Privacy Policy

Last updated October 30, 2023

Risk Ledger collects and processes personal data relating to visitors to this website, in relation to the services we provide, and as part of our general business operations. The data we process, how we process it, and who receives it, varies depending on your interactions with us (details of which are set out below).

For circumstances in which Risk Ledger is a controller of personal data, the following items apply.

Details of controller

Risk Ledger Limited is the controller, is registered as a controller with the UK’s Information Commissioner’s Office (“ICO”) under number ZA485622 and has its registered office at Adam House, 7-10 Adam Street, London WC2N 6AA. For data protection matters we can be contacted by email at data@riskledger.com.

Transfers outside of the EEA

All application and corporate data are stored within the EEA by our cloud providers: AWS (Ireland, EU region) and Google (Europe region). We use a small number of other third party services to enable us to deliver our product and services, some of which are based outside of the EEA. We choose our third party providers very carefully and where international transfers are made, we have ensured the use of appropriate safeguards including adequacy decisions made, or standard contractual clauses approved, by the European Commission. To request further information about the safeguards used for such transfers, or to request a full list of the third parties used by Risk Ledger, please email data@riskledger.com.

What we collect and use

Our processing of personal data as a controller falls into the categories below:

  • Visitors to riskledger.com;
  • Users of Risk Ledger’s services;
  • Candidates for jobs and other engagements with Risk Ledger;
  • Business contacts.

Visitors to riskledger.com

When you browse this website, we collect and use data in the following ways.

Data we process:

Data on how you use the site. What pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), the length of your visit, how often you visit, and information on how you navigate the site.

Identifying information:

Your IP address and unique identifiers tied to cookies.

What we do with that data:

Site optimisation, analysing aggregated data to update the site’s content and layout to improve visitors’ experience.

Basis for processing:

Legitimate interests (better understanding user behaviour to improve the way users can access the site).

Processing period:

Data holding periods are determined by cookie expiry times.

Data recipients:

Website analytics vendors and marketing automation providers.

Risk Ledger users

Data we process:

Name, email address, phone number, your employer and job role, your platform activity and IP address.

What we do with that data:

Name and job details we use for account creation and management within your organisation’s account on Risk Ledger. Contact details we use for account authentication (including multi-factor authentication) and customer support purposes. If you opt-in to marketing communications, we’ll use your email address to send broader updates about Risk Ledger. Platform activity data is recorded as audit trails for security monitoring, logging activity to maintain software quality, and site analytics to help us to improve our services.

Basis for processing:

Other than marketing communications, which rely on consent, we process this data on the grounds of our legitimate interest in providing a secure service with user attribution and industry-standard software logs.

Processing period:

All personal data associated with the service is deleted upon request by the user. The data may be held in backups for a period of 1 month after the deletion request.

Data recipients:

Our back-end infrastructure and hosting providers, logging providers, service desk software providers, and email marketing tools.

Job candidates

This includes all recruitment related data that candidates provide to us.

What we do with that data:

Contact you about your candidacy, assess your suitability for the role applied for, and to assess your suitability for relevant future roles.

Basis for processing:

We conduct this processing on the basis of our legitimate interest in finding and selecting the most suitable candidates to join our team.

Processing period:

We store your information for 12 months after we disqualify your candidacy for the role applied for. Successful candidates’ information becomes subject to our employee privacy policy/notice.

Data recipients:

Our applicant tracking system provider, testing providers used in the assessment process, and our business communication/storage providers.

Business contacts

This includes all data that is provided to us during the normal course of business (business cards, email addresses of leads, mobile numbers of leads, data collected from marketing platforms etc.).

What we do with that data:

Corresponding with you in relation to our services before and after a sale.

Basis for processing:

If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you based on your request prior to entering into a contract.

Otherwise, we rely on legitimate interests for contracting and billing as part of our business operations, retaining copies of our business correspondence, and tracking consents and other notices given for data protection purposes. If at some point you opt into marketing emails, we’ll rely on your consent for processing related to that process.

Processing period:

We hold this data for 6 years from the date of the last correspondence.

Data recipients:

Cloud storage providers, marketing automation tools, our accounting providers, e-signature providers, and customer support/servicing tools.

Your rights

You can request that we correct, erase, or grant you access to personal data we hold relating to you. Where processing is based on your consent, you can withdraw that consent to our processing of your personal data at any time. To ask questions about your rights, or to request to exercise them, email data@riskledger.com.

If you’re concerned that Risk Ledger is handling your personal data improperly, you have the right to make a complaint to the ICO, which is our data protection supervisory authority.

Sub-processors - Risk Ledger Platform

Risk Ledger processes a minimal amount of personal data on behalf of the organisations who have created an account on the Risk Ledger platform. This could include: names and email addresses of supplier contacts or client users. The sub-processors used for this data are as follows.

Sub-processor: Amazon Web Services

Data processed: All data within the Risk Ledger platform

Purpose: Cloud hosting provider for the Risk Ledger production site

Location: Dublin, Ireland (EU)

Sub-processor: Google

Data processed: Names and email addresses of Risk Ledger users

Purpose: Google Workspace; used for internal business operations, including email

Location: Europe

Sub-processor: Intercom Inc.

Data processed: Names and email addresses of Risk Ledger users

Purpose: Customer support chat function

Location: United States

Sub-processor: Segment.io Inc.

Data processed: Names and email addresses of Risk Ledger users

Purpose: Platform & Analytics (Frontend)

Location: United States

Sub-processor: Salesforce

Data processed: Names, email addresses and contact numbers of Risk Ledger users

Purpose: Customer support

Location: Dublin, Ireland (EU)

Sub-processors - Risk Ledger website analytics

Risk Ledger processes a minimal amount of cookie data to understand how visitors use our website. What pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), the length of your visit, how often you visit, and information on how you navigate the site are data used to improve our website to better support visitors to find the information they seek.

Sub-processor: Hubspot Inc.

Data processed: Website visitors’ device/browser data (cookie metadata)

Purpose: Website use analysis

Duration: Up to 180 days

Location: United States

Sub-processor: Zoominfo Technologies LLC

Data processed: Website visitors’ device/browser data (cookie metadata)

Purpose: Website use analysis and resilience (bot detection)

Duration: 1 day

Location: United Kingdom

Sub-processor: LinkedIn

Data processed: Website visitors’ device/browser data (cookie metadata)

Purpose: Website use analysis and resilience (bot detection)

Duration: up to 1 year

Location: United States

Sub-processor: Google Doubleclick

Data processed: Website visitors’ device/browser data (cookie metadata)

Purpose: Correlation of website visitors arriving from clicked advertisements.

Duration: up to 1 year

Location: United States

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.