Privacy Policy
Last updated: 27 March 2026
Riskly ("we", "us", "our") operates the RiskReg platform (the "Application") and the marketing website at riskreg.nl (the "Website"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable data protection law, including the EU General Data Protection Regulation (GDPR).
1. Data Controller
Riskly
[Address placeholder]
Email: privacy@riskreg.nl
2. What Personal Data We Collect
2.1 Account Data (Application)
When you are invited to the Application or create an account, we collect:
- Name and email address — provided during invitation acceptance or SSO login
- Job title — optionally provided on your profile or extracted from your SSO provider
- Password hash — for local authentication (we never store plaintext passwords)
- MFA secret — encrypted at rest if you enrol in two-factor authentication
- SSO identifiers — OIDC provider name and subject ID if you sign in via Google or Microsoft
2.2 Usage Data (Application)
When you use the Application, we collect:
- Session data — session tokens (hashed), expiry times, and tenant association
- Audit trail — a log of actions you perform (creating, editing, or deleting risks, controls, and reviews), including your user ID, action type, and timestamp
- Uploaded files — any evidence documents or attachments you upload to reviews or controls
2.3 Website Visitor Data
When you visit the Website, we collect only what our infrastructure providers require to serve the pages:
- IP address — processed by Cloudflare to route and protect traffic; not stored by us
- Browser and device metadata — User-Agent string and TLS fingerprint, processed by Cloudflare
We do not use analytics trackers, advertising cookies, or third-party tracking scripts on the Website.
3. Why We Process Your Data (Legal Basis)
| Purpose | Data | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Application | Account data, usage data | Performance of contract (Art. 6(1)(b)) |
| Authenticate users securely | Password hash, MFA secret, session tokens | Performance of contract (Art. 6(1)(b)) |
| Maintain an audit trail for compliance | Audit log entries | Legitimate interest (Art. 6(1)(f)) — regulatory compliance |
| Send transactional email (invitations, password resets) | Email address | Performance of contract (Art. 6(1)(b)) |
| Protect infrastructure from abuse | IP address, TLS fingerprint | Legitimate interest (Art. 6(1)(f)) — security |
4. Third-Party Processors (Sub-processors)
We use the following third-party service providers to operate RiskReg. All processors are contractually bound to process data only on our instructions and maintain appropriate security measures.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting (Cloudflare Pages), CDN, DDoS protection, and WAF for the backend API | Global edge network (EU-preferred routing) | IP addresses of visitors and API clients — used for routing, caching, and threat detection. HTTP request metadata — URL, method, headers, response status, timing. TLS fingerprint — for bot detection. Browser User-Agent — for analytics and security rules. Cloudflare may temporarily store request/response data in memory at edge nodes. Cloudflare acts as a reverse proxy; encrypted traffic is terminated at their edge and re-encrypted to our origin. See Cloudflare Privacy Policy. |
| Amazon Web Services (S3) | File storage for uploaded evidence documents and attachments | EU (Frankfurt, eu-central-1) | Uploaded files — stored encrypted at rest (AES-256). Object metadata — file name, size, upload timestamp, content type. Access logs — IP address of the uploader, request time, bucket name. No personal data beyond what is contained in the uploaded files themselves. See AWS Privacy Notice. |
| Leaseweb Netherlands B.V. | Hosting of backend application servers and PostgreSQL database | Amsterdam, Netherlands | All application data — the database containing user accounts, risks, controls, reviews, audit logs, and tenant configuration is hosted on Leaseweb infrastructure. Server logs — IP addresses, timestamps, request paths. Leaseweb provides the physical and network infrastructure; they do not access application-level data. See Leaseweb Privacy Statement. |
| Mailgun (Sinch Email) | Transactional email delivery (invitations, password resets, notifications) | EU | Recipient email address — required to deliver the email. Email content — the body of transactional messages (invitation links, reset links). Delivery metadata — open/bounce/delivery status, timestamps, IP of receiving mail server. Mailgun retains message data for a limited period for delivery assurance. See Mailgun Privacy Policy. |
5. Data Transfers Outside the EU
Cloudflare operates a global edge network. While we configure EU-preferred routing, some requests may be processed at non-EU edge nodes. Cloudflare participates in the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses (SCCs) for international transfers.
Amazon S3 data is stored exclusively in the EU (Frankfurt, eu-central-1). No cross-border transfer occurs for stored files.
Leaseweb and Mailgun (EU) process data entirely within the European Union.
6. Data Retention
- Account data — retained for the duration of your tenant membership. When a user is disabled, their display name is anonymised to "Anonymised User" after 6 months. The underlying user record is retained for audit integrity.
- Audit trail — retained for the lifetime of the tenant for compliance and regulatory purposes.
- Session tokens — automatically deleted 30 days after creation.
- Invitation and password reset tokens — automatically deleted after expiry (typically 24-72 hours).
- MFA challenge tokens — automatically deleted after 5 minutes.
- Uploaded files — retained for the lifetime of the associated review or control. Deleted when the tenant requests data deletion.
7. Cookies
The Application uses a single session cookie named session.
This cookie is:
- HttpOnly — not accessible to JavaScript
- Secure — transmitted only over HTTPS (in production)
- SameSite=Strict — not sent with cross-origin requests
- Expires after 30 days
This is a strictly necessary cookie required for authentication. No consent banner is needed under the ePrivacy Directive because it is essential for the service.
The Website does not set any cookies. Cloudflare may set a __cf_bm cookie for bot management, which is classified as strictly necessary.
8. Your Rights
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data (you can update your name, email, and title in the Application directly)
- Erasure — request deletion of your personal data, subject to our legal retention obligations
- Restriction — restrict processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
To exercise any of these rights, contact us at privacy@riskreg.nl. We will respond within 30 days.
9. Security
We protect your data through:
- Passwords hashed with bcrypt (cost factor 12)
- MFA secrets encrypted at rest with AES-256-GCM
- Session tokens hashed with HMAC-SHA256 before storage
- All traffic encrypted in transit via TLS 1.2+
- Database hosted within a private network, not publicly accessible
- Cloudflare WAF and DDoS protection on all public endpoints
- Full audit trail of all data modifications
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Application or by email. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For privacy-related questions or requests:
Riskly
Email: privacy@riskreg.nl