RiskRight

Security & Privacy

Built to answer supplier-data security questions before upload.

RiskRight handles commercially sensitive supply-chain context: suppliers, sites, inputs, routes, risks, actions and planning notes. This page summarises the current controls for teams reviewing RiskRight.

Last updated: 30 June 2026

Customer data is controlled

Workspace data is scoped to the customer organisation and protected by authenticated access controls.

Not used to train RiskRight AI

Supplier lists, uploaded exposures and workspace content are not used by RiskRight to train foundation models.

Security review ready

RiskRight can provide a security overview, subprocessor list and questionnaire responses for vendor review.

Current controls

What buyers usually ask first.

Hosting and storage

RiskRight is a cloud-hosted web application. Workspace data is stored in managed database and authentication infrastructure. Exact hosting, storage and region details can be confirmed during procurement review.

Encryption

Traffic is served over HTTPS with HSTS. Application data is stored in managed cloud infrastructure that supports encryption at rest and in transit. Secrets are held in deployment environment variables and are not exposed to browser clients.

Access control

Users sign in through managed authentication. Organisation-scoped database policies are designed to restrict workspace data to authorised users, with privileged service access reserved for server-side operations.

Supplier and exposure uploads

Supplier, input, site, route and exposure information is used to generate and monitor company-specific risk context. Upload endpoints cap request size and require authenticated workspace access in configured production environments.

Operational access

Internal access to customer data is limited to support, operations and security needs. Additional enterprise assurance requirements can be discussed during vendor review.

Incident contact

Security issues can be reported to security@riskright.ai. RiskRight maintains a public security.txt file and will triage, contain and communicate material incidents affecting customer data.

Vendor review

Detailed service-provider information is shared in review.

RiskRight uses reputable infrastructure, authentication, billing, email, AI and risk-signal services to operate the platform. The detailed provider list, data-flow notes and any customer-specific restrictions can be shared during vendor review or under NDA.

Public materials stay focused on data-handling commitments, while procurement and security teams can still get the operational detail they need before sensitive supplier data is uploaded.