Trust & Security

PDPA Compliance

Rivorix processes personal data in accordance with the Malaysian Personal Data Protection Act 2010 (PDPA). We implement data minimisation principles, purpose limitation, and provide mechanisms for data subject access and deletion requests. Call recordings and transcripts are subject to configurable retention policies.

Data Residency

Customer data is processed and stored in the Asia-Pacific region. For clients with specific data residency requirements, we support configurable storage locations to meet regulatory obligations under BNM and PDPA guidelines.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Call recordings, transcripts, and personally identifiable information are encrypted with customer-specific keys where required.

AI & LLM Security

Our AI models do not train on customer call data. LLM inference runs on dedicated infrastructure — customer conversations are never used to improve third-party models. The Compliance Firewall ensures AI never discloses material product terms, quotes rates, or executes regulated transactions.

Recording & Transcript Retention

Call recordings and transcripts are retained per client-specific policies, with a default retention period aligned to PDPA data minimisation requirements. Automated purging is configurable. Clients retain full ownership of their call data at all times.

BNM & Regulatory Alignment

Rivorix is designed to align with Bank Negara Malaysia (BNM) conduct guidelines and PIAM/LIAM requirements for outbound financial product marketing. The AI-to-human handoff is architected specifically to ensure all regulated activities (product disclosure, takaful explanations, sales execution) remain in human hands.

SOC 2