RivetAI

Trust center

Your script. Locked down.

Built for filmmakers who treat unreleased work as sacred. Your screenplay stays in your workspace: encrypted, permission-gated, and never used to train AI models.

Contact security teamSee data flow
No AI model trainingAES-256 encryptionRole-based access control

Share link

Scoped external access

PasswordRequired
Invite listOptional
PermissionView only
Expires7 days
WatermarkOn
app.rivetai.com/workspace/security

Workspace activity

Live
Elena ParkOpened script · Scene 12
now
Share linkExternal reader · view only
2m
UPMProduction lock enabled
5m
Marcus ReedUpdated Scene 8 dialogue
11m

Script protection

{  "script_id": "sc_8f2a…",  "share_link": "password · view_only · 7d",  "production_lock": true,  "ai_training": false}
AES-256 encryption

Data handling

How your script is handled

From first draft to locked production: the path your screenplay takes through RivetAI.

Step 01

Write & import

Draft in RivetAI or bring your script, with TLS in transit

Step 02

Store

Cloud storage scoped to your workspace, with AES-256 at rest

Step 03

Process

Scoped AI in your workspace: never used for model training

Step 04

Protect

Roles, MFA, and gated share links for external readers

Your screenplay is protected by TLS in transit, encrypted cloud storage, multi-tenant workspace isolation, and role-based access controls at every stage.

Procurement or security review? Request documentation

Technical foundation

Cryptography and authentication in practice

The standards and algorithms behind how RivetAI stores credentials, protects MFA secrets, and secures cloud infrastructure.

Infrastructure

TLS 1.2+ in transit

All client connections to RivetAI use TLS 1.2 or higher.

Infrastructure

AES-256 at rest

Cloud database and file storage use infrastructure-layer AES-256 encryption by default.

Credentials

Argon2 credential hashing

Passwords, share-link passwords, and API key secrets are hashed with Argon2; never stored in plain text.

Credentials

AES-256-CBC

MFA secrets are encrypted at rest with AES-256-CBC and scrypt-derived keys.

Authentication

WebAuthn / FIDO2

Passkey authentication follows the WebAuthn standard for phishing-resistant login.

Authentication

SAML & OIDC

Enterprise workspaces support SAML and OpenID Connect single sign-on.

Authentication

TOTP (RFC 6238)

Time-based one-time passwords for multi-factor authentication via authenticator app.

Infrastructure

API rate limiting

Scoped API keys are rate-limited (600 requests per minute per key by default) to protect workspace infrastructure.

In the product

Controls you can see and configure

How RivetAI's security model shows up inside your workspace, so your team can verify, not just trust.

Script & IP protection

Unreleased screenplays are your most sensitive asset. RivetAI treats script security as the primary trust boundary.

  • Production lock freezes script state during principal photography
  • Share links with password, invite list, scope limits, expiry, and optional watermark

Warehouse Draft v4

External share view

Production lock

14.

Password required

INT. WAREHOUSE - NIGHT

Rain hammers the skylights. MARCUS REED (30s) crouches between shipping crates, listening.

MARCUS

(whispering)

Who's there?

Remaining pages masked

Share link

Password required

Gate before the script opens

Modern authentication

MFA, passkeys, and enterprise SSO, configured in your workspace security settings.

  • MFA via authenticator app (TOTP) and WebAuthn passkeys
  • Enterprise SAML/OIDC SSO

Multi-factor auth

Enabled

Authenticator app (TOTP)

Passkey

Registered

MacBook Pro · Touch ID

Enterprise SSO

Ready

SAML / OIDC · Okta · Entra ID

Login history

Track sign-in activity across devices for account and workspace security visibility.

  • Device and location metadata for each sign-in
  • Workspace admins can review member login activity

MacBook Pro

Current

Chrome · Los Angeles, CA

iPhone 15

Safari · Los Angeles, CA

iPad Pro

Safari · New York, NY

Audit & compliance

Operational transparency for security and procurement teams.

  • Workspace activity log for access and admin changes
  • Privacy-conscious analytics: screenplay content is not written to server logs or analytics events; session replay masks script-sensitive areas

Share link

08:52

External reader opened script

UPM

08:01

Enabled production lock

System

Yesterday

MFA challenge passed

API key

Mon

Scoped key created

Workspace API keys

Scoped API keys for Studio integrations: permission-bound, revocable, and audited.

  • Studio or Enterprise licensed project required
  • Show-once secrets hashed with Argon2; revoke stops access immediately
rivetai integrations
live
Key
rvt_live_4f8a••••••••••••
Scopes
read:projectswrite:scheduleread:breakdown

Roles & permissions

Workspace and project roles with custom permissions and least-privilege defaults.

  • Custom workspace and project roles
  • Granular permission matrix per role
18 perms
ResourceViewActionsControl
Workspace
Members
Billing
Projects
API keys
Assigned projects
Script
Exports
AI runs

Frequently asked questions

No. AI features send only the excerpts needed to Google Gemini to generate outputs you request, within your workspace. Your screenplay is never used to train RivetAI's models, third-party models, or shared data pools. Your creative IP stays yours.

Questions for security or procurement?

We provide documentation for vendor review and respond within one business day.

Contact security team

Related

DevelopersPrivacy policyTerms of serviceEnterprise
Security & Trust Center | RivetAI · RivetAI