Privacy Policy

Effective Date: March 1, 2026

Last Updated: 26 Mar 2026

Version 1.0 | DRisk Privacy Policy | Digital400 (Private) Limited

DRisk is a product of Digital400 (Private) Limited

For enquiries: info@driskglobal.com

This Privacy Policy describes how DRisk, a product of Digital400 (Private) Limited ("DRisk", "we", "us", or "our"), collects, uses, and discloses personal information, and describes your rights and choices with respect to that information.

DRisk is an AI powered risk and compliance management platform. DRisk utilizes machine learning models to identify risks and automate compliance mapping.

  • How AI Uses Data: We use de identified and aggregated Usage Data to train and improve our internal algorithms.

  • Customer Data Isolation: Personal information or proprietary Customer Data uploaded to the Service is never used to train "public" AI models. Your data remains siloed within your organization's instance.

  • Automated Decision Making: DRisk provides recommendations; however, all final risk and compliance determinations are designed to be made by human users. We do not engage in "solely automated" decision making that has legal or similarly significant effects on individuals.

This Privacy Policy applies to personal information collected through the DRisk platform, our website at http://driskglobal.com and any related subdomains (collectively the "Website"), as well as through any other interactions you may have with us, including customer service communications, trial registrations, sales inquiries, marketing activities and events.

For the purposes of applicable data protection laws, DRisk acts as a data controller in relation to personal data collected directly from users of the Website and through the above interactions.

A separate agreement governs the provision of DRisk's subscription services to customers (the "Subscription Agreement"), including the processing of personal information and compliance data that customers upload to the platform ("Customer Data").

To the extent DRisk processes Customer Data on behalf of its customers, DRisk acts as a data processor, and such processing is governed exclusively by the Subscription Agreement and any applicable Data Processing Addendum (DPA). This Privacy Policy does not apply to such processing.

Customers are solely responsible for:

  • Ensuring that they have a valid legal basis for collecting and uploading Customer Data to the platform; and

  • Complying with applicable data protection and privacy laws in relation to such Customer Data.

Important Notice

This Privacy Policy does not apply to third party applications, tools, or services that integrate with the DRisk platform. You should review the privacy policies of those third parties separately. If you are unsure whether this policy applies to a particular interaction, please contact us at info@driskglobal.com.

  1. Who We Are

DRisk is a compliance and risk management platform developed and operated by Digital400 (Private) Limited, a software development organization. References to "DRisk" in this Privacy Policy refer to the platform and the entity operating it.

Registered Name: Digital400 (Private) Limited

Product: DRisk (http://driskglobal.com)

Privacy Contact: info@driskglobal.com

  2. Information We Collect

DRisk collects personal information in several ways depending on how you interact with us, the platform and the website. The categories of personal information we collect are described below.

2.1 Information You Provide Directly

Account and Registration Data:  When you register for a DRisk account or sign up for a trial, or when your organization grants you access to the platform as an authorized user, we collect the personal information necessary to set up and manage your account, which may include your full name, email address, job title, company name, phone number and account login credentials.

Billing and Payment Information:  If you or your organization subscribes to a paid DRisk plan, we or our authorized payment processors collect billing details including billing name and address, transaction and subscription details, credit or debit card information, and bank account details. DRisk does not store full payment card numbers on its systems.

Communications:  When you contact DRisk through our website, support channels, or by email, we collect the content of those communications along with your contact information, the nature of your inquiry and any supporting documentation you may provide.

Trial and Demo Requests:  When you register for a free trial or request a product demonstration, we collect contact information, company details and information about your compliance requirements to facilitate that process.

Event and Webinar Registrations:  If you register for a DRisk event, webinar, or educational session, we collect registration and participation information. Where permitted by applicable law, sessions may be recorded, and participants will be notified in advance where recording takes place.

2.2 Information Collected Automatically

When you access the DRisk Website or platform, we and our technology partners automatically collect certain information, including:

Usage Data:  Information about how you interact with the platform, including features accessed, actions taken, session duration, pages viewed and other behavioral data that helps us understand and improve functionality of the product and enhance user experience.

Log Data:  Our servers automatically record information when you access the Website or platform, including your Internet Protocol (IP) address, browser type and version, device and operating system, referring and exit URLs, date and time of access and other diagnostic and performance data.

Device Information:  We collect information about the device you use to access DRisk, including device type, operating system and version, browser configuration, unique device identifiers and crash reports or error logs.

Approximate Location:  We may infer your approximate geographic location from your IP address or business address. We do not collect precise GPS location data.

Cookies and Tracking Technologies:  We use cookies and similar tracking technologies on our website. Please refer to Section 11 (Cookie Policy) for full details on how we use these technologies and your options.

2.3 Information from Third Party Sources

We may receive personal information about you from the following third party sources:

  • Business partners, resellers and referral partners who introduce DRisk to potential customers.

  • Publicly available sources such as professional networks and networking platforms, company websites and business directories, to identify and understand potential customers and business needs.

  • Data enrichment and analytics providers that supplement our existing records with additional professional, demographic or firmographic data.

  • Third party integrations that you or your organization connect to the DRisk platform, such as Jira or Confluence, where those integrations involve the transfer of user identifying information.

DRisk will process such personal data in accordance with applicable data protection laws and, where required, ensure that appropriate legal bases and transparency obligations are satisfied.

2.4 Customer Data Processed on Behalf of Customers

When organizations subscribe to DRisk and upload their compliance data, risk registers, audit evidence, documents and related records to the platform, DRisk processes this Customer Data as a data processor acting on the instructions of the customer as data controller. This Privacy Policy does not govern the processing of Customer Data. Customers should refer to the DRisk Data Processing Agreement and Subscription Agreement for details on how Customer Data is handled.

3.     How We Use Your Information

DRisk uses personal information for the following purposes:

| Purpose of Processing | Legal Basis |
|---|---|
| Account & Identity | Contractual Necessity |
| Billing | Contractual Necessity / Legal Obligation |
| Platform Security | Legitimate Interest |
| Product Improvement | Legitimate Interest |
| Direct Marketing | Consent / Legitimate Interest |
| Legal Compliance | Legal Obligation |

3.1 Providing and Operating the Platform

  • To create and manage your account and provide you with access to the DRisk platform.

  • To process subscription orders, manage billing and administer your account.

  • To deliver the features and services you use within the platform.

  • To authenticate your identity and maintain the security of your account.

3.2 Customer Support and Communications

  • To respond to your inquiries, support requests and feedback.

  • To send you service related communications including account notifications, security alerts, product and system updates and administrative messages. These communications are part of the service and cannot be opted out of while your account is active.

  • To contact you in connection with your trial, onboarding, service related matters or account renewal.

3.3 Product Improvement and Development

  • To analyze how users interact with the platform in order to improve or develop functionality, performance, and usability of the platform.

  • To conduct internal research, user testing, product analytics and product development.

  • To monitor platform performance, diagnose and troubleshoot technical issues and maintain reliability.

3.4 Marketing and Promotional Communications

  • To send you marketing communications about DRisk products, features, updates, events and relevant industry content, where you have opted in or where we have a legitimate interest in doing so.

  • You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at info@driskglobal.com.

  • Opting out of marketing communications does not affect the delivery of transactional or service related messages.

3.5 Security and Fraud Prevention

  • To detect, investigate and prevent fraudulent transactions, unauthorized access, misuse of the platform and other illegal or harmful activity.

  • To enforce our Terms of Service and other applicable policies.

  • To protect the rights, property and safety of DRisk, our customers and others.

3.6 Legal and Regulatory Compliance

  • To comply with applicable laws, regulations, legal processes and enforceable governmental or regulatory requests.

  • To establish, exercise or defend legal claims.

  • To respond to lawful requests from courts, law enforcement authorities or regulatory authorities.

3.7 Legal Bases for Processing (EEA, UK and Switzerland)

Where data protection law requires a legal basis for processing, DRisk relies on the following:

  • Contractual necessity: Processing required to perform our contract with you or your organization, including account management, billing and service delivery.

  • Legitimate interests: Processing necessary for our legitimate business interests, including platform improvement, security, marketing to existing customers and fraud prevention, where such interests are not overridden by your rights.

  • Legal obligation: Processing required to comply with applicable laws, tax obligations and regulatory requirements.

  • Consent: Where we rely on your consent, for example for certain marketing communications or cookies, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

4.     How We Share Your Information

DRisk does not sell your personal information. We may share your personal information in the following circumstances:

4.1 Service Providers and Sub processors

We engage trusted third party service providers to support our business operations and platform delivery. These providers may process personal information on our behalf and are contractually required to ensure appropriate data protection safeguards. Such providers may include:

  • Cloud infrastructure and hosting providers.

  • Payment processors.

  • Customer support and communication platforms.

  • Analytics and performance monitoring tools.

  • Marketing and communication providers and platforms.

A list of DRisk's sub processors is available upon request at info@driskglobal.com.

4.2 Third Party Integrations

Where you or your organization connects a third party tool or service to the DRisk platform (such as Jira, Confluence, etc.), DRisk may exchange information with that service as required to operate the integration. DRisk does not control the privacy practices of third party services. You should review their privacy policies before enabling any integration.

4.3 Corporate Affiliates

DRisk may share personal information with Digital400 (Private) Limited and any related entities for internal business and operational purposes, subject to confidentiality obligations consistent with this Privacy Policy.

4.4 Business Transfers

If DRisk or Digital400 (Private) Limited undergoes a merger, acquisition, asset sale, corporate restructuring, financing or similar transaction, personal information may be transferred as part of that transaction. We will take reasonable steps to ensure that appropriate confidentiality protections are in place and will notify affected individuals where required by applicable law.

4.5 Legal Requirements and Protection of Rights

We may disclose personal information where required to do so by applicable law, court order, or in response to lawful requests from law enforcement or government authorities. We may also disclose information where necessary to protect the rights, property or safety of DRisk, our customers or others, to prevent fraud, or to enforce our agreements and policies.

Where a law enforcement or government authority requests information about a customer, DRisk will, where legally permitted, attempt to direct the authority to request that information directly from the customer and will provide the customer with reasonable notice before disclosing their information.

4.6 Aggregated and De identified Data

DRisk may use and share aggregated or de identified information that cannot reasonably be used to identify you for product development, research, analytics, and business purposes.

5.     Data Retention

DRisk retains personal information for as long as is necessary to fulfil the purposes set out in this Privacy Policy, or as required or permitted by applicable law. The factors we consider when determining retention periods include:

  • The duration of your relationship with DRisk and the active term of your subscription.

  • Legal and regulatory retention requirements.

  • The need to retain information to resolve disputes, enforce agreements or defend legal claims.

  • The nature and sensitivity of the information and the risk associated with unauthorized access or use of data.

When personal information is no longer required, DRisk will securely delete, de identify or anonymize it in accordance with our internal data retention and disposal procedures. Where deletion is not immediately possible (for example, where information is held in backup archives), we will isolate it from further processing until deletion is feasible.

Upon account termination or expiry, DRisk will make Customer Data available for export for a period of thirty (30) days following termination. After this period, Customer Data will be deleted in accordance with our Data Retention Policy unless retention is required by law.

6.     Data Security

DRisk takes the security of your personal information seriously. We implement and maintain administrative, technical and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration and destruction. Our security measures include:

  • Encryption: All data transmitted through the platform is encrypted using industry standard encryption protocols. Customer data and sensitive personal information stored on our systems are also encrypted at rest using encryption algorithms. We use AES 256 encryption at rest and TLS encryption in transit.

  • Access Control: Role based access controls and least privilege access policies limit access to personal information to authorized personnel only.

  • Multi factor authentication: We require multi factor authentication for users accessing the platform to add an additional layer of security.

  • Security Testing: Regular internal and independent security testing and vulnerability assessments are carried out to identify and mitigate potential security threats.

  • Incident Response: DRisk maintains a comprehensive security incident detection and response procedure to identify, investigate, and respond to security breaches.

  • Employee Training: We provide regular security awareness training for our employees and enforce strict confidentiality obligations to minimize human risk.

DRisk's platform is designed to be used for compliance management, and we hold ourselves to the same security standards we have helped our customers achieve. DRisk maintains its own information security program aligned with ISO 27001 principles.

Security Incident Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, DRisk will notify you and any applicable regulatory authority in accordance with our obligations under applicable data protection law. If you believe your personal information has been compromised, please contact us immediately at info@driskglobal.com.

7.     International Data Transfers

DRisk is operated by Digital400 (Private) Limited, based in Sri Lanka. If you are accessing our platform from the European Economic Area (EEA), United Kingdom, Switzerland, or any other jurisdiction that imposes restrictions on cross border data transfers, please be aware that your personal data may be transferred to and processed in countries outside your jurisdiction, including Sri Lanka. These countries may not provide the same level of data protection as your home jurisdiction.

In the event of such data transfers, DRisk is committed to ensuring that your personal information remains protected in accordance with applicable data protection laws. We implement appropriate safeguards to mitigate any risks associated with such transfers. These safeguards include, but are not limited to, the use of Standard Contractual Clauses (SCCs), or other legally recognized mechanisms, to ensure that your personal data is processed securely and in compliance with data protection regulations.

We take your privacy seriously and are dedicated to safeguarding your personal data across all jurisdictions. If you have any questions or concerns about the international transfer of your personal information, or if you wish to learn more about the safeguards we apply, please do not hesitate to contact us at info@driskglobal.com.

8.     Your Privacy Rights

Depending on your location and applicable data protection law, you may have the following rights with respect to your personal information:

8.1 Rights Available to All Users

  • Right to access: You may request a copy of the personal information DRisk holds about you, subject to certain exceptions.

  • Right to correct: You may request that we correct inaccurate or incomplete personal information.

  • Right to deletion: You may request that we delete your personal information, subject to our legal obligations and legitimate business needs to retain certain information.

  • Right to object to marketing: You may opt out of marketing communications at any time.

8.2 Additional Rights for EEA, UK and Swiss Residents

  • Right to restriction: You may request that we restrict the processing of your personal information in certain circumstances.

  • Right to data portability: Where processing is based on your consent or a contract, you may request a copy of your personal information in a structured, machine readable format.

  • Right to object: You may object to processing based on legitimate interests where you believe your rights and freedoms override those interests.

  • Right to withdraw consent: Where we rely on consent for processing, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have processed your personal information in breach of applicable law.

8.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • The right to know: You have the right to request the categories and specific pieces of personal information DRisk has collected about you, as well as the purposes for which the information was used.

  • The right to delete: You may request that we delete personal information that we have collected from you, subject to certain exceptions.

  • The right to correct: You may request that we correct any inaccurate or incomplete personal information we hold about you.

  • The right to opt out of the sale or sharing: DRisk does not sell personal information. However, if we engage in certain sharing activities under the CCPA/CPRA framework, you can opt out.

  • The right to limit: You may request restrictions on the use of sensitive personal information.

  • Right to Non Discrimination: We will not discriminate against you for exercising your rights under the CCPA/CPRA.

8.4 How to Exercise Your Rights

To exercise any of your privacy rights, please submit a request to:

Subject Line: Privacy Rights Request

We will respond to your request within three (3) days, unless verification is required for a complex request. We will not discriminate against you for exercising your privacy rights.

9.     Third Party Services and Integrations

The DRisk platform supports integrations with third party tools and services including Jira, Confluence, Microsoft Azure Active Directory, etc. When you enable these integrations, the third party provider may have access to certain information required to operate the connection.

DRisk does not control and is not responsible for the privacy practices of these third party services. You should review the privacy policies and terms of each third party service before enabling an integration. DRisk's responsibility is limited to the information it processes within its own platform.

Our website may also contain links to third party websites. These links are provided for your convenience and do not represent endorsement. DRisk is not responsible for the privacy practices of any linked websites and encourages you to review the privacy policies of these websites independently.

10. Children’s Privacy

The DRisk platform and Website are not intended for individuals under the age of 18, and we do not knowingly collect personal information from minors.

  • Children Under 13: In line with international data protection standards, we do not knowingly collect or process personal information from children under the age of 13 without verifiable parental or guardian consent. If such data is identified, we will take immediate steps to delete it.

  • Unintentional Data Collection: If you believe that a child under 18 has provided us with personal information, or that we have inadvertently collected such information, please contact us at info@driskglobal.com. We will promptly investigate and remove the data from our systems.

  • Parental and Guardian Rights: Parents or legal guardians who believe their child has submitted personal information may request access to, or deletion of, that information by contacting us at the email above.

11. Cookies Policy and Tracking Technologies

DRisk uses cookies and similar tracking technologies on our website to enable core functionality, analyze website usage, and support marketing and analytics activities. The types of cookies we use are:

  • Strictly Necessary Cookies: These cookies are essential for the Website and platform to function properly. They enable core features such as security, network management, and accessibility. Disabling them may impact the performance and functionality of the Website.

  • Analytics Cookies: These cookies help us understand how visitors use our Website by collecting information such as pages visited, time spent on the site, and any errors encountered. This data is aggregated and used to improve the overall user experience.

  • Functional Cookies: These cookies allow the Website to remember your preferences and settings (such as language or region) to provide a more personalized experience on future visits.

  • Marketing Cookies: These cookies are used to deliver relevant advertisements and measure the effectiveness of marketing campaigns. They are only activated if you have provided your consent.

You can manage your cookie preferences through the cookie consent banner on our website or through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website. For detailed information on the specific cookies we use, please refer to our Cookie Policy.

12. Changes to This Privacy Policy

DRisk may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or for other legitimate business reasons. When we make changes, we will update the effective date at the top of this document.

If we make material changes that significantly affect your privacy rights, we will provide additional notice, such as by posting a prominent notice on our website, sending an email to the address associated with your account, or both. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Your continued use of the DRisk platform or Website following the posting of changes constitutes your acknowledgment of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the platform and contact us to close your account.

13. Contact Us

If you have any questions, concerns or requests regarding this Privacy Policy or the way DRisk handles your personal information, please contact us:

Privacy Contact

Email: info@driskglobal.com

Product: DRisk (http://driskglobal.com)

Operator: Digital400 (Private) Limited

For data subject requests, complaints or any privacy related enquiry, please email info@driskglobal.com with the subject line "Privacy Request" and we will respond within 5 working days.

Legal Notice

This document has been prepared for DRisk by Digital400 (Private) Limited. It is intended as a working draft and should be reviewed by qualified legal counsel before publication to ensure it accurately reflects DRisk's specific data processing activities, applicable legal obligations and jurisdiction specific requirements.