Privacy Policy

Effective Date: January 01, 2025
Last Updated: September 25, 2025

1. Our Commitment to Privacy

At DE RISC Group, we take your privacy seriously and are committed to protecting all personal information you share with us. Whether you provide us with information via email, while visiting our website at https://www.riscgroup.co/, or through our client portal at www.portalderiscgroup.co, we ensure that it remains confidential and secure. This includes personal details from clients, vendors, potential business partners, employees, job seekers, and consumers.

Controller Information:
DE RISC Group is the controller of your personal data. Our full legal name is DE RISC Group, and our registered address is 104-A Regus House, 4 Admiral Way, Doxford International Business Park, Sunderland, SR3 3XW, United Kingdom. For data protection inquiries or to exercise your rights, you can contact us at info@riscgroup.co.

Data Processing:
DE RISC Group also acts as a data processor on behalf of our clients. If you have any questions about this role or our data processing activities, please don't hesitate to reach out.

Data Protection Officer (DPO):
If you wish to contact our appointed Data Protection Officer (DPO), you can reach them at kiran.masroor@riscgroup.co.

2. What Personal Information We Collect

We may collect different types of personal information when you interact with our website or use our services.

2.1. Information You Provide to Us – Account, Profile, and Registration Details

When you create an account with us—either directly through our website or via one of our representatives—you will be asked to provide certain details. These may include a unique username and password, along with your contact and business information, such as your name and employer.

We collect and process this information to fulfil our contractual obligations to you. To protect your data, we implement appropriate technical and organizational measures, for example, passwords are securely hashed and never stored in plain text.

a. Site Visitor Information
If you're a visitor to our website, you may voluntarily provide personal information—for example, by subscribing to newsletters, SMS alerts, webinars, or demos. This may include your name, email address, and phone number.

b. Telephone Communication
When you contact DE RISC by phone, your call may be recorded and monitored for quality assurance and compliance purposes. These recordings help us ensure your queries are addressed appropriately and support the training of our staff.

c. Billing and Payment Information
When you buy one of our services, we need some basic billing details — like your name, email, postal address, payment method, card information and billing address — so that we can process your order and keep accurate records of your transactions. We use this information because it's necessary to deliver what you've asked for and to meet our accounting and tax obligations under the law.

For security reasons, we never keep your full card details ourselves. Payments are handled by trusted providers who comply with the PCI-DSS security standard, and every transaction is encrypted and processed through secure channels. We keep billing and transaction records only as long as needed to provide the service, meet legal retention periods (usually between six and ten years, depending on where you live) and resolve any disputes. After that, the data is securely deleted or anonymised. We only share your billing details with the people who need them to process payments, such as our payment partners, banks, accountants or regulators if required, and we never sell or rent this information to anyone.

d. Messages and Feedback
We collect information you provide when you reach out to us directly—such as through web forms, chatbot interactions, or by giving feedback about our services.

2.2. Information Collected Automatically

When you visit a DE RISC office, your presence may be captured via CCTV surveillance at entry points and within designated office areas. These recordings are processed on the basis of our legitimate interests in ensuring workplace safety, protecting property, and maintaining security.

Clear signage is displayed at CCTV-monitored locations to inform visitors of the surveillance in line with regulatory guidance.

2.3. Information Received from Third Parties

a. Service-Related Data
As part of providing services to our customers, we may collect personal information from external sources, including:

  • Customers: Clients may provide your personal information to us for purposes such as initiating contact or conducting background checks.
  • Public Sources: We may lawfully obtain information from government agencies, court systems, correctional departments, and publicly available news or media sources.
  • Third-Party Vendors: We may collaborate with trusted providers such as credit bureaus, drug testing companies, motor vehicle record providers, and verification databases to validate employment, education, or other relevant details.

We process this information where necessary to perform a contract with our clients, to comply with legal obligations, or in pursuit of our legitimate interests. When personal data is obtained indirectly, we provide notice to data subjects.

Where the processing involves special categories of data (e.g., health data from drug testing) or criminal conviction/offense data (e.g., results of background checks), such processing is carried out in strict accordance with GDPR, based on applicable legal conditions and safeguards. To protect this information, we apply enhanced confidentiality controls, restricted access, and strict data handling procedures in line with ISO 27001 security standards.

b. Marketing Information
We may also collect personal data to inform you about relevant services, through:

  • Marketing Partners: We may obtain personal information from third-party marketing agencies or platforms to identify and engage potential customers.
  • Social Media Platforms: If you interact with us via social media, we may collect insights and analytics about your engagement, as permitted by the platform's tools and privacy settings.

3. How DE RISC Uses Personal Information

The way we use your personal information depends on the nature of your relationship with us, the services you receive, how you interact with our website, and any legal obligations we must follow. Generally, we use personal data for the following purposes:

a. Account Management
We use your information to create and manage your account, enhance your experience on our website, and handle administrative matters. This may include sending communications related to technical support, billing, compliance, and account updates. Such processing is necessary for the performance of our contract with you.

In addition, we may process certain account-related information for our legitimate interests in maintaining service quality, improving user experience, and notifying you about optional features or enhancements.

b. Customer Communication
Your personal information may be used to contact you through different channels—such as email, social media, direct mail, prerecorded messages, AI-generated responses, or live calls—to provide requested information or respond to your inquiries.

c. Service Delivery
We use your personal data to provide, operate, and manage the services you have requested from us. This processing is necessary for the performance of our contract with you.

In addition, we may process certain information to support our legitimate interests in enhancing service efficiency, improving quality, and ensuring a secure and reliable user experience.

d. Enhancing Our Website and Services
We may use your data to improve the functionality and user experience of our site and services. For example, we may use previously entered data to pre-fill forms during future visits.

e. Security and Fraud Prevention
We use personal information to safeguard our website and services, detect and prevent fraudulent activity, and ensure overall security. This includes analyzing information to identify potential risks, suspicious activity, or unauthorized transactions.

Such processing is carried out where necessary to comply with applicable legal obligations and regulatory requirements and in pursuit of our legitimate interests in protecting our systems, services, and users from harm.

Where fraud detection involves automated profiling or monitoring, we ensure that human review is available before any decision with legal or significant effects is made, in accordance with GDPR.

To protect this data, we apply robust technical and organizational measures, including encryption, continuous monitoring, access controls, and ISO 27001-aligned security practices, to minimize risks and maintain a secure environment.

f. Marketing and Promotions
We do not sell or trade your personal information. With your consent, we may occasionally send you updates about our services, new features, or changes to our offerings via email, SMS, or other electronic communications.

You may withdraw your consent or object to receiving marketing communications at any time. Every marketing email we send contains an unsubscribe link, and you may also opt out by contacting DE RISC Group directly.

Importantly, we do not share the personal information of job seekers, employees, or individuals featured in data reports with third parties for marketing purposes.

g. Legal and Regulatory Compliance
We may process your personal data where necessary to comply with applicable laws, regulations, legal proceedings, or government requests, in accordance with GDPR. This may include obligations relating to tax reporting, anti–money laundering (AML) checks, employment laws, data protection regulations, or responding to lawful requests from courts and regulatory authorities.

Any disclosures made under these obligations are strictly limited to what is legally required and are handled with appropriate safeguards to protect your information.

4. How DE RISC Shares/Discloses Personal Information

DE RISC Group does not share/disclose your personal information with third parties except where it is necessary, lawful, and proportionate. All disclosures are limited to the minimum data required for the stated purpose, and recipients are either bound by legal obligations of confidentiality or contractual Data Processing Agreements (DPAs) to ensure your data is protected. Where international transfers occur, safeguards outlined in Section 8 apply.

We may share your information under the following circumstances:

  • With Customers (Clients): To deliver services effectively as a part of our contractual obligation, personal data may be shared with our customers. For example, if a customer initiates a background screening request, we may provide the relevant candidate's details in the final report.
  • With Service Providers and Verification Partners: We may share personal data with trusted vendors such as schools, universities, employers, courts, professional bodies, or data providers (e.g., credit bureaus, drug testing companies) for legitimate purpose. These parties assist in validating credentials and delivering accurate reports.
  • With Authorized Representatives and Affiliated Companies: In some cases, for our legitimate interests we may share information with affiliated companies, agents, or representatives who support our business operations and service delivery.
  • Legal and Regulatory Obligations: We may disclose information to comply with laws, court orders, subpoenas, tax regulations, anti-money laundering (AML) obligations, or requests from regulators and government agencies. Information may also be shared with legal counsel in the context of litigation, mediation, or arbitration.
  • Fraud Prevention and Enforcement of Terms: Where necessary, we may share data to investigate, prevent, or respond to fraud, suspected illegal activity, or breaches of DE RISC's terms and conditions.
  • Emergency Situations: Where necessary to protect vital interests, we may disclose personal information in urgent situations involving threats to life, health, or property, or where illegal activity is suspected.
  • Debt Recovery: If a customer fails to pay for services rendered, we may share their information with a debt recovery agency.
  • With Your Consent: Where none of the above lawful bases apply, we will only share/disclose your personal information with third parties when you have provided explicit consent, which you may withdraw at any time.

5. Data Retention

DE RISC Group retains personal information only for as long as is necessary to fulfil the purposes for which it was collected, and always in accordance with applicable laws, and contractual obligations with our customers. Retention periods are defined by legal, regulatory, and business requirements. Where retention is no longer justified, data is securely deleted or anonymised.

Our standard retention periods include:

  • Account / Contract Data: Retained for the duration of the contract plus 6 years thereafter.
  • Billing and Payment Records: Retained for 6 years following the end of the financial year.
  • CCTV Footage: Normally retained for 30 days, unless extended due to an active investigation.
  • Job Applicant Data: Retained for 6 months after the close of recruitment where the application is unsuccessful.
  • Customer Communications and Support Tickets: Retained for 1 year following resolution.

Retention schedules are periodically reviewed, and in cases of conflicting requirements, the longest lawful retention period will apply.

6. Your Rights as a Data Subject

Your rights regarding your personal data depend on the applicable data protection laws and the role DE RISC plays in processing your information.

  • When DE RISC acts as a data processor on behalf of our clients (the data controllers), you should exercise your rights directly with the relevant controller. If you contact DE RISC directly, we will promptly forward your request to the controller.
  • When DE RISC acts as a data controller (for example, where we collect information directly from you), the rights below are available to you, subject to applicable legal or contractual limitations.

Your Data Protection Rights include:

  • Right of Access: To obtain confirmation whether your personal data is being processed and to access that data.
  • Right to Rectification: To correct inaccurate or incomplete personal information.
  • Right to Erasure: To request deletion of your personal data where processing is no longer necessary or lawful.
  • Right to Restrict Processing: To request that processing of your data be limited in certain circumstances.
  • Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and transfer it to another controller.
  • Right to Object: To object to processing based on legitimate interests, including direct marketing.
  • Rights in relation to Automated Decision-Making: To not be subject to decisions based solely on automated processing, including profiling, where such decisions produce legal or significant effects.

How to Exercise Your Rights:
You may contact us at info@riscgroup.co to exercise your rights. Before responding, we may require additional information to verify your identity. We will respond to valid requests without undue delay and in any event within one month. This period may be extended by two further months where necessary, depending on request complexity, but we will notify you of any extension.

Right to Lodge a Complaint:
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or with the data protection authority in your country of residence.

7. How DE RISC Safeguards Your Personal Information

DE RISC Group is committed to protecting the security and confidentiality of your personal information. We implement a combination of physical, technical, and administrative safeguards designed to prevent unauthorised access, use, alteration, or disclosure of data.

Our security measures include:

  • Encryption in Transit and at Rest: Personal data is encrypted during transmission and when stored, to protect against interception or unauthorised retrieval.
  • Access Controls and Authentication: Multi-factor authentication, strict access rights, and role-based controls limit access to authorised personnel only.
  • Operational Safeguards: Regular staff training on data protection and security awareness, ongoing security audits, and penetration testing to identify and mitigate risks.
  • DE RISC adheres to recognised standards and frameworks, including ISO/IEC 27001 (Information Security Management System), compliance with the Fair Credit Reporting Act (FCRA), and membership with the Professional Background Screening Association (PBSA), reflecting our commitment to industry best practices and robust security controls.

Breach Response and Notification:
In the unlikely event of a personal data breach, DE RISC follows the procedures required under GDPR. This includes:

  • Assessing the severity and impact of the breach.
  • Notifying the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals.
  • Informing affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

These safeguards are reviewed regularly to ensure they remain appropriate given the nature, scope, context, and purposes of processing.

8. Data Transfer

8.1. Transfer of Information Outside Your Country of Residence

As an international organization, DE RISC provides services to clients across the globe. To support these operations, we may process or transfer your personal information to countries outside of your country of residence.

Where such transfers occur, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws, including:

  • Transfers to countries that the UK Government or European Commission has deemed to provide an adequate level of protection;
  • Use of Standard Contractual Clauses (SCCs) approved by the European Commission, as applicable;
  • Implementation of Binding Corporate Rules (BCRs) or equivalent frameworks where relevant.

These safeguards ensure your personal information continues to be protected to the standards required under the UK GDPR, EU GDPR, and other applicable laws. You may request further information about these safeguards, or obtain a copy, by contacting us at info@riscgroup.co.

Please note that such transfers may apply either to all users or only to certain services, depending on the nature of our engagement with you or our clients.

8.2. Disclosure of Personal Information: Within the United States and Internationally

When DE RISC operates as an investigative consumer reporting agency, we may transfer personal information collected from clients outside the United States in the following circumstances:

  • To third parties from whom we are required to obtain or verify personal information in order to deliver Services requested by a customer;
  • To service providers assisting us in delivering Services outside the United States on behalf of a customer who has requested those Services (if applicable); and
  • To our affiliates and service providers who support us in providing the Services (if applicable).

All third-party recipients, whether within the United States or internationally, are subject to a rigorous vetting process and are contractually bound through Data Processing Agreements (DPAs) or equivalent safeguards. These agreements require recipients to implement appropriate technical and organizational measures to ensure that personal information remains protected and is used solely for the purposes specified by DE RISC.

Where personal information is transferred to the United States or other jurisdictions with different data protection laws, DE RISC applies additional safeguards to maintain an equivalent level of protection to that required under the UK GDPR, EU GDPR, and other applicable privacy laws. These safeguards may include:

  • The use of Standard Contractual Clauses (SCCs);
  • Contractual obligations on U.S.-based recipients to notify DE RISC of any legally binding disclosure requests and to challenge such requests where possible;
  • Periodic reviews of vendor security practices, audits, and compliance certifications.

9. Policy Changes

DE RISC Group may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory obligations.

  • Effective Date: This policy is effective as of January 01, 2025.
  • Last Updated: September 25, 2025.

Any material changes to this policy will be communicated proactively. Where you maintain an active account or ongoing relationship with DE RISC, we will provide advance notice of significant updates via email or other direct communication channels. For all other users, updates will be published on our website with the revised Privacy Policy clearly marked.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect and use your personal information.