Trust Center
Subprocessors
A subprocessor is a third party that IlluminateRisk, Inc. ("IlluminateRisk") engages to support the delivery of its fraud-investigation platform and that may process Customer Personal Data on our behalf. This page lists every active subprocessor, the service they provide, the categories of data they process, and the region in which the processing takes place.
Downloaded from https://illuminaterisk.ai/trust/subprocessors. The authoritative version is the one currently published at that URL.
Infrastructure & hosting
| Subprocessor | Service | Data categories | Region |
|---|---|---|---|
| Amazon Web Services, Inc. SOC 1/2/3 · ISO 27001/27017/27018 · PCI DSS | Application hosting (Lightsail), object storage (S3) for document uploads, key management (KMS) for at-rest encryption. | Customer-uploaded documents, dataset rows, extracted entities, case metadata, application logs. | United States · us-east-2 (Ohio) |
| Amazon Simple Email Service (SES) Under AWS' SOC / ISO scope | Transactional email delivery — account confirmation, password reset, support and billing notifications. | Recipient email address, message subject, message body. No customer document content. | United States · us-east-2 (Ohio) |
| Amazon Simple Notification Service (SNS) Under AWS' SOC / ISO scope | Receives SES bounce and complaint events and forwards them to IlluminateRisk's suppression-list webhook. | Recipient email address, SES message id, bounce or complaint type. | United States · us-east-2 (Ohio) |
Payments & billing
| Subprocessor | Service | Data categories | Region |
|---|---|---|---|
| Stripe, Inc. PCI DSS Level 1 · SOC 1/2 | Subscription billing, payment-method tokenization (Stripe Elements), invoice issuance, dunning, and webhook event delivery for state synchronization. | Billing contact name & email, company name, tokenized card details (Stripe holds the PAN; IlluminateRisk never sees it), invoice amounts, subscription status. | United States · Global edge |
Security & abuse prevention
| Subprocessor | Service | Data categories | Region |
|---|---|---|---|
| Cloudflare, Inc. (Turnstile) SOC 2 Type II · ISO 27001 | Bot-detection challenge on public marketing forms (lead capture). Gates lead submission before any data lands in our database. | IP address, browser fingerprint, challenge response. No customer account data. | Global edge (anycast) |
Internal operations
| Subprocessor | Service | Data categories | Region |
|---|---|---|---|
| Google LLC (Workspace) SOC 1/2/3 · ISO 27001/27017/27018 | IlluminateRisk staff email and document collaboration. Receives DMARC aggregate reports for the illuminaterisk.ai domain. | Internal staff email, attachments authored by IlluminateRisk personnel, DMARC report metadata. Customer Personal Data is not stored in Workspace as part of normal operations. | United States |
On-demand processors (used only when a specific feature is enabled)
| Subprocessor | Service | Data categories | Region |
|---|---|---|---|
| OpenStreetMap Foundation (Nominatim) Non-profit; covered by OSMF Privacy Policy | Forward-geocoding of physical addresses extracted from customer documents — only when an analyst opens the case Map view. Each address is resolved once and cached locally; subsequent lookups never re-hit OSM. | Free-text postal address. No identifier tying the address back to a specific case or user. | Germany (Karlsruhe) |
What's not a subprocessor
For completeness, the following components run entirely on infrastructure that IlluminateRisk operates and do not transmit Customer Personal Data to any third party:
- ClamAV — antivirus scanning of uploaded documents. The scanner runs as a local daemon on our own host; signatures are pulled from the public ClamAV mirror by the host itself, with no document content leaving the box.
- PdfPig, RapidOCR (PP-OCR v5), SkiaSharp, ML.NET — text extraction, optical character recognition, image manipulation, and the rules/ML classifier. These are embedded libraries that execute inside the IlluminateRisk Platform process.
- PostgreSQL 16 — the primary application database. Runs as a Docker container co-located with the Platform host; data is stored on AWS-provisioned block storage (covered by the AWS entry above).
Notification of changes
IlluminateRisk will provide at least thirty (30) days' advance notice before engaging a new subprocessor or expanding an existing subprocessor's role in a way that materially changes the categories of Customer Personal Data processed. Notice is sent to each customer's designated billing contact and posted on this page.
Customers who object to a new subprocessor on reasonable data-protection grounds may, within thirty (30) days of notice, terminate the affected portion of their subscription on the terms described in the Data Processing Addendum.
Contact
Questions about this page or our use of subprocessors: support@illuminaterisk.ai. For a copy of the executed Data Processing Addendum, contact support@illuminaterisk.ai.