Legal · EU/UK
GDPR statement.
Effective 2026-05-08 · Last updated 2026-05-08
This statement explains how IlluminateRisk meets its obligations under the EU General Data Protection Regulation 2016/679 (the "GDPR") and the UK Data Protection Act 2018, and how data subjects whose information is processed through the Service can exercise their rights. Read with the privacy policy for the full picture; this statement covers EU/UK-specific commitments only.
1. Controller and processor
For the personal data IlluminateRisk holds about you as our customer (your account email, billing email, IP at sign-up, etc.) we are the data controller.
For the personal data inside your workspace — names of parties you've opened a case on, contents of documents you upload, addresses in your datasets — we are the data processor and you (or your organization) are the data controller. We process that data only on your documented instructions, which the product UI captures (rule selections, party links, exports, etc.).
A Data Processing Addendum (DPA) incorporating the EU Standard Contractual Clauses is available for customers who require one. Email privacy@illuminaterisk.ai with your company legal name and we'll send a counter-signature copy within two business days.
2. Legal bases for processing
- Account & billing data — necessary for performance of the contract you accepted (Art. 6(1)(b)).
- Workspace data you upload as the controller — processed on your instructions (Art. 28); your own legal basis applies to your end-data subjects.
- Audit logs & security telemetry — legitimate interest in service security and SOC 2 compliance (Art. 6(1)(f)).
- Marketing email to leads — consent at the point of submitting our public lead form (Art. 6(1)(a)). Withdraw at any time by replying "unsubscribe."
3. International transfers
IlluminateRisk hosts in the United States (Amazon Web Services, us-east-2 region, Ohio). Personal data of EU/UK data subjects transferred to the US relies on the European Commission's Standard Contractual Clauses (Module 2: controller to processor) as the transfer mechanism, supplemented by the contractual and technical measures listed in our DPA.
We do not currently offer EU-region hosting. If your DPA review requires data residency in the EU, we'd like to know — email privacy@illuminaterisk.ai; we use that signal to prioritize a future EU-hosted deployment.
4. Sub-processors
The list below is the complete set of sub-processors with access to customer personal data.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services, Inc. | Hosting (Lightsail), object storage (S3), email delivery (SES) | us-east-2 (United States) |
| Stripe, Inc. | Payment processing, card tokenization, invoicing | United States (with EU sub-processors) |
| Cloudflare, Inc. | Bot prevention (Turnstile) on the public lead form. Activated only when configured. | Global edge network |
New sub-processors are announced by email at least 30 days before they gain access to customer workspace data. You may object during that window; if we can't agree on a substitute, you may terminate without penalty and recover any prepaid unused fees.
5. Data subject rights
As a data subject you have the rights set out in Articles 15–22 of the GDPR:
- Access (Art. 15) — request a copy of your data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion.
- Restriction (Art. 18) — pause processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to legitimate-interest processing.
- Automated decision-making (Art. 22) — IlluminateRisk does not make solely-automated decisions with legal or significant effect about data subjects. Findings emitted by the rule library are advisory inputs to a human investigator, not automated decisions.
How to exercise your rights:
- If you are a customer of IlluminateRisk (you signed
up for an account), use the in-product
/portal/orgs/{slug}/exportfor portability and/portal/orgs/{slug}/deletefor erasure of your workspace. - If you are a data subject inside a customer's workspace (your name appears in a party record, your address in a dataset), contact the customer organization directly — they are the controller of that data. We will help them respond as their processor.
- For any other request, email privacy@illuminaterisk.ai. We respond within 30 days, free of charge for most requests (manifestly excessive requests may incur a fee, per Art. 12(5)).
6. Retention
Workspace data is retained for the life of the subscription and for 30 days after cancellation (read-only) before deletion. Customer export from the in-product page during that window is unrestricted.
Audit-log entries are retained indefinitely as a SOC 2 control. When a user is erased their actor identifier in audit rows is replaced with an irreversible sentinel; the action history persists but the identity does not.
7. Personal data breach notification
Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and at the latest within 72 hours of becoming aware (Art. 33). Customer Admins receive notice by email to the address on file.
8. Supervisory authority complaints
You may lodge a complaint with the supervisory authority of your EU/EEA member state, the UK Information Commissioner's Office (ICO), or the Swiss FDPIC at any time. We'd appreciate the chance to address concerns directly first — email privacy@illuminaterisk.ai.
9. Contact
IlluminateRisk has not appointed a Data Protection Officer because the conditions in Art. 37(1) do not apply to our processing activities. Privacy inquiries are handled by:
Privacy team
IlluminateRisk Inc.
privacy@illuminaterisk.ai
We have not appointed an EU representative under Art. 27 because the threshold conditions in Art. 27(2) currently apply (occasional processing, low-risk categories). We will reassess if our customer base or processing volumes change.
Last reviewed 2026-05-08. Questions: privacy@illuminaterisk.ai.