after 30 days. Users can view and revoke all active sessions from account settings. Magic link tokens expire after 15 minutes and are single-use.
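The lifecycle described above (15-minute, single-use magic links; 30-day sessions that the user can revoke; HttpOnly/Secure/SameSite=Lax session cookies), as an added example that is not RivalBeam's code. It keeps state in memory and takes the current time as a parameter; the store and function names are assumptions:

```python
import hashlib
import secrets
from datetime import datetime, timedelta
from typing import Optional

MAGIC_LINK_TTL = timedelta(minutes=15)   # from the page: magic links expire after 15 minutes
SESSION_TTL = timedelta(days=30)         # from the page: sessions expire after 30 days

def _digest(token: str) -> str:
    # Only a hash is stored; the raw token exists in the emailed link alone.
    return hashlib.sha256(token.encode()).hexdigest()

class AuthStore:
    def __init__(self) -> None:
        self._links = {}     # token digest -> record
        self._sessions = {}  # session id -> record

    def issue_link(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._links[_digest(token)] = {"email": email, "expires_at": now + MAGIC_LINK_TTL, "used": False}
        return token

    def redeem_link(self, token: str, now: datetime) -> Optional[str]:
        """Exchange a magic-link token for a session id, or None if invalid."""
        rec = self._links.get(_digest(token))
        if rec is None or rec["used"] or now >= rec["expires_at"]:
            return None
        rec["used"] = True  # single-use: replaying the same link fails from here on
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"email": rec["email"], "expires_at": now + SESSION_TTL, "revoked": False}
        return sid

    def session_email(self, sid: str, now: datetime) -> Optional[str]:
        # Resolve a session cookie value to its user; None if expired or revoked.
        s = self._sessions.get(sid)
        if s is None or s["revoked"] or now >= s["expires_at"]:
            return None
        return s["email"]

    def revoke_all(self, email: str) -> int:
        # The "revoke all active sessions" action; returns how many were revoked.
        live = [s for s in self._sessions.values() if s["email"] == email and not s["revoked"]]
        for s in live:
            s["revoked"] = True
        return len(live)

def session_cookie(sid: str) -> str:
    """Set-Cookie header value with the attributes named on the page."""
    return (f"session={sid}; Max-Age={int(SESSION_TTL.total_seconds())}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")
```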

Scraping Compliance

Public data only

RivalBeam only monitors publicly accessible information. We never attempt to access content behind authentication, bypass rate limits, or circumvent CAPTCHAs.

robots.txt compliance

Our crawler respects robots.txt directives on every monitored domain. Paths marked Disallow are never fetched. We re-read robots.txt periodically to respect changes.

Crawl rate limiting

We crawl competitor pages on a user-configured schedule (hourly, daily, or weekly) — never continuously. Total request volume per domain is kept well within normal human browsing rates.

User-Agent transparency

Our crawler identifies itself with a descriptive User-Agent string that includes a link to our crawler policy page. We do not mask our identity.
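A robots.txt check of the kind the two sections above describe (Disallow paths never fetched, a self-identifying User-Agent), written as an added example with Python's standard urllib.robotparser; it is not RivalBeam's crawler code, and the User-Agent string and the robots.txt content are constructed for the example. It goes one step beyond plain robots.txt semantics: the standard applies only the most specific group to a named bot, so this check also honors the '*' group and the larger of the two Crawl-delay values.

```python
from urllib.robotparser import RobotFileParser

CRAWLER_UA = "RivalBeamBot/1.0 (+https://rivalbeam.example/crawler-policy)"  # assumed UA

# Constructed robots.txt for a hypothetical competitor site: a catch-all group
# plus a group addressed specifically to our crawler's product token.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /internal
Crawl-delay: 10

User-agent: RivalBeamBot
Disallow: /careers/
"""

def load_rules(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text (as re-fetched periodically from the domain) into a rule set."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp

def may_fetch(rp: RobotFileParser, url: str, ua: str = CRAWLER_UA) -> bool:
    """Conservative check: the path must be allowed both by the group addressed
    to our crawler and by the '*' group. By the robots.txt standard only the most
    specific group binds a named bot, so a Disallow under '*' would otherwise be ignored."""
    return rp.can_fetch(ua, url) and rp.can_fetch("*", url)

def polite_delay(rp: RobotFileParser, ua: str = CRAWLER_UA, default: float = 5.0) -> float:
    """Seconds to wait between requests to this domain: the largest declared
    Crawl-delay that could apply to us, or a default when none is declared."""
    delays = [d for d in (rp.crawl_delay(ua), rp.crawl_delay("*")) if d is not None]
    return float(max(delays)) if delays else default
```

The scheduler would call `may_fetch` before every request and sleep `polite_delay` seconds between requests to the same domain.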

AI Transparency

What our AI models see

AI models receive the competitor's public web content, job listings, review summaries, and change diffs that we have collected. They never see your internal documents, CRM data, or private competitive strategy.

Data sent to OpenAI

Competitive intelligence context is sent to OpenAI's API for brief and battlecard generation. This is subject to OpenAI's data processing agreement. We do not use OpenAI's zero-retention API tier by default; contact us if your compliance requirements demand it.

Data retention

Raw page snapshots are retained for 90 days. AI-generated content (briefs, battlecards) is retained for the life of your account. Change logs are retained for 12 months on Starter and above.

No training on your data

Your competitive intelligence data is never used to train RivalBeam's models or shared with any third party for model training purposes.

Infrastructure

Hosting

RivalBeam runs on Fly.io with application servers in the US-East region. The database is managed by Neon (PostgreSQL). Both providers maintain SOC 2 Type II certifications.

Background job isolation

Monitoring jobs run in isolated BullMQ workers backed by Redis. Job queues are org-scoped. A failure in one org's monitoring job does not affect others.

Dependency security

We run automated dependency vulnerability scanning on every deployment. Critical CVEs are patched within 24 hours of disclosure.

No third-party tracking scripts

The RivalBeam dashboard does not load third-party tracking or analytics scripts. We use server-side analytics only.

SOC 2 Readiness

Current status

RivalBeam is not currently SOC 2 certified. We follow SOC 2 Type II controls for Security (CC6-CC9) as a matter of practice and are on a certification roadmap for 2026.

Controls in place

We maintain access control policies, change management procedures, incident response runbooks, and vulnerability management processes consistent with SOC 2 Trust Service Criteria.

Enterprise compliance

If your organization requires a signed Data Processing Agreement (DPA), security questionnaire review, or vendor assessment, contact security@rivalbeam.com.

Responsible Disclosure

If you discover a security vulnerability in RivalBeam, we ask that you report it responsibly before public disclosure. We commit to:

  • Acknowledging your report within 24 hours
  • Providing a remediation timeline within 72 hours
  • Crediting researchers who report valid issues (if desired)
  • Not pursuing legal action against good-faith researchers

Send vulnerability reports to security@rivalbeam.com. Encrypt sensitive details with our PGP key (available on request).

Security questions?

For enterprise security assessments, DPA requests, or any other security inquiries, reach us directly.
