// Trust & Security Report

    RiversideFM, Inc. logo

    RiversideFM, Inc.

    AI-powered platform for recording, editing, and publishing remote audio and video content (podcasts, webinars, interviews, live streams). Core products: Recording Studio, AI Editor, Live Streaming, Podcast Hosting, AI Co-Creator. Heavy AI integration across all features including transcription, auto-clips, captions, audio enhancement, and AI translation.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Riverside blog: 'we've officially received our SOC 2 Type 2 audit stamp of approval.' The report 'certifies to the third-party auditors our ability to maintain the operating effectiveness of our security controls,' based on five trust service criteria: 'security, availability, processing integrity, confidentiality, and privacy.' Article last updated December 26, 2023. The AICPA SOC badge also appears on the vendor privacy policy page.

    Verify on riverside.com
    ISO 27001
    HELD

    Vendor business/enterprise page states: 'SOC 2 Type II and ISO 27001 compliant. End-to-end encryption on every call and recording. SSO and additional compliance options available.' Note: the privacy policy (originally cited as source) does not mention ISO 27001, and the previously claimed 'May 2022' certification date is not published on any reachable vendor-domain page.

    Verify on riverside.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Riverside complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (DPF) as set forth by the US Department of Commerce.

    Verify on riverside.com
    > Show 5 unconfirmed / not-held certifications
    GDPR
    NOT CONFIRMED

    No public GDPR certification. However, Riverside complies with GDPR through EU-US Data Privacy Framework (EU-US DPF), UK Extension to EU-US DPF, and Swiss-US DPF certifications. DPA (Data Processing Addendum v4 December 2024) available at riverside.com/data-processing-addendum. Privacy Policy states compliance with 'EU GDPR, UK GDPR, Swiss Federal Data Protection Act.'

    source: riverside.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification on Riverside's domain. HIPAA mentioned only in blog posts about other recording tools' compliance, not as Riverside's own certification.

    source: riverside.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on Riverside's domain.

    FedRamp
    NOT CONFIRMED

    No public evidence on Riverside's domain. FedRamp mentioned only in blog posts about other platforms (Webex), not as Riverside's own certification.

    source: riverside.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on Riverside's domain.

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multi-region: United States, Canada, European Union, United Kingdom, Israel, Mexico, Argentina, Philippines. Riverside operates from Israel (EU Commission and UK Secretary of State recognize Israel as offering adequate data protection).

    CONTRADICTION FLAGGED: Privacy Policy states 'Content Data may be used by Riverside for improving the Services, including for training Riverside's Artificial Intelligence (AI) and Machine Learning (ML) models.' However, search results indicate Riverside does NOT use customer content data to train their own models—only metadata. Third-party AI sub-processors (Heygen, Auphonic, Hedra, Pika) are contractually prohibited from using customer data for training. AI features are opt-in; Voice and Face Data are retained only as needed for feature delivery, then permanently destroyed. Business customers may opt-out of some AI post-production tools. The privacy policy language is potentially misleading if actual practice differs from stated policy.

    // Security controls

    Encryption in Transit

    End-to-end encryption on every call and recording for enterprise/business customers

    riverside.com

    Single Sign-On (SSO)

    SSO available with Okta, Microsoft Azure (Entra ID), Google Workspace for enterprise customers

    riverside.com

    Local Recording

    Separate track recording (up to 4K video + uncompressed audio) stored locally on user device first, unaffected by internet connection

    riverside.com

    Biometric Data Handling

    Voice Data and Face Data (biometric identifiers) used only for the specific requested feature, then immediately and permanently destroyed. Not used for advertising, marketing, profiling, or sold.

    riverside.com

    Data Processing Agreement

    DPA v4 (December 2024) available. Includes sub-processor list. Applicable for business and enterprise customers processing personal data.

    riverside.com

    // Products & data scope

    Recording StudioAudio/Video Recording

    data: User recordings, participant data, session metadata. Local recording available.

    Core product. Free plan available. Supports 4K video + uncompressed audio, multiple participants.

    AI EditorContent Editing

    data: Recording content (optional use). Voice and Face Data for AI features if opted in.

    Text-based editing interface. AI-powered features: Magic Clips, auto-captions, speech correction, layout auto-generation, B-roll generation. AI training policy unclear—see privacy contradiction flag.

    Live StreamingLive Distribution

    data: Stream content, audience data, viewer metrics

    HD streaming to multiple platforms simultaneously (YouTube, LinkedIn, Instagram, Twitch, etc.). Webinar-specific features: Q&A, call-ins, registration tracking, HubSpot sync.

    Podcast HostingPublishing & Distribution

    data: Podcast metadata, subscriber data, analytics

    Built-in hosting: RSS feed generation, distribution to Spotify/Apple/YouTube/etc., analytics, auto-generated transcripts, chapters, show notes.

    AI Co-CreatorAI Content Generation

    data: User prompts, generated assets (clips, thumbnails, headlines)

    Generates promotional assets (social clips, thumbnails, headlines, etc.) optimized per platform. Opt-in feature.

    // What to watch

    • AI TRAINING CONTRADICTION: Privacy Policy states Content Data 'may be used' for training AI/ML models, but support documentation and search results indicate Riverside does NOT use customer content data to train their own models—only metadata. Clarification needed from vendor on what 'improving Services' means in practice. If they use anonymized/aggregated data only, privacy policy language should be more precise.
    • NO HIPAA CERTIFICATION: Despite third-party claims (Nudge Security), no direct evidence of HIPAA certification on Riverside's domain. HIPAA mentioned only in blog comparisons of other tools. If Riverside is HIPAA-compliant, they should document this publicly.
    • NO GDPR CERTIFICATION: Riverside has GDPR compliance through DPF frameworks and DPA, but no explicit 'GDPR certified' badge. Listing should clarify 'GDPR compliant via DPA and Data Privacy Framework' rather than claiming certification.
    • NO TRUST CENTER: Unlike peer enterprise tools, no dedicated trust center or security statement page found. Support article URL (https://support.riverside.com) returns 403 (likely requires authentication). Recommend vendor publish public trust center with all certs, DPA, sub-processor list.
    • THIRD-PARTY CLAIMS MISMATCH: Nudge Security profile lists PCI DSS, FedRamp, CSA STAR as Riverside certifications, but no vendor-domain evidence found. Recommend vendor clarify which of these (if any) they hold.
    • VOICE/FACE DATA DESTRUCTION: Privacy policy says Voice and Face Data 'immediately and permanently destroyed' after feature use. Recommend vendor specify exact retention period in days/hours for clarity.
    • EU-ISRAEL DATA TRANSFERS: Riverside operates from Israel and transfers EU data there, relying on EC adequacy finding. This is valid but should be highlighted in procurement materials for data-sensitive customers.

    // At a glance

    Pricing model

    Freemium (Free, Standard, Pro tiers). Enterprise/Business available with custom pricing. Free tier includes core recording; paid tiers unlock editing, hosting, streaming, advanced AI features.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on RiversideFM, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    riverside.com

    > Browse all vendor trust reports