RiskNote
Security & Trust

Secure by default. EU by design.

RiskNote hosts all your data in Stockholm, Sweden, applies GDPR and EU AI Act obligations from the first line of code, and never uses your risk content to train AI models. Every AI suggestion is advisory — you decide what enters the register.

Privacy PolicyReport a security issue

EU-hosted in Stockholm

All service data stays on Elastx infrastructure in Sweden — ISO 27001-certified, EEA-only.

GDPR-native

Documented legal basis per purpose. In-app data export, rectification, and 30-day deletion.

Your data never trains AI

Anthropic's Commercial Terms prohibit training on API inputs and outputs. PII never reaches the model.

AI is advisory only

Every suggestion requires your explicit acceptance before it enters your register (GDPR Art. 22).

GDPREU AI Act Art. 50GDPR Art. 22ISO 31000 processISO 27001 infra (Elastx)DPF + SCCs for non-EU transfers
01

Data residency & hosting

All service data — accounts, risk notes, risks, and logs — is hosted in Stockholm, Sweden on Elastx infrastructure. Elastx holds an ISO 27001 certification for its data centres and operations. RiskNote itself does not hold ISO 27001; we rely on certified infrastructure and keep our own posture transparent.

Where your data lives

Primary database, object storage, and application servers are all inside the EEA. No EU data is transferred outside the bloc except for the specific sub-processors listed in section 06, each under GDPR-compliant safeguards (DPF and/or SCCs).

Backups

Encrypted nightly backups are retained for 30 days and stored on Elastx infrastructure in the same EU region. Restore procedures are tested periodically.

Transparent sub-processors

Any change to our sub-processor list is reflected in the Privacy Policy. A dedicated changelog with email notifications is on the roadmap (see section 11).
02

Encryption & transport

In transit

TLS 1.2+ is enforced for every connection. HTTP is redirected to HTTPS. HSTS is enabled at the edge.

At rest

Database volumes and object storage are encrypted at rest on Elastx infrastructure. Passwords are hashed with bcrypt.

Secrets handling

API keys and credentials live in environment variables, never in source control, and are excluded from application logs. Access is scoped to the production environment.
03

Tenant isolation

RiskNote is a multi-tenant SaaS with logical isolation. There is no cross-account visibility.

Scoped at the ORM layer: Every query against user-owned resources is filtered by the authenticated user's ID at the query builder level.

Policy-gated access: Laravel authorisation policies gate every sensitive resource — controllers cannot return another user's data even if a route parameter is tampered with.

Explicit sharing only: Risk notes are private by default. Shared risk notes (Pro and Business plans) require an explicit invitation; access is revocable at any time.

04

Authentication

Email + password

Minimum 8 characters, mixed case with a digit. Stored as bcrypt hashes. Password reset links expire after 60 minutes.

OAuth 2.0

Sign in with Google, Microsoft, or Apple. We receive your name, email, and provider user ID. We do not store OAuth access tokens.

Sessions

Session cookies are strictly necessary and therefore exempt from consent under ePrivacy Art. 5(3) / the Swedish LEK, Chapter 6, Section 18.

Why not magic links

We evaluated and rejected magic-link authentication. For enterprise and municipal buyers, deliverability risk through aggressive mail filters outweighed the UX benefit.
05

AI by design

AI is the most privacy-sensitive part of any modern SaaS. We built RiskNote's AI path assuming every choice would be audited.

Data minimisation: Only the risk note name, description, selected risk areas, and your organisation context (industry, company size, role, goals, challenges) are sent to Anthropic. We never send email, name, IP address, billing data, tokens, or data from other users.

No training on your data: Processing goes through Anthropic's Claude API under its Commercial Terms, which prohibit using customer inputs or outputs to train or improve models.

Advisory only (GDPR Art. 22): The AI produces suggestions with likelihood and consequence scores. Every suggestion requires your explicit acceptance before it enters the register. No decisions with legal or similarly significant effect are made by automated means.

AI origin labelling (EU AI Act Art. 50): Every user-facing surface that displays AI-generated content marks it as such — in the in-app UI, in the PDF export's Source column and disclosure footer, and in the upcoming CSV export (V1.1). The AI model identifier is preserved and shown in exports.

Prompt-injection hardening: User-supplied fields are truncated before being concatenated into prompts, limiting the surface for prompt-injection attempts via oversized input.

Rate limited: AI analyses are capped at 20 per hour per user, plus a per-plan monthly allocation, to prevent abuse and to manage cost predictability.

06

Sub-processors & international transfers

The canonical list lives in the Privacy Policy, section 5.

ProcessorPurposeLocationSafeguard
ElastxBackend & frontend hostingStockholm, SEEEA
AnthropicAI risk analysisUSADPF + SCCs
StripeWeb paymentsUSA / EUDPF + SCCs
RevenueCatMobile subscriptionsUSASCCs

Copies of Standard Contractual Clauses are available on request from privacy@risknote.io.

07

Data retention & deletion

Active account: Data is retained for as long as your account is active.

Deletion: Account deletion is self-service from the Account page. All personal data and risk assessment content is permanently erased within 30 days.

Billing records: Retained for up to 7 years in accordance with the Swedish Accounting Act (Bokföringslagen, SFS 1999:1078).

Anonymised feedback: Optional feedback provided at account deletion is anonymised and not linked to your identity.

08

Your rights & portability

Under the GDPR you have the following rights. The full statement is in the Privacy Policy, section 7.

AccessRequest a copy of your personal data (Art. 15).
RectificationCorrect inaccurate data from account settings or via email (Art. 16).
ErasureDelete your account and all data in-app, any time (Art. 17).
PortabilityExport assessments as PDF or CSV; structured JSON available on request (Art. 20).
RestrictionRequest that we limit processing of your data (Art. 18).
ObjectObject to processing based on legitimate interest, including AI analysis (Art. 21).
Withdraw consentWhere processing is based on consent, withdraw at any time (Art. 7(3)).
ComplaintLodge a complaint with the Swedish Authority for Privacy Protection (IMY, imy.se).
09

Incident response & vulnerability disclosure

Reporting a vulnerability

Email privacy@risknote.io with reproduction steps. We do not operate a separate security@ mailbox at this stage — reports are monitored directly by the founder. Please avoid actions that could affect other users' data during testing.

Acknowledgement

We aim to acknowledge valid reports within 3 business days. We will keep you informed while we triage and remediate.

Breach notification

Under GDPR Art. 33, we notify the Swedish supervisory authority (IMY) within 72 hours of becoming aware of a personal-data breach where required. Under Art. 34, we notify affected users without undue delay when the breach is likely to result in high risk to their rights and freedoms.

Bug bounty

We do not run a public bounty programme yet. We're grateful for responsible disclosure and will credit reporters who prefer attribution.
10

Compliance & legal basis

A clear view of what RiskNote complies with, aligns to, and relies on — distinguished honestly.

FrameworkTypeHow it applies to RiskNote
GDPRRegulation we comply withData controller for all service data. See Privacy Policy for full statement.
ePrivacy / LEK 6:18Regulation we comply withSwedish implementation governs cookie consent. Analytics cookies are opt-in.
EU AI Act Art. 50Regulation we comply withAI-generated content is labelled in UI, PDF, and CSV (V1.1) outputs.
GDPR Art. 22Regulation we comply withNo automated decisions; every AI suggestion requires user acceptance.
Swedish consumer lawRegulation we comply with14-day right of withdrawal handled in-app with automatic Stripe refund.
ISO 31000Standard we align toIdentify → analyse → evaluate → treat → monitor. Not certified (no ISO 31000 certification exists).
ISO 27001Certification we rely onHeld by our hosting provider Elastx, not by RiskNote itself.
11

On our roadmap

Honest forward look. None of these are live today.

Third-party penetration testplanned post-launch once the hosted environment stabilises.

Sub-processor changeloga public page listing changes to our sub-processor list, with email notifications for subscribers.

CSV export with AI-origin columnshipping with V1.1.

Business-tier SSO (SAML / OIDC)tied to the Business plan rollout, not V1.

SOC 2 Type IIwe'll consider this once enterprise demand justifies the cost and operational footprint. We won't claim it before it's real.

12

Contact

Security & privacy: privacy@risknote.io

General support: support@risknote.io

VER&IT AB · Nygatan 71, 462 32 Vänersborg, Sweden · Org.nr: 556985-1206

    Security & Trust — RiskNote | RiskNote