RiskPrep

Privacy Policy

Effective date: March 20, 2026

1. What We Collect

When you create an account or use RiskPrep, we collect:

  • Account information — email address and hashed password (managed by Amazon Cognito).
  • Organization data — a friendly codename (drawn from a curated word list and used as a display alias in place of your legal company name), subscription tier, selected frameworks, and team member email addresses.
  • Plan content — answers you provide in wizard questionnaires and scoping forms. We encourage you to use generic placeholders rather than real company-specific details.
  • Usage data — page views, feature usage, and error logs collected via Sentry for debugging purposes.
  • Payment information — processed entirely by Stripe. We do not store credit card numbers.

2. How We Use Your Data

  • To provide and improve the RiskPrep service.
  • To generate compliance plans, assessments, and recommendations tailored to your inputs.
  • To send transactional emails (account confirmation, team invitations) via SendGrid.
  • To process payments and manage subscriptions via Stripe.
  • To monitor application health and fix errors via Sentry.

3. Data Storage & Security

Your data is stored in an Amazon Aurora PostgreSQL database. Row-level security (RLS) policies scope reads and writes to the organization you belong to. Data in transit is encrypted via TLS; data at rest is encrypted by the underlying AWS managed services (Aurora and S3). Session tokens are time-boxed on our side and are further subject to idle-timeout rules configured on our authentication provider (Amazon Cognito).

Our application sets security headers on every response: Content Security Policy (CSP) with a per-request nonce, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Mutating API routes are additionally protected by rate limiting and origin verification.

4. Third-Party Services

  • Amazon Web Services (AWS) — authentication (Cognito), database (Aurora PostgreSQL), hosting (ECS/CloudFront), and infrastructure.
  • Stripe — payment processing and subscription management.
  • SendGrid — transactional email delivery.
  • Sentry — error monitoring and performance tracking.

Each third-party service processes only the data necessary for its function. We do not sell your data to any third party.

5. Cookies

We use cookies for authentication session management (Cognito-issued session tokens stored as httpOnly, Secure, SameSite=Strict cookies). These are essential cookies required for the application to function. We do not use advertising or tracking cookies.

6. Your Rights

You may:

  • Access your data at any time through the application.
  • Export your plans in PDF or DOCX format (Pro, Business, and MSP tiers).
  • Request deletion of your account and all associated data by contacting us.
  • Withdraw consent for non-essential data processing at any time.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Anonymized usage statistics may be retained for service improvement.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the service after changes constitutes acceptance.

9. Contact

For privacy-related questions or data deletion requests, contact us at privacy@riskprep.com.