IlluminateRisk

Legal · EU/UK

GDPR statement.

Effective 2026-05-08 · Last updated 2026-05-08

This statement explains how IlluminateRisk meets its obligations under the EU General Data Protection Regulation 2016/679 (the "GDPR") and the UK Data Protection Act 2018, and how data subjects whose information is processed through the Service can exercise their rights. Read with the privacy policy for the full picture; this statement covers EU/UK-specific commitments only.

1. Controller and processor

For the personal data IlluminateRisk holds about you as our customer (your account email, billing email, IP at sign-up, etc.) we are the data controller.

For the personal data inside your workspace — names of parties you've opened a case on, contents of documents you upload, addresses in your datasets — we are the data processor and you (or your organization) are the data controller. We process that data only on your documented instructions, which the product UI captures (rule selections, party links, exports, etc.).

A Data Processing Addendum (DPA) incorporating the EU Standard Contractual Clauses is available for customers who require one. Email privacy@illuminaterisk.ai with your company legal name and we'll send a counter-signature copy within two business days.

2. Legal bases for processing

3. International transfers

IlluminateRisk hosts in the United States (Amazon Web Services, us-east-2 region, Ohio). Personal data of EU/UK data subjects transferred to the US relies on the European Commission's Standard Contractual Clauses (Module 2: controller to processor) as the transfer mechanism, supplemented by the contractual and technical measures listed in our DPA.

We do not currently offer EU-region hosting. If your DPA review requires data residency in the EU, we'd like to know — email privacy@illuminaterisk.ai; we use that signal to prioritize a future EU-hosted deployment.

4. Sub-processors

The list below is the complete set of sub-processors with access to customer personal data.

Sub-processor Purpose Region
Amazon Web Services, Inc. Hosting (Lightsail), object storage (S3), email delivery (SES) us-east-2 (United States)
Stripe, Inc. Payment processing, card tokenization, invoicing United States (with EU sub-processors)
Cloudflare, Inc. Bot prevention (Turnstile) on the public lead form. Activated only when configured. Global edge network

New sub-processors are announced by email at least 30 days before they gain access to customer workspace data. You may object during that window; if we can't agree on a substitute, you may terminate without penalty and recover any prepaid unused fees.

5. Data subject rights

As a data subject you have the rights set out in Articles 15–22 of the GDPR:

How to exercise your rights:

6. Retention

Workspace data is retained for the life of the subscription and for 30 days after cancellation (read-only) before deletion. Customer export from the in-product page during that window is unrestricted.

Audit-log entries are retained indefinitely as a SOC 2 control. When a user is erased their actor identifier in audit rows is replaced with an irreversible sentinel; the action history persists but the identity does not.

7. Personal data breach notification

Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and at the latest within 72 hours of becoming aware (Art. 33). Customer Admins receive notice by email to the address on file.

8. Supervisory authority complaints

You may lodge a complaint with the supervisory authority of your EU/EEA member state, the UK Information Commissioner's Office (ICO), or the Swiss FDPIC at any time. We'd appreciate the chance to address concerns directly first — email privacy@illuminaterisk.ai.

9. Contact

IlluminateRisk has not appointed a Data Protection Officer because the conditions in Art. 37(1) do not apply to our processing activities. Privacy inquiries are handled by:

Privacy team
IlluminateRisk Inc.
privacy@illuminaterisk.ai

We have not appointed an EU representative under Art. 27 because the threshold conditions in Art. 27(2) currently apply (occasional processing, low-risk categories). We will reassess if our customer base or processing volumes change.

Last reviewed 2026-05-08. Questions: privacy@illuminaterisk.ai.