IlluminateRisk Trust Center
DPA · v2026.05

Trust Center / Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between IlluminateRisk, Inc. ("IlluminateRisk", "we") and the customer ("Customer", "you") under which IlluminateRisk provides the IlluminateRisk fraud-investigation platform (the "Service"). It governs IlluminateRisk's processing of Customer Personal Data and reflects the controls described elsewhere in this Trust Center.

Version
v2026.05
Effective
27 May 2026
Execution
support@illuminaterisk.ai

1. Roles of the parties

For Customer Personal Data contained in the documents and datasets you upload while investigating cases (for example: names, addresses, government identifiers, employment and payment records), you are the controller and IlluminateRisk is the processor. IlluminateRisk processes that data only to provide the Service and only on your documented instructions, which include this DPA and your use of the product's features.

For account data we collect directly from you to operate the Service (a user's email, password hash, role, organization, billing contact), IlluminateRisk is the controller; that processing is described in our Privacy & data handling page.

2. Definitions

"Personal Data", "processing", "controller", "processor", and "data subject" have the meanings given in applicable data-protection law (including the GDPR and UK GDPR where applicable). "Customer Personal Data" means Personal Data within Customer content that IlluminateRisk processes as a processor on Customer's behalf. "Subprocessor" means a third party engaged by IlluminateRisk to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to processors established in third countries.

3. Scope and purpose of processing

IlluminateRisk processes Customer Personal Data solely to provide and support the Service: ingesting and storing the documents and datasets you upload, extracting and classifying entities, running the structured- and document-rule engines, producing findings and reports, and making that work product available to your authorized users. The subject matter, duration, nature, purpose, categories of data, and categories of data subjects are set out in Annex I.

4. IlluminateRisk's obligations

5. Subprocessors

You provide general authorization for IlluminateRisk to engage the Subprocessors listed on our Subprocessors page, which forms Annex II to this DPA. We impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance.

We will give you advance notice of any intended addition or replacement of a Subprocessor by updating the Subprocessors page (you can subscribe to change notices there). If you reasonably object to a new Subprocessor on data-protection grounds, contact us and we will work with you in good faith; if we cannot resolve the objection, you may terminate the affected portion of the Service.

6. International transfers

All Customer Personal Data is stored in the United States (AWS us-east-2, Ohio). Where IlluminateRisk processes Customer Personal Data subject to the GDPR or UK GDPR, the parties agree that the Standard Contractual Clauses (module one controller-to-processor, with the UK Addendum where applicable) are incorporated into this DPA by reference and completed using the information in the Annexes. To execute the SCCs as a signed package, contact support@illuminaterisk.ai.

7. Data-subject requests

Individuals whose Personal Data appears in your content (for example, a person named in an investigation) should direct their requests to you, the controller. If such a request reaches IlluminateRisk directly, we will not respond to it ourselves except on your instruction, and we will promptly forward it to you. The Service's export and deletion features let you fulfill access, rectification, and erasure requests yourself; we assist on a reasonable-effort basis where the features do not suffice.

8. Personal-data breach notification

We maintain an incident-response process (see the Security overview). On becoming aware of a personal-data breach affecting Customer Personal Data, we will notify you without undue delay and in any event within seventy-two (72) hours, and provide the information reasonably available to help you meet your own notification obligations: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed.

9. Audits

We make available the information necessary to demonstrate compliance with this DPA — including this Trust Center, our SOC 2 reporting as it becomes available (see Compliance status), and reasonable responses to security questionnaires. Where applicable law gives you an audit right, the parties will arrange the scope, timing, and confidentiality of any audit in advance so as not to disrupt the Service or compromise other customers' data.

10. Return and deletion of data

During the subscription you can export your data at any time through the in-product export flow. On termination, Customer Personal Data is retained for thirty (30) days to allow export, then deleted — or deleted immediately on your written request — by an OrgErasureService pass that removes case data, documents, datasets, findings, and party records for the organization. Audit-log entries and billing records are retained for the periods stated in the Privacy page so the deletion itself remains accountable. Backups are encrypted and expire on their normal rotation schedule.

11. Liability and term

This DPA is subject to the limitations and exclusions of liability set out in the underlying agreement between the parties. It takes effect when incorporated into that agreement and remains in force for as long as IlluminateRisk processes Customer Personal Data on your behalf. If any provision of this DPA conflicts with the underlying agreement on the subject of data protection, this DPA controls.

Annex I — Details of processing

ItemDetail
Subject matter Provision of the IlluminateRisk fraud-investigation platform.
Duration The term of the subscription, plus the post-termination deletion window in §10.
Nature & purpose Storage, entity extraction, classification, rule evaluation, finding and report generation, and access for the Customer's authorized users.
Categories of data subjects Individuals named in Customer's uploaded documents and datasets — e.g. employees, vendors, payees, claimants, customers of the Customer.
Categories of Personal Data Identifiers (names, addresses, phone, email), government identifiers (e.g. SSN, EIN), and financial/transactional records, as contained in Customer content. Sensitive fields are encrypted at rest (see Annex III).
Controller The Customer.
Processor IlluminateRisk, Inc.

Annex II — Subprocessors

The authorized Subprocessors, with their processing categories, regions, and our change-notice policy, are maintained on the Subprocessors page, which is incorporated here as Annex II and updated as the list changes.

Annex III — Technical & organizational measures

The security measures IlluminateRisk maintains are described in full on the Security overview page and summarized here:

How to execute this DPA

To put a signed DPA (including the SCCs where applicable) in place for your organization, contact support@illuminaterisk.ai. Absent a separately signed document, this DPA applies to the extent IlluminateRisk processes Customer Personal Data on your behalf.