Trust Center

Security & Compliance

EffortlessRisk handles sensitive third-party risk data. Here's exactly how we protect it, who processes it, and what regulations we comply with.

Compliance Status

GDPR Aligned (status: Active)

EU data protection regulations. Cookie consent, DSAR support, EU SCC-based DPA.

CCPA Aligned (status: Active)

California Consumer Privacy Act. Right to delete and right to know honored.

SOC 2-Aligned Architecture (status: Active)

Built with SOC 2 Trust Services Criteria controls in mind. Formal Type 1 audit on the roadmap.

Security Practices

Encryption

  • Data encrypted in transit via TLS 1.2+
  • Data encrypted at rest via AES-256 (Supabase / Postgres)
  • Secrets stored in Vercel encrypted environment variables

Access Control

  • Role-based access control (Admin, Manager, Officer, Analyst)
  • Multi-tenant isolation via organization-scoped queries
  • Optional 2FA for user accounts
  • Session-based authentication with secure cookies

Audit Logging

  • All material actions logged with user, timestamp, entity
  • Immutable activity log per organization
  • Log retention: lifetime of the customer account

Data Storage

  • Production data stored in Supabase (Postgres) — US region
  • Daily automated backups with point-in-time recovery
  • Customer data isolation via row-level security
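The organization-scoped isolation listed under Access Control and the row-level security listed under Data Storage are two layers of the same control: the application filters by organization, and the database refuses to return or accept rows outside that organization even if an application query forgets its filter. The following Postgres RLS setup is an added illustration of that pattern; it is not EffortlessRisk's own schema or policy code. The `vendors` table, the `app_user` role, and the `app.org_id` session setting are assumptions made for this example.

```sql
-- Added example (hypothetical schema, not the product's own):
-- organization-scoped isolation of a vendor table with Postgres row-level security.

CREATE TABLE vendors (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,          -- tenant key: which organization owns the row
    name    text NOT NULL
);

-- Hypothetical role the API connects as. It is NOT a superuser and has no
-- BYPASSRLS attribute, so the policies below actually apply to it.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON vendors TO app_user;
GRANT USAGE, SELECT ON SEQUENCE vendors_id_seq TO app_user;

ALTER TABLE vendors ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner too, not only to other roles.
ALTER TABLE vendors FORCE ROW LEVEL SECURITY;

-- With RLS enabled and no matching policy, the default is to deny every row.
-- This single policy covers SELECT/INSERT/UPDATE/DELETE and ties each row to
-- the organization set on the current session. The second argument to
-- current_setting() makes a missing setting yield NULL, so a request that
-- never set app.org_id matches no rows at all (fail closed).
CREATE POLICY vendors_org_isolation ON vendors
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- Per-request usage by the application (constructed sample organization id):
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';

-- Even without a WHERE org_id = ... clause, only this organization's rows come back.
SELECT id, name FROM vendors;

-- Writing a row for another organization fails the WITH CHECK clause with
-- "new row violates row-level security policy for table "vendors"", so a bug
-- in the application layer cannot leak data across tenants.
-- INSERT INTO vendors (org_id, name)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'Other Org Vendor');
COMMIT;
```

Two practical checks when reviewing a setup like this: confirm the connecting role is neither a superuser nor marked BYPASSRLS (both skip policies entirely), and confirm `FORCE ROW LEVEL SECURITY` is set on every tenant-scoped table, since the table owner is otherwise exempt. `SET LOCAL` is used so the organization id is scoped to the transaction and cannot bleed into the next request on a pooled connection.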

Incident Response

  • Security incidents triaged within 24 hours
  • Customer notification within 72 hours of confirmed breach (GDPR Article 33)
  • Report incidents to security@effortlessrisk.com

Third Party & Supply Chain

  • All subprocessors vetted before engagement
  • Subprocessor list published and updated when changed
  • Major vendors (Vercel, Supabase, Stripe) carry SOC 2 + ISO 27001 themselves

Documents & Resources

Questions about security or compliance?

Procurement teams, security reviewers, and compliance officers can reach us directly.