Effective Date: December 8, 2024
This Privacy Policy and Data Processing Framework ("Policy") explains how Shavee Enterprises ("DeRisk Hub", "we", "us", or "our") collects, uses, discloses, and protects Personal Data in connection with:
This Policy applies to:
This Policy is incorporated by reference into the DeRisk Hub Terms of Service (the "TOS"). Capitalized terms not defined in this Policy have the meaning given in the TOS.
Customers who require a standalone Data Processing Addendum (DPA) for the purposes of Article 28 GDPR or equivalent legislation may request one by contacting support@mail.deriskhub.com. Our DPA is consistent with and supplements this Policy.
For the purposes of this Policy:
Controller and Main Contact:
Shavee Enterprises
601 Suyog Crystal, 50 Lulla Nagar
Pune 411040, India
Email: info@mail.deriskhub.com
We have assessed our obligation to appoint a Data Protection Officer or equivalent privacy representative under applicable laws. We do not currently appoint a formal DPO. Our designated privacy contact for all data protection queries — including from data subjects globally — is reachable at privacy@deriskhub.com. We will revisit DPO appointment obligations as our processing volumes and geographic footprint grow.
Customer Data includes all data that Customers or Authorized Users submit to, upload to, or otherwise make available in the Services. Depending on Customer's use of the Services, this may include:
Customer is solely responsible for determining which data to submit to the Services and for ensuring that it has a lawful basis to process such data.
As data controller, we collect and process Operational Data necessary to operate and improve the Services and manage our relationship with Customers. Operational Data includes:
We also process and compile Screening Content, which may include:
For such data, DeRisk Hub may act as controller or joint controller of the compiled Screening Content. However, when Screening Content is used within a Customer's Account to screen specific individuals or entities, we act as processor of Customer Data for that Customer.
We collect Personal Data from:
For Customer Data, we process Personal Data solely on behalf of and under the instructions of the Customer, for purposes such as:
Customer is responsible for determining the legal basis under Applicable Data Protection Laws for processing Customer Data via the Services (for example, legitimate interest, legal obligation, or contractual necessity). Our role, obligations, and processing activities as processor are set out in Section 6 and the Annex (Data Processing Addendum Framework).
DeRisk Hub may derive pseudonymised or anonymised data from Customer Data ("Model Training Data") to develop, train, validate, and improve machine learning models used within or to enhance the Services ("AI-Assisted Features"). For this specific activity, DeRisk Hub acts as an independent data controller, not as a processor acting on Customer's instructions.
Our lawful basis for this processing is legitimate interests: improving the accuracy, reliability, and performance of sanctions screening tools serves both our commercial interests and the broader compliance interests of regulated institutions and the individuals they screen. We apply pseudonymisation or anonymisation before any Customer Data enters training pipelines, and we do not use Model Training Data for any purpose other than improving the Services.
Where applicable law requires consent rather than legitimate interests as the basis for this processing, we will seek that consent separately. Customers may opt out of contributing Customer Data to model training at any time by contacting support@mail.deriskhub.com. Opt-out does not affect access to core Services.
AI-Assisted Features may not yet be available. If so, this section describes our intended future practice and is disclosed now to ensure transparency at the point of data collection.
For Operational Data, we rely on different legal bases, depending on the context:
To deliver the Services, we engage third-party service providers and sub-processors in categories including: cloud infrastructure and hosting; database and storage; authentication and identity management; email delivery; payment processing; analytics and logging; and customer support.
We also intend to engage machine learning infrastructure providers to support AI-Assisted Features. We have not yet selected specific providers. When we do, we will add them to our sub-processor list and provide advance notice to Customers as described below.
Notice and objection: We may update our use of Sub-Processors from time to time, without being required to maintain a public list or provide 30 days' advance notice. Upon Customer's reasonable request, we can provide information about the categories of Sub-Processors we use relevant to that Customer's use of the Services.
All sub-processors are bound by written agreements imposing data protection obligations consistent with this Policy and applicable law, including appropriate safeguards for cross-border transfers where relevant.
This Section 6 and the Annex (the "Data Processing Framework") form our data processing addendum (DPA) with Customers where we act as processor of Customer Data that includes Personal Data.
We process Customer Data to:
Typical data subjects include:
Typical categories of Personal Data include:
We process Customer Data only on documented instructions from Customer, including as set out in:
If we believe an instruction infringes Applicable Data Protection Laws, we will inform Customer. We are not obliged to comply with instructions that would violate applicable law.
We ensure that persons authorized to process Customer Data are subject to appropriate obligations of confidentiality (whether contractual or statutory) and receive appropriate data protection and security training relevant to their role.
We implement and maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are aligned with industry best practices, without implying any formal certification, and may include:
We may update these measures from time to time to maintain or improve overall security, provided that the overall level of protection is not materially diminished.
If we become aware of a Security Incident affecting Customer Personal Data, we will:
Customer is responsible for compliance with any legal obligations to notify regulators or data subjects of the Security Incident. We will provide reasonable assistance as described in this Policy and as required by Applicable Data Protection Laws.
When we process Customer Data as processor:
When we process Operational Data as controller:
We primarily host and process Customer Data in data centres in the United States and the European Economic Area. Our team operates primarily from India. Sub-Processors may operate in additional countries.
Where Personal Data is transferred across borders, we apply appropriate safeguards that are recognised under the applicable laws of the originating jurisdiction. These may include: Standard Contractual Clauses (EU/EEA and UK), the UK International Data Transfer Agreement, contractual obligations consistent with applicable privacy principles, or other recognised transfer mechanisms. We assess each transfer relationship and apply supplementary measures (such as encryption and access controls) where the legal environment of the destination country warrants it.
Customers may request details of the transfer safeguards applicable to their data by contacting support@mail.deriskhub.com.
Upon Customer's reasonable written request and subject to confidentiality obligations, we will provide information necessary to demonstrate our compliance with the obligations set out in this Data Processing Framework, which may include:
If further on-site or third-party audits are required by Applicable Data Protection Laws or by a competent supervisory authority, we will cooperate in good faith and agree on scope, timing, and cost allocation with the Customer.
Upon termination or expiry of the Subscription Term, we will:
Where Customer requests earlier deletion and it is technically feasible and lawful, we will delete or anonymize Customer Data earlier, subject to any constraints noted above.
Where we develop AI-Assisted Features using Model Training Data, we commit to: (a) applying pseudonymisation or anonymisation before data enters training pipelines; (b) documenting training data categories and model performance metrics, available to Customers on request; (c) monitoring models for systematic accuracy degradation or bias; and (d) designing AI-Assisted Features as decision-support tools only — final compliance decisions remain with Customer's personnel. Where applicable law (including the EU AI Act) imposes additional conformity or transparency obligations on AI systems used for sanctions screening, we will comply with those obligations before making the relevant features available in affected jurisdictions.
We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law.
Model Training Data derived from Customer Data is retained only for as long as it is actively used in training or validating AI models. Where a Customer opts out of model training, we will cease deriving new Model Training Data from that point. Previously derived Model Training Data that has been incorporated into trained model weights cannot be algorithmically removed, but will be excluded from future training cycles. Fully anonymised model artefacts are not subject to this retention limit.
We may retain anonymized or aggregated data indefinitely, provided it does not identify individuals or Customers.
The Services perform automated matching, scoring, and classification, including:
This qualifies as profiling under certain data protection laws. However:
Customers are responsible for implementing appropriate human review and oversight of automated outputs from the Services.
DeRisk Hub intends to introduce AI-Assisted Features that use machine learning models to suggest classifications of screening results. When introduced, such features will constitute profiling under applicable data protection laws. They will not constitute solely automated decision-making with legal effects, because final match decisions will remain with Customer's compliance personnel. Customers will be able to disable AI-Assisted suggestions without loss of core functionality.
We may send:
You may opt out of marketing communications at any time:
Opting out of marketing communications will not affect your receipt of transactional communications.
Our Services, website, and related offerings are not directed to children and are intended for business and professional use. We do not knowingly collect Personal Data from children under the age at which consent is required in their jurisdiction (for example, under 16 in many jurisdictions). If we become aware that we have inadvertently collected Personal Data from such a child, we will take steps to delete it as soon as reasonably practicable.
Depending on your location and the applicable law, you may have some or all of the following rights in relation to your Personal Data. Rights vary by jurisdiction — not all rights listed below apply in every country. You may exercise rights applicable to you by contacting us at support@mail.deriskhub.com. We may verify your identity before acting on a request and will respond within the timeframe required by your applicable law (typically 30 days, subject to lawful extension).
If you are an Authorized User or data subject whose data is processed as Operational Data, you may exercise your rights by contacting us at info@mail.deriskhub.com. We may need to verify your identity before fulfilling your request.
If your Personal Data is processed as part of Customer Data, DeRisk Hub processes it on behalf of the relevant Customer (the data controller). Requests relating to such data should be directed to that Customer. We will assist Customers in responding to data subject requests where required.
If you believe that our processing of your Personal Data infringes Applicable Data Protection Laws, you may:
You may also lodge a complaint with the data protection supervisory authority in your country of residence or where the alleged infringement occurred. We will cooperate with any competent supervisory authority in the resolution of complaints.
We may update this Policy from time to time, for example to reflect changes to our Services, legal requirements, or processing practices.
Your continued use of the Services after the effective date of any updated Policy signifies your acceptance of the updated Policy.
If you do not agree with the changes, you should stop using the Services and may exercise any termination or data export rights available under the TOS.
If you have any questions about these Terms, this Privacy Policy, or our data protection practices, please contact us at info@mail.deriskhub.com.