Information and data protection

This policy declares the way Risk Flow s.r.o. approaches protection of your data. It supplements the Terms and Conditions and the Privacy Policy.

Risk Flow s.r.o. (hereinafter referred to as "Risk Flow" or "we") provides services and products (hereinafter referred to as "products", "services" or "platform") that are intended for professionals, companies and other organizations (hereinafter referred to as "clients" or "you"). Therefore, you use the Products and Services for your business or other operational needs and for storing various business and personal information.

---

I. Statement on the security and protection of your data

1. As a platform provider, we are aware of the importance of the security and privacy of you and your data, which is why protecting it is of top importance to us. We feel fully committed to this.

2. We keep your data safe and protect it from various security threats.

3. Your privacy is a priority for us. We fundamentally treat your data and the data of your users in an ethical manner, so we do not trade with them or share them with any third parties, which would be in violation of the personal data protection policy.

II. How your data is protected

The data stored in Risk Flow is secured by several layers of protection. The system works as a web application built on a three-layer architecture that separates the server with the application, the database and the user environment that is launched from the web browser.

1. Security and data protection in the application

• 1.1. Each client with its own virtual machine has its own database, which ensures data privacy and thus creates a secure environment isolated from the outside world and from the environment of other clients.
• 1.2. Only your users and clients to whom you grant access can log into your environment.
• 1.3. User access is protected by authentication using a username and password. Users have an option of using multi-factor authentication.
• 1.4. Each user must set a strong password before entering the system (according to the set password policy).
• 1.5. You must protect login data on users' devices against their misuse or theft.
• 1.6. Passwords are hashed so that no one can get them except the user to whom the password belongs. Only the user and the administrator can change the password, neither we nor anyone else has access to user passwords.
• 1.7. In case of loss or threat, the user can reset the password. The user also receives information about his activities in his email, so even in the event of a password leak, he can learn about someone else's activity inside the product.
• 1.8. Passwords are hashed and cannot be recovered.
• 1.9. Access rights of individual users to data are defined using roles.
• 1.10. Roles limit the user's access to data (including personal data).
• 1.11. You or your administrator are responsible for the scope of permissions assigned to users.

2. Security and protection of data transmission

• 2.1. Data transmission between the server and the user's device is encrypted using TLS 1.2+.

3. Security and protection of data storage

• 3.1. All data is stored in the database on the servers, the users' devices only display the data. No data is stored on the users' devices. In case of loss of the computer or phone, you will not lose any data.
• 3.2. Přístup ke službám může být chráněn pomocí privátního firemního přístupu a produkty provozované v cloudu tak nemusí být viditelné z běžného internetu (pouze pro plán Enterprise).
• 3.2. Access to services can be protected using private corporate access, and products operating in the cloud may not be visible from the regular Internet (only for the Enterprise plan).
• 3.4. Only professional data centers that ensure a high level of security are used for the cloud.
• 3.5. Due to the architecture of our products, no data center operator can access your data.
• 3.6. Depending on the type of license, we regularly back up your data. We make daily, weekly and bi-weekly backups and keep them for you for 30 days.
• 3.7. Risk Flow offers its services in different data regions, a "data region" is a data center or a set of data centers in a defined geographic region where client data is stored. Client data from Europe, Africa and parts of West Asia are located on storage in the European Economic Area, client data from the Americas region, as well as from the Pacific and other parts of Asia, is located on the data region in the U.S. Customer data is stored at the following data center providers: Akamai Technologies International AG, Grafenauweg 8 , Zug CH-6300, Switzerland

4. Application security - privacy by-design

• 4.1. We try to design system functions from the ground up so that they meet security requirements (Privacy-by-design principle).

5. Definition

• 5.1. "Client", "Customer" or "You" is an entity that has agreed to the terms and conditions and uses our services. You decide on the rights of users and are responsible for their behavior.
• 5.2. A "User" is a specific person who uses a customer account as a specific user of the platform, products or services.
• 5.3. A "Potential Client" is an entity that has expressed interest in one of the services.
• 5.4. A "Visitor" is a person who has visited the website of one of our products or services.