This Data Processing Agreement ("DPA") forms part of the agreement between RiskDetect ("Processor") and the organization using the RiskDetect service ("Controller") for the processing of personal data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person contained within Customer Data.
- "Customer Data" means call transcripts, support emails, chat messages, and other text content submitted to RiskDetect for analysis.
- "Processing" means any operation performed on Personal Data, including analysis, storage, and deletion.
- "Sub-processor" means any third party engaged by RiskDetect to process Customer Data.
2. Scope of Processing
What RiskDetect Processes
| Data Type | Purpose | Retention |
|---|---|---|
| Call transcript text | Risk scoring, signal detection, sentiment analysis | Until account deletion or data deletion request |
| Email/message content | Risk scoring, signal detection | Until account deletion or data deletion request |
| Contact email/phone | Customer identification, journey tracking | Until account deletion or data deletion request |
| Organization name, admin email | Account management, authentication | Until account deletion |
RiskDetect processes Customer Data solely to provide the risk analysis service as described in our documentation. We do not:
- Use Customer Data to train AI models
- Share Customer Data with other customers
- Use Customer Data for advertising or marketing
- Sell Customer Data to third parties
- Access Customer Data except as needed to provide the service
3. Sub-processors
RiskDetect uses the following sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| OpenAI (GPT-4o-mini) | AI risk analysis | Text content (transcripts, emails) | United States |
| Neon (PostgreSQL) | Database storage | All Customer Data | United States (AWS) |
| Vercel | Application hosting | API requests (in transit) | United States (AWS) |
OpenAI Data Usage
RiskDetect calls the OpenAI API, not ChatGPT. Under OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI models, and OpenAI retains them for up to 30 days for abuse monitoring before deleting them. See OpenAI's API Data Usage Policies.
4. Security Measures
RiskDetect implements the following technical and organizational measures:
- Encryption in transit: All data transmitted via TLS 1.2+
- Encryption at rest: Database encryption provided by Neon (AES-256 via AWS)
- Authentication: API key authentication; keys are stored as SHA-256 hashes rather than in plaintext
- Access control: Organization-scoped data isolation (each org sees only their data)
- Rate limiting: API rate limits to prevent abuse
- Security headers: CSP, HSTS, X-Content-Type-Options, Referrer-Policy
- SSRF protection: Webhook URLs are checked against private and internal IP ranges and rejected if they match
- Input validation: Size limits, content validation on all endpoints
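The webhook URL check listed under SSRF protection can be illustrated as follows. This is an added example, not RiskDetect's code; the blocked-range list, the injectable resolver and the constructed DNS table are assumptions made so that the example runs offline.

```python
"""Validate outbound webhook URLs so they cannot reach internal hosts (SSRF).

Added example; not RiskDetect's implementation. The blocked-range list, the
injectable resolver and the constructed DNS table below are assumptions.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges a webhook must never target: unspecified, loopback, RFC 1918,
# shared address space, link-local (which includes the cloud metadata
# endpoint 169.254.169.254), multicast and reserved, plus IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Return every A/AAAA address for host; all of them must be checked."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_blocked_address(addr: str) -> bool:
    """True if addr falls in a blocked range; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 in disguise
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_webhook_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects non-https URLs, embedded credentials,
    literal internal IPs, and hostnames resolving to any blocked address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "host resolved to no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline (these are not real hosts).
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "metadata.example.internal": ["169.254.169.254"],
    "split.example.com": ["203.0.113.20", "10.0.0.5"],  # one public, one private
    "v6mapped.example.com": ["::ffff:192.168.1.1"],
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in for DNS that answers only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/risk",
        "http://hooks.example.com/risk",
        "https://metadata.example.internal/latest/meta-data/",
        "https://split.example.com/hook",
        "https://v6mapped.example.com/hook",
        "https://127.0.0.1:8443/hook",
        "https://[::1]/hook",
        "https://user:secret@hooks.example.com/hook",
    ):
        print(candidate, "->", validate_webhook_url(candidate, fake_resolver))
```

Every resolved address is checked, not only the first, and literal IPs are checked without a lookup so a hostname cannot be used to smuggle one past the filter. Because DNS answers can change between registration and delivery, the HTTP client that actually sends the webhook should apply the same check to the address it connects to and refuse redirects that land on a blocked address.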
5. Data Subject Rights
The Controller may exercise the following rights on behalf of data subjects at any time:
- Access: Export all data via GET /api/data-export
- Deletion: Delete specific customer data via DELETE /api/data-delete
- Account deletion: Delete all data and the account via DELETE /api/account-delete
Deletion requests are executed immediately against the live database and cannot be reversed through the service. Copies of deleted data persist only within the standard database backup window (up to 7 days, via Neon's point-in-time recovery) before they expire; RiskDetect retains no other backups of deleted data.
6. Breach Notification
In the event of a confirmed data breach affecting Customer Data, RiskDetect will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, data affected, and remediation steps
- Cooperate with the Controller's investigation and notification obligations
7. Data Return and Deletion
Upon termination of the service agreement:
- The Controller may export all data via the API before account closure
- RiskDetect will delete all Customer Data within 30 days of account termination
- Deletion is permanent and irreversible
8. Audit Rights
The Controller may request information about RiskDetect's data processing practices. RiskDetect will respond to reasonable audit requests within 10 business days. For security assessments, we support:
- Questionnaire-based assessments (SIG, CAIQ, custom)
- External penetration testing (with advance notice)
- Architecture review calls
9. Contact
For DPA-related inquiries: morgan@riskdetect.app