Security, privacy and compliance — by design
Everything your security, legal and procurement teams need to evaluate RisQo: certifications, sub-processors, data residency, privacy posture and incident response.
Certifications & frameworks
RisQo is built and operated against internationally recognised standards. Reports and certificates are available under NDA.
Information security management system across platform and operations.
Privacy information management extension built on ISO 27001 controls.
Business continuity management for platform and customer-facing services.
Quality management across product delivery and customer operations.
Security, availability and confidentiality — report Q4 2026.
EU/EEA data processing as both controller and processor, with DPA available.
ICT risk, incident reporting and third-party register for EU financial entities.
KYB, UBO, sanctions and adverse-media workflows with audit trail.
Security controls
Defence-in-depth across our platform, people and processes.
TLS 1.3 in transit and AES-256 at rest. Customer secrets sealed with envelope encryption and per-tenant keys.
SSO (SAML & OIDC), SCIM provisioning, role-based access, granular API scopes and short-lived tokens.
24/7 SIEM, immutable audit logs, anomaly detection on auth and data-export events.
Continuous dependency scanning, quarterly external pen-tests and a coordinated disclosure programme.
Multi-region active-active for the API tier. RPO ≤ 15 min, RTO ≤ 1 hour. DR exercises twice a year.
Background checks, mandatory security training, least-privilege production access with break-glass auditing.
Privacy & GDPR
RisQo processes personal data lawfully, transparently and only where necessary for KYB, AML and risk-management purposes.
Legitimate interest for KYB/AML processing; contract for customer accounts; consent for marketing.
Access, rectification, erasure and objection handled within 30 days via privacy@risqo.ai.
EU SCCs + Transfer Impact Assessments for any data leaving the EEA; UK Addendum where applicable.
Customer records retained per contract; AML evidence retained 5 years per AMLD obligations, then deleted.
Sub-processors
Current list of sub-processors engaged to deliver the RisQo service. Customers are notified of material changes 30 days in advance.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Primary cloud infrastructure | EU (Ireland, Frankfurt) |
| Cloudflare | Edge network, WAF and DDoS protection | Global edge |
| Supabase | Managed PostgreSQL, auth and storage | EU (Frankfurt) |
| Stripe | Payment processing and invoicing | EU & US |
| Resend | Transactional email delivery | EU & US |
| Sentry | Error and performance monitoring | EU |
| Datadog | Infrastructure and application observability | EU |
| Linear | Engineering ticketing and incident tracking | US |
Subscribe to sub-processor updates at trust@risqo.ai.
Data residency
Default residency for customer data in Frankfurt with EU-only sub-processors where elected.
Available on request for UK financial-services customers under UK GDPR.
Regional residency available via Dubai region for in-scope customers.
Incident response
Live status: status.risqo.ai · Security contact: security@risqo.ai
Responsible disclosure
If you believe you've found a vulnerability, please email security@risqo.ai with a description and reproduction steps. We acknowledge within 2 business days and will not pursue legal action for good-faith research that respects user privacy and service availability.
Our /.well-known/security.txt contact channel is monitored 24/7.