Privacy Policy and Data Processing Framework

Effective Date: December 8, 2024

This Privacy Policy and Data Processing Framework ("Policy") explains how Shavee Enterprises ("DeRisk Hub", "we", "us", or "our") collects, uses, discloses, and protects Personal Data in connection with:

  • The DeRisk Hub SaaS platform and related services;
  • Support portals, knowledge base, and in-app chat; and
  • The DeRisk Hub marketing website and other online properties.

This Policy applies to:

  • Customers and their Authorized Users;
  • Prospective customers and trial users;
  • Visitors to our website and knowledge base; and
  • Individuals whose Personal Data is processed by the Services at the request of our customers.

This Policy is incorporated by reference into the DeRisk Hub Terms of Service (the "TOS"). Capitalized terms not defined in this Policy have the meaning given in the TOS.

Customers who require a standalone Data Processing Addendum (DPA) for the purposes of Article 28 GDPR or equivalent legislation may request one by contacting support@mail.deriskhub.com. Our DPA is consistent with and supplements this Policy.


1. Identity of the Controller and Contact Details

For the purposes of this Policy:

  • Shavee Enterprises acts as:
    • Data Controller for Operational Data (as defined below) and for Personal Data collected via the website, marketing activities, and direct customer relationships; and
    • Data Processor (or equivalent) for Customer Data that we process on behalf of Customers through the Services.

Controller and Main Contact:

Shavee Enterprises

601 Suyog Crystal, 50 Lulla Nagar

Pune 411040, India

Email: info@mail.deriskhub.com

We have assessed our obligation to appoint a Data Protection Officer or equivalent privacy representative under applicable laws. We do not currently appoint a formal DPO. Our designated privacy contact for all data protection queries — including from data subjects globally — is reachable at privacy@deriskhub.com. We will revisit DPO appointment obligations as our processing volumes and geographic footprint grow.


2. Data Categories and Sources

2.1 Customer Data (Processor Role)

Customer Data includes all data that Customers or Authorized Users submit to, upload to, or otherwise make available in the Services. Depending on Customer's use of the Services, this may include:

  • Identification data: names, aliases, dates of birth, places of birth, nationalities, addresses.
  • Government and identification numbers: passport numbers, national IDs, tax IDs, company registration numbers, and similar identifiers.
  • Entity data: company names, legal forms, registration details, ownership information.
  • Vessel and aircraft data: IMO numbers, MMSI, call signs, tail numbers, other identifying information.
  • Customer's own reference identifiers: internal customer IDs, account numbers, external IDs, case IDs.
  • Screening and case data: screening results, match scores, risk classifications, case notes, decisions (true match/false positive), and audit logs.
  • Derived training data: pseudonymised or anonymised representations of screening outcomes, match classifications, and associated metadata, derived by DeRisk Hub from Customer Data for internal model development purposes as described in Section 3.1A.

Customer is solely responsible for determining which data to submit to the Services and for ensuring that it has a lawful basis to process such data.

2.2 Operational Data (Controller Role)

As data controller, we collect and process Operational Data necessary to operate and improve the Services and manage our relationship with Customers. Operational Data includes:

  • Account and profile data: name, email address, job title, role, organization, user preferences, role-based access settings.
  • Authentication data: credentials, password hashes (where applicable), authentication tokens, and security logs (often managed through our authentication provider).
  • Billing and commercial data: billing contact details, company name, tax details, subscription plans, invoices, payment status. Payment card information is typically processed by our payment provider(s) and not stored in full by us.
  • Usage and telemetry data: logs of sign-ins, API calls, configuration changes, feature usage, performance metrics, and error logs, usually in a pseudonymous or aggregated form.
  • Support and communication data: communications via email, in-app chat, and support tickets, including any screenshots or attachments.
  • Device and connection data: IP address, browser type, operating system, device identifiers, approximate location (based on IP), and other standard internet log information.

2.3 Screening Content and Third-Party Sources

We also process and compile Screening Content, which may include:

  • Sanctions and watchlists published by public authorities (e.g., OFAC, UN, EU, UK, and other regulators).
  • Publicly available law enforcement lists (e.g., "Most Wanted" lists).
  • Data obtained from specialized third-party data providers under license.

For such data, DeRisk Hub may act as controller or joint controller of the compiled Screening Content. However, when Screening Content is used within a Customer's Account to screen specific individuals or entities, we act as processor of Customer Data for that Customer.

2.4 Data Sources

We collect Personal Data from:

  • Customers and Authorized Users (e.g., during onboarding, configuration, and use of the Services);
  • Public authorities and public sources (e.g., official sanctions lists, watchlists);
  • Third-party service providers (e.g., hosting providers, analytics providers, payment processors, authentication providers);
  • Visitors and prospective customers (e.g., through website forms, marketing campaigns, events).

3. Purposes and Legal Bases for Processing

3.1 As Data Processor (Customer Data)

For Customer Data, we process Personal Data solely on behalf of and under the instructions of the Customer, for purposes such as:

  • Performing sanctions and watchlist screenings;
  • Calculating match scores and risk classifications;
  • Managing cases, decisions, and audit logs;
  • Providing monitoring, alerts, and re-evaluations;
  • Supporting Customer's compliance, auditing, and reporting processes.

Customer is responsible for determining the legal basis under Applicable Data Protection Laws for processing Customer Data via the Services (for example, legitimate interest, legal obligation, or contractual necessity). Our role, obligations, and processing activities as processor are set out in Section 6 and the Annex (Data Processing Addendum Framework).

3.1A Model Training and AI Development (Dual Role)

DeRisk Hub may derive pseudonymised or anonymised data from Customer Data ("Model Training Data") to develop, train, validate, and improve machine learning models used within or to enhance the Services ("AI-Assisted Features"). For this specific activity, DeRisk Hub acts as an independent data controller, not as a processor acting on Customer's instructions.

Our lawful basis for this processing is legitimate interests: improving the accuracy, reliability, and performance of sanctions screening tools serves both our commercial interests and the broader compliance interests of regulated institutions and the individuals they screen. We apply pseudonymisation or anonymisation before any Customer Data enters training pipelines, and we do not use Model Training Data for any purpose other than improving the Services.

Where applicable law requires consent rather than legitimate interests as the basis for this processing, we will seek that consent separately. Customers may opt out of contributing Customer Data to model training at any time by contacting support@mail.deriskhub.com. Opt-out does not affect access to core Services.

AI-Assisted Features may not be available as yet. If so, this section describes our intended future practice and is disclosed now to ensure transparency at the point of data collection.

3.2 As Data Controller (Operational Data)

For Operational Data, we rely on different legal bases, depending on the context:

  • Contract performance: To register and manage Customer accounts, provide the Services, process transactions, and communicate with Customers and Authorized Users about the Services.
  • Legitimate interests: To monitor and improve the Services; ensure security, prevent fraud and abuse; develop new features; perform analytics and usage statistics; protect our rights and interests.
  • Legal obligations: To comply with applicable tax, accounting, regulatory, and record-keeping obligations.
  • Consent (where applicable): For certain marketing communications or cookies/analytics in jurisdictions where consent is required.

4. Cookies and Similar Technologies

We use cookies and similar technologies on our websites, knowledge base, and product interfaces to:

  • Maintain session and authentication state;
  • Remember user preferences;
  • Collect analytics about use of our websites and Services;
  • Support chat and support widgets;
  • Enhance security and prevent abuse.

We may use both first-party and third-party analytics tools. In jurisdictions where required, we will present a cookie banner that allows you to manage your cookie preferences. The banner will link to this Privacy Policy and/or a separate cookie notice (collectively, "Cookie Notice") that provides more detail about the cookies and similar technologies we use.

You can also manage cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services.


5. Sub-Processors and Service Providers

To deliver the Services, we engage third-party service providers and sub-processors in categories including: cloud infrastructure and hosting; database and storage; authentication and identity management; email delivery; payment processing; analytics and logging; and customer support.

We also intend to engage machine learning infrastructure providers to support AI-Assisted Features. We have not yet selected specific providers. When we do, we will add them to our sub-processor list and provide advance notice to Customers as described below.

Notice and objection: We may update our use of Sub-Processors from time to time, without being required to maintain a public list or provide 30 days' advance notice. Upon Customer's reasonable request, we can provide information about the categories of Sub-Processors we use relevant to that Customer's use of the Services.

All sub-processors are bound by written agreements imposing data protection obligations consistent with this Policy and applicable law, including appropriate safeguards for cross-border transfers where relevant.


6. Data Processing Addendum (DPA) Framework

This Section 6 and the Annex (the "Data Processing Framework") form our data processing addendum (DPA) with Customers where we act as processor of Customer Data that includes Personal Data.

6.1 Subject Matter and Duration

  • Subject matter: Processing of Customer Data, including Personal Data, for purposes of providing the Services described in the TOS and Documentation.
  • Duration: For the Subscription Term and any additional retention period described in this Policy, unless otherwise required by law.

6.2 Nature and Purpose of Processing

We process Customer Data to:

  • Perform screenings and ongoing monitoring;
  • Generate match scores, risk classifications, and alerts;
  • Provide case management, decision tracking, and audit logs;
  • Provide analytics and reporting to Customer;
  • Secure, maintain, and improve the Services;
  • Fulfill Customer's documented instructions as described in this Policy and the TOS;
  • Deriving Model Training Data (in pseudonymised or anonymised form) for developing AI-Assisted Features, as described in Section 3.1A and subject to Customer's opt-out right.

6.3 Categories of Data Subjects and Personal Data

Typical data subjects include:

  • Customers' end customers, clients, counterparties, counterparties' representatives, or beneficial owners;
  • Directors, officers, or shareholders of corporate entities;
  • Individuals listed on sanctions, watchlists, or similar datasets;
  • Customer's employees and Authorized Users (when included in Customer Data).

Typical categories of Personal Data include:

  • Identification and contact information;
  • Government-issued identifiers;
  • Corporate and ownership information;
  • Screening results and risk indicators;
  • Audit logs of actions taken by Customer's users.

6.4 Instructions from Customer

We process Customer Data only on documented instructions from Customer, including as set out in:

  • The TOS and this Policy;
  • The configuration and settings Customer applies in the Services;
  • Any written instructions provided by Customer (e.g., via support channels), to the extent consistent with this Agreement and technically feasible.

If we believe an instruction infringes Applicable Data Protection Laws, we will inform Customer. We are not obliged to comply with instructions that would violate applicable law.

6.5 Confidentiality

We ensure that persons authorized to process Customer Data are subject to appropriate obligations of confidentiality (whether contractual or statutory) and receive appropriate data protection and security training relevant to their role.

6.6 Security Measures

We implement and maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are aligned with industry best practices, without implying any formal certification, and may include:

  • Logical separation and organization isolation;
  • Access controls and least-privilege permissions;
  • Encryption of data in transit and at rest, where appropriate;
  • Regular backups and disaster recovery processes;
  • Logging and monitoring of access and system events;
  • Vulnerability management and secure development practices.

We may update these measures from time to time to maintain or improve overall security, provided that the overall level of protection is not materially diminished.

6.7 Security Incidents

If we become aware of a Security Incident affecting Customer Personal Data, we will:

  • Notify Customer without undue delay after becoming aware of the Security Incident;
  • Provide information reasonably available to us to help Customer assess the impact and meet its own reporting obligations;
  • Take appropriate steps to mitigate the effects and prevent recurrence.

Customer is responsible for compliance with any legal obligations to notify regulators or data subjects of the Security Incident. We will provide reasonable assistance as described in this Policy and as required by Applicable Data Protection Laws.

6.8 Data Subject Rights

When we process Customer Data as processor:

  • Customer is responsible for handling requests from data subjects (e.g., access, rectification, erasure, restriction, objection, portability) and for deciding how to respond.
  • Where Customer cannot fulfill a request through self-service features, Customer may request our assistance. We will provide reasonable and technically feasible assistance, taking into account the nature of the processing and the information available to us.
  • Where deletion or restriction conflicts with legally required retention related to AML/CFT or other Regulatory Compliance Laws, we may retain certain data as required by law and will notify Customer where feasible.

When we process Operational Data as controller:

  • Individuals (including Authorized Users) may contact us directly at info@mail.deriskhub.com to exercise their data protection rights.
  • We will respond in accordance with Applicable Data Protection Laws, typically within one month (subject to lawful extensions).

6.9 International Data Transfers

We primarily host and process Customer Data in data centres in the United States and the European Economic Area. Our team operates primarily from India. Sub-Processors may operate in additional countries.

Where Personal Data is transferred across borders, we apply appropriate safeguards that are recognised under the applicable laws of the originating jurisdiction. These may include: Standard Contractual Clauses (EU/EEA and UK), the UK International Data Transfer Agreement, contractual obligations consistent with applicable privacy principles, or other recognised transfer mechanisms. We assess each transfer relationship and apply supplementary measures (such as encryption and access controls) where the legal environment of the destination country warrants it.

Customers may request details of the transfer safeguards applicable to their data by contacting support@mail.deriskhub.com.

6.10 Audits and Compliance Assistance

Upon Customer's reasonable written request and subject to confidentiality obligations, we will provide information necessary to demonstrate our compliance with the obligations set out in this Data Processing Framework, which may include:

  • Security documentation and technical overviews;
  • Responses to reasonable security and privacy questionnaires;
  • References to independent assessments or audits (where available).

If further on-site or third-party audits are required by Applicable Data Protection Laws or by a competent supervisory authority, we will cooperate in good faith and agree on scope, timing, and cost allocation with the Customer.

6.11 Return and Deletion of Customer Data

Upon termination or expiry of the Subscription Term, we will:

  • Retain Customer Data in an active state for a limited period so that Customer can export its data, as described in the TOS;
  • Thereafter, delete or anonymize Customer Data in accordance with our retention schedules, unless longer retention is required by Regulatory Compliance Laws, tax laws, or other applicable laws (for example, AML/CFT record-keeping obligations).

Where Customer requests earlier deletion and it is technically feasible and lawful, we will delete or anonymize Customer Data earlier, subject to any constraints noted above.

6.12 AI Model Governance

Where we develop AI-Assisted Features using Model Training Data, we commit to: (a) applying pseudonymisation or anonymisation before data enters training pipelines; (b) documenting training data categories and model performance metrics, available to Customers on request; (c) monitoring models for systematic accuracy degradation or bias; and (d) designing AI-Assisted Features as decision-support tools only — final compliance decisions remain with Customer's personnel. Where applicable law (including the EU AI Act) imposes additional conformity or transparency obligations on AI systems used for sanctions screening, we will comply with those obligations before making the relevant features available in affected jurisdictions.


7. Retention Periods

We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law.

7.1 Customer Data

  • Active Accounts: We retain Customer Data for the duration of the Subscription Term and to the extent necessary to provide the Services, including ongoing monitoring and audit logs.
  • Post-Termination: After termination or expiry, we retain Customer Data for a limited period to enable export and to support any audits, investigations, or disputes. Thereafter, we delete or anonymize Customer Data, unless longer retention is required by Regulatory Compliance Laws (for example, AML/CFT record-keeping obligations).

Model Training Data derived from Customer Data is retained only for as long as it is actively used in training or validating AI models. Where a Customer opts out of model training, we will cease deriving new Model Training Data from that point. Previously derived Model Training Data that has been incorporated into trained model weights cannot be algorithmically removed, but will be excluded from future training cycles. Fully anonymised model artefacts are not subject to this retention limit.

7.2 Operational Data

  • Account and billing records: Retained for the duration of the customer relationship plus three (3) years following the end of the relationship, or longer if required by applicable tax or accounting laws.
  • Usage logs and telemetry: Retained for a period that typically ranges from several months up to a few years, depending on the type of log and our security, operational, and compliance needs.
  • Support tickets and communications: Retained for a period (for example, up to 24 months or longer where needed) to help resolve issues and maintain an audit trail of support interactions.
  • Marketing records: Retained as long as necessary for the marketing purpose, subject to your right to opt out, and for a limited time thereafter for record-keeping.

We may retain anonymized or aggregated data indefinitely, provided it does not identify individuals or Customers.


8. Automated Screening, Profiling, and Decision-Making

The Services perform automated matching, scoring, and classification, including:

  • Comparing Customer Data against sanctions and watchlists;
  • Calculating similarity and risk scores;
  • Triggering alerts, monitoring events, and case creation.

This qualifies as profiling under certain data protection laws. However:

  • The Services are intended to support Customer's own compliance decisions;
  • DeRisk Hub does not make binding decisions about whether an individual or entity should be onboarded, approved, rejected, or blocked;
  • Final decisions are made by Customer's compliance or risk teams.

Customers are responsible for implementing appropriate human review and oversight of automated outputs from the Services.

DeRisk Hub intends to introduce AI-Assisted Features that use machine learning models to suggest classifications of screening results. When introduced, such features will constitute profiling under applicable data protection laws. They will not constitute solely automated decision-making with legal effects, because final match decisions will remain with Customer's compliance personnel. Customers will be able to disable AI-Assisted suggestions without loss of core functionality.


9. Marketing Communications

We may send:

  • Transactional communications related to the Services (e.g., account notices, security alerts, billing and renewal notifications, service or feature updates required to operate the Services). You generally cannot opt out of these while maintaining an active Subscription because they are necessary for the Services.
  • Marketing communications, such as newsletters, product updates, or invitations to events, where permitted by applicable law.

You may opt out of marketing communications at any time:

Opting out of marketing communications will not affect your receipt of transactional communications.


10. Children's Data

Our Services, website, and related offerings are not directed to children and are intended for business and professional use. We do not knowingly collect Personal Data from children under the age at which consent is required in their jurisdiction (for example, under 16 in many jurisdictions). If we become aware that we have inadvertently collected Personal Data from such a child, we will take steps to delete it as soon as reasonably practicable.


11. Your Rights and Choices

Depending on your location and the applicable law, you may have some or all of the following rights in relation to your Personal Data. Rights vary by jurisdiction — not all rights listed below apply in every country. You may exercise rights applicable to you by contacting us at support@mail.deriskhub.com. We may verify your identity before acting on a request and will respond within the timeframe required by your applicable law (typically 30 days, subject to lawful extension).

  • Right of access;
  • Right to rectification (correction);
  • Right to erasure (deletion);
  • Right to restriction of processing;
  • Right to object to processing;
  • Right to data portability;
  • Right to withdraw consent (where consent is the legal basis);
  • Right to lodge a complaint with a supervisory authority.

If you are an Authorized User or data subject whose data is processed as Operational Data, you may exercise your rights by contacting us at info@mail.deriskhub.com. We may need to verify your identity before fulfilling your request.

If your Personal Data is processed as part of Customer Data, DeRisk Hub processes it on behalf of the relevant Customer (the data controller). Requests relating to such data should be directed to that Customer. We will assist Customers in responding to data subject requests where required.


12. Complaints and Supervisory Authorities

If you believe that our processing of your Personal Data infringes Applicable Data Protection Laws, you may:

  • Contact us first at info@mail.deriskhub.com, so we can try to address your concerns; and/or
  • Lodge a complaint with your local data protection authority or supervisory authority, where such a right exists under your local law.

You may also lodge a complaint with the data protection supervisory authority in your country of residence or where the alleged infringement occurred. We will cooperate with any competent supervisory authority in the resolution of complaints.


13. Changes to This Policy

We may update this Policy from time to time, for example to reflect changes to our Services, legal requirements, or processing practices.

  • For material changes, we will notify Customers via email and/or through an in-app notice.
  • The updated Policy will be effective on the date indicated at the top ("Effective Date"), unless a different effective date is specified.

Your continued use of the Services after the effective date of any updated Policy signifies your acceptance of the updated Policy.

If you do not agree with the changes, you should stop using the Services and may exercise any termination or data export rights available under the TOS.


Questions or Concerns?

If you have any questions about these Terms, this Privacy Policy, or our data protection practices, please contact us at info@mail.deriskhub.com