
Security & Privacy
RiskRight handles commercially sensitive supply-chain context: suppliers, sites, inputs, routes, risks, actions and planning notes. This page summarises the current controls for teams reviewing RiskRight.
Last updated: 30 June 2026
Workspace data is scoped to the customer organisation and protected by authenticated access controls.
Supplier lists, uploaded exposures and workspace content are not used by RiskRight to train foundation models.
RiskRight can provide a security overview, subprocessor list and questionnaire responses for vendor review.
Current controls
RiskRight is a cloud-hosted web application. Workspace data is stored in managed database and authentication infrastructure. Exact hosting, storage and region details can be confirmed during procurement review.
Traffic is served over HTTPS with HSTS. Application data is stored in managed cloud infrastructure that supports encryption at rest and in transit; which stores have it enabled is among the details that can be confirmed during procurement review. Secrets are held in server-side deployment environment variables and are not exposed to browser clients.
Users sign in through managed authentication. Organisation-scoped database policies are designed to restrict workspace data to authorised users, with privileged service access reserved for server-side operations.
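The organisation-scoped policy pattern described above, shown as an added illustration rather than RiskRight's own schema or code: the page does not name its database, so this assumes PostgreSQL row-level security, and the table, role, function and setting names (suppliers, app_user, current_org_id, app.org_id) are assumptions.

```sql
-- Added illustration of organisation-scoped row-level security in PostgreSQL.
-- Not RiskRight's schema; every identifier below is an assumption.

create role app_user nologin;  -- role the backend uses for user-facing queries

create table suppliers (
  id     bigserial primary key,
  org_id uuid not null,          -- owning customer organisation
  name   text not null
);

grant select, insert, update, delete on suppliers to app_user;
grant usage, select on sequence suppliers_id_seq to app_user;

alter table suppliers enable row level security;
alter table suppliers force row level security;  -- owner is not exempt either

-- Caller's organisation, pinned per request by the backend after authentication.
-- current_setting(..., true) returns NULL when unset; nullif guards an empty string.
create or replace function current_org_id() returns uuid
language sql stable
as $$
  select nullif(current_setting('app.org_id', true), '')::uuid
$$;

-- Weak form, for contrast: any row visible to any authenticated connection.
--   create policy suppliers_all on suppliers using (true);

-- Scoped form: reads and writes are limited to the caller's organisation.
create policy suppliers_org_scope on suppliers
  for all
  to app_user
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Privileged server-side work would use a separate role (for example one created
-- with BYPASSRLS) whose credentials never reach browser clients.

-- Constructed check: act as the application role, pin one organisation,
-- insert and read back. is_local = true scopes the setting to this transaction
-- so it cannot leak to the next request on a pooled connection.
set role app_user;
begin;
select set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);
insert into suppliers (org_id, name)
  values ('11111111-1111-1111-1111-111111111111', 'Acme Castings');
-- Writing a row for another organisation fails the WITH CHECK clause:
--   insert into suppliers (org_id, name)
--     values ('22222222-2222-2222-2222-222222222222', 'Other Co');
select count(*) from suppliers;  -- returns only this organisation's rows
commit;
reset role;
```

With app.org_id unset, current_org_id() is NULL, the USING clause is never true, and the query returns no rows: a request that skipped the authentication step fails closed rather than exposing every organisation's data. The check a reviewer would want is exactly that query run without the setting, plus confirmation that the role exposed to end users does not carry BYPASSRLS.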
Supplier, input, site, route and exposure information is used to generate and monitor company-specific risk context. Upload endpoints cap request size and, in configured production environments, require authenticated workspace access.
Internal access to customer data is limited to support, operations and security needs. Additional enterprise assurance requirements can be discussed during vendor review.
Security issues can be reported to security@riskright.ai. RiskRight maintains a public security.txt file and will triage, contain and communicate material incidents affecting customer data.
Vendor review
RiskRight uses reputable infrastructure, authentication, billing, email, AI and risk-signal services to operate the platform. The detailed provider list, data-flow notes and any customer-specific restrictions can be shared during vendor review or under NDA.
Public materials stay focused on data-handling commitments, while procurement and security teams can still get the operational detail they need before sensitive supplier data is uploaded.