Trust Center / Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between IlluminateRisk, Inc. ("IlluminateRisk", "we") and the customer ("Customer", "you") under which IlluminateRisk provides the IlluminateRisk fraud-investigation platform (the "Service"). It governs IlluminateRisk's processing of Customer Personal Data and reflects the controls described elsewhere in this Trust Center.
Downloaded from https://illuminaterisk.ai/trust/dpa.
1. Roles of the parties
For Customer Personal Data contained in the documents and datasets you upload while investigating cases (for example: names, addresses, government identifiers, employment and payment records), you are the controller and IlluminateRisk is the processor. IlluminateRisk processes that data only to provide the Service and only on your documented instructions, which include this DPA and your use of the product's features.
For account data we collect directly from you to operate the Service (a user's email, password hash, role, organization, billing contact), IlluminateRisk is the controller; that processing is described in our Privacy & data handling page.
2. Definitions
"Personal Data", "processing", "controller", "processor", and "data subject" have the meanings given in applicable data-protection law (including the GDPR and UK GDPR where applicable). "Customer Personal Data" means Personal Data within Customer content that IlluminateRisk processes as a processor on Customer's behalf. "Subprocessor" means a third party engaged by IlluminateRisk to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to processors established in third countries.
3. Scope and purpose of processing
IlluminateRisk processes Customer Personal Data solely to provide and support the Service: ingesting and storing the documents and datasets you upload, extracting and classifying entities, running the structured- and document-rule engines, producing findings and reports, and making that work product available to your authorized users. The subject matter, duration, nature, purpose, categories of data, and categories of data subjects are set out in Annex I.
4. IlluminateRisk's obligations
- Instructions. We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law — in which case we will inform you first unless that law prohibits it.
- Confidentiality. Personnel authorized to process Customer Personal Data are bound by confidentiality obligations and access it only as needed to provide the Service. Every access to Customer Personal Data by IlluminateRisk personnel is audit-logged at the row level.
- Security. We implement and maintain the technical and organizational measures described in Annex III and in our Security overview.
- No secondary use. We do not sell Customer Personal Data, do not use it for our own purposes, do not use it to train AI models, and do not send it to third-party LLM providers. Report-commentary features run on a language model hosted on infrastructure we operate.
- Assistance. Taking into account the nature of the processing, we assist you — by appropriate technical and organizational measures and insofar as possible — in fulfilling your obligations to respond to data-subject requests and to ensure security, breach notification, and data-protection impact assessments.
5. Subprocessors
You provide general authorization for IlluminateRisk to engage the Subprocessors listed on our Subprocessors page, which forms Annex II to this DPA. We impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance.
We will give you advance notice of any intended addition or replacement of a Subprocessor by updating the Subprocessors page (you can subscribe to change notices there). If you reasonably object to a new Subprocessor on data-protection grounds, contact us and we will work with you in good faith; if we cannot resolve the objection, you may terminate the affected portion of the Service.
6. International transfers
All Customer Personal Data is stored in the United States (AWS
us-east-2, Ohio). Where IlluminateRisk processes Customer
Personal Data subject to the GDPR or UK GDPR, the parties agree that the
Standard Contractual Clauses (module one controller-to-processor, with the
UK Addendum where applicable) are incorporated into this DPA by reference and
completed using the information in the Annexes. To execute the SCCs as a
signed package, contact
support@illuminaterisk.ai.
7. Data-subject requests
Individuals whose Personal Data appears in your content (for example, a person named in an investigation) should direct their requests to you, the controller. If such a request reaches IlluminateRisk directly, we will not respond to it ourselves except on your instruction, and we will promptly forward it to you. The Service's export and deletion features let you fulfill access, rectification, and erasure requests yourself; we assist on a reasonable-effort basis where the features do not suffice.
8. Personal-data breach notification
We maintain an incident-response process (see the Security overview). On becoming aware of a personal-data breach affecting Customer Personal Data, we will notify you without undue delay and in any event within seventy-two (72) hours, and provide the information reasonably available to help you meet your own notification obligations: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed.
9. Audits
We make available the information necessary to demonstrate compliance with this DPA — including this Trust Center, our SOC 2 reporting as it becomes available (see Compliance status), and reasonable responses to security questionnaires. Where applicable law gives you an audit right, the parties will arrange the scope, timing, and confidentiality of any audit in advance so as not to disrupt the Service or compromise other customers' data.
10. Return and deletion of data
During the subscription you can export your data at any time through the
in-product export flow. On termination, Customer Personal Data is retained
for thirty (30) days to allow export, then deleted — or deleted immediately
on your written request — by an OrgErasureService pass that
removes case data, documents, datasets, findings, and party records for the
organization. Audit-log entries and billing records are retained for the
periods stated in the Privacy page so the
deletion itself remains accountable. Backups are encrypted and expire on
their normal rotation schedule.
11. Liability and term
This DPA is subject to the limitations and exclusions of liability set out in the underlying agreement between the parties. It takes effect when incorporated into that agreement and remains in force for as long as IlluminateRisk processes Customer Personal Data on your behalf. If any provision of this DPA conflicts with the underlying agreement on the subject of data protection, this DPA controls.
Annex I — Details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the IlluminateRisk fraud-investigation platform. |
| Duration | The term of the subscription, plus the post-termination deletion window in §10. |
| Nature & purpose | Storage, entity extraction, classification, rule evaluation, finding and report generation, and access for the Customer's authorized users. |
| Categories of data subjects | Individuals named in Customer's uploaded documents and datasets — e.g. employees, vendors, payees, claimants, customers of the Customer. |
| Categories of Personal Data | Identifiers (names, addresses, phone, email), government identifiers (e.g. SSN, EIN), and financial/transactional records, as contained in Customer content. Sensitive fields are encrypted at rest (see Annex III). |
| Controller | The Customer. |
| Processor | IlluminateRisk, Inc. |
Annex II — Subprocessors
The authorized Subprocessors, with their processing categories, regions, and our change-notice policy, are maintained on the Subprocessors page, which is incorporated here as Annex II and updated as the list changes.
Annex III — Technical & organizational measures
The security measures IlluminateRisk maintains are described in full on the Security overview page and summarized here:
- Encryption in transit (TLS) and at rest, including field-level encryption of sensitive Customer Personal Data with per-tenant keys.
- Tenant isolation — data, blob storage, and queries are scoped per organization.
- Identity & access controls with role-based authorization and row-level audit logging of access to Customer Personal Data.
- Malware scanning of uploads and content-type verification.
- Network hardening, rate limiting, and HSTS-enforced TLS across all hosts.
- Encrypted, regularly-taken backups with a tested restore procedure.
- Vulnerability management and a published responsible-disclosure process.
How to execute this DPA
To put a signed DPA (including the SCCs where applicable) in place for your organization, contact support@illuminaterisk.ai. Absent a separately signed document, this DPA applies to the extent IlluminateRisk processes Customer Personal Data on your behalf.