How RiskLens handles your data
We analyse risk registers, not the people named in them. This page describes the measures actually in place today — written plainly, with no claims we can't stand behind.
How we handle your data
- Your risk registers and assessments belong to you. They are processed solely to provide the service and are isolated to your organisation's workspace.
- Your data is never used to train AI models — neither ours nor any third party's.
- You can export or request deletion of your data at any time.
AI & personal data
RiskLens uses Anthropic's Claude to analyse mitigation quality. Before any register content is sent for analysis, we automatically remove or replace personal identifiers — named risk and action owners, email addresses, and personal names detected in free text — with neutral tokens (for example, [PERSON_1]).
The AI analyses the risk and mitigation wording without ever seeing who is named. Names are restored locally, inside our own systems, only when results are shown back to you. If our checks ever detect that an identifier was not removed, the analysis is stopped rather than sent — a personal identifier never knowingly leaves our boundary.
This protects not only account holders but also third parties named in uploaded registers, who have not consented to processing.
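As an added illustration of the minimise, check, restore flow described above (example code written for this page, not RiskLens's own implementation): the register entry, field names and the [PERSON_n] / [EMAIL_n] token format are constructed assumptions, and name detection in free text is limited here to owner names already known from the structured fields.

```python
import re

# Constructed sample register entry (not real data): structured owner fields
# plus free text that mentions an owner by name and by e-mail address.
SAMPLE_ENTRY = {
    "risk": "Supplier outage could delay the Q3 migration.",
    "mitigation": "Jane Smith to arrange a backup supplier; escalate to "
                  "jane.smith@example.com if needed.",
    "risk_owner": "Jane Smith",
    "action_owner": "Tom Okafor",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TOKEN_RE = re.compile(r"\[(?:PERSON|EMAIL)_\d+\]")

class IdentifierLeak(Exception):
    """Raised when an identifier survives minimisation; nothing is sent."""

def minimise(entry, text_fields=("risk", "mitigation"),
             owner_fields=("risk_owner", "action_owner")):
    """Return (payload safe to send, token->original mapping kept locally)."""
    mapping = {}

    def token_for(value, kind):
        for tok, orig in mapping.items():   # reuse the token for a repeated value
            if orig == value:
                return tok
        n = sum(1 for t in mapping if t.startswith("[" + kind)) + 1
        mapping[f"[{kind}_{n}]"] = value
        return f"[{kind}_{n}]"

    payload = dict(entry)  # unknown fields pass through; the gate below catches them
    for f in owner_fields:  # structured owner fields are identifiers by definition
        if entry.get(f):
            payload[f] = token_for(entry[f], "PERSON")
    for f in text_fields:  # free text: e-mail addresses first, then known owner names
        text = EMAIL_RE.sub(lambda m: token_for(m.group(0), "EMAIL"), entry.get(f, ""))
        for name in (entry.get(o) for o in owner_fields if entry.get(o)):
            text = text.replace(name, token_for(name, "PERSON"))
        payload[f] = text
    # Fail closed: an independent check over the whole outgoing payload. If any
    # original identifier (or any e-mail address) is still present, stop here.
    for value in payload.values():
        if EMAIL_RE.search(value) or any(orig in value for orig in mapping.values()):
            raise IdentifierLeak("identifier still present; analysis not sent")
    return payload, mapping

def restore(text, mapping):
    """Put names back when results are shown to the user (local step only)."""
    return TOKEN_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)
```

The final gate is deliberately separate from the replacement logic, so a field the redactor never scanned (for example an unexpected "notes" column) still stops the send rather than leaking.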
Sub-processors
We use a small set of trusted providers to operate the service:
- Anthropic — AI analysis (receives only minimised, de-identified register content)
- Stripe — payment processing
- Vercel & Railway — application hosting and database
- Upstash — rate limiting and caching
The authoritative, current list is maintained in our Privacy Policy and Data Processing Agreement.
Security measures in place
- Encryption in transit (TLS) and at rest
- Organisation-workspace data isolation enforced at the data layer
- Personal-identifier minimisation before any AI processing (described above)
- Role-based access controls and authentication
- Single sign-on available via Google (OIDC)
Working towards
We are building towards formal security certification and additional identity options (including SAML single sign-on). These are in progress and are listed here honestly — we do not claim certifications we have not yet achieved. If you have a specific security-review requirement, please get in touch.
Your rights & contact
You — and individuals named in a register — have rights over personal data under UK GDPR. See our Privacy Policy and Terms for how to exercise them or raise a data-subject request.