Security & privacy
Rightlander is a data processor for regulated businesses. We take our obligations seriously and aim to be transparent about the measures in place to protect your data and ours.
Security overview
The Rightlander platform is hosted on AWS infrastructure within the EU and UK regions. All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Our application layer undergoes periodic penetration testing by an independent third party, and findings are triaged and remediated against an internal risk-severity schedule.
Our security posture is reviewed by our leadership team on a quarterly basis, with a formal risk register updated at each review cycle. We do not make certification claims we have not earned.
Network-level controls include WAF protection provided by Cloudflare, DDoS mitigation and rate limiting at the edge. Internal access to production systems requires multi-factor authentication and is subject to a least-privilege policy. All access events are logged and retained for a minimum of 12 months.
Application-level secrets are stored in a dedicated secrets manager and rotated on a defined schedule. No production credentials are embedded in source code.
Data protection (GDPR, UK GDPR)
Rightlander Limited is registered as a data controller with the Information Commissioner’s Office (ICO) in the United Kingdom. Where we process personal data on behalf of customers, we act as a data processor and operate under a written Data Processing Agreement (DPA). Our standard DPA is available on the DPA page.
We process only the personal data necessary to deliver the contracted service. Data subjects have the right to access, rectify, erase and port their personal data, as well as to object to processing, in accordance with UK GDPR and EU GDPR. Requests should be directed to [email protected].
Where personal data is transferred outside the UK or EU, those transfers are covered by appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) as applicable.
We maintain a Record of Processing Activities (RoPA) as required under Article 30 of UK GDPR. Customers may request a copy of the relevant sections pertaining to their data processing by emailing [email protected].
Access controls
Access to the Rightlander platform is controlled at the account level with role-based permissions. Administrators can restrict user access to specific brands, markets and case queues. Single sign-on (SSO) via SAML 2.0 is available for enterprise accounts, enabling customers to enforce their own identity policies including MFA, session length and device policy.
Internal Rightlander staff access to production data follows a documented access request and approval process. Access is reviewed quarterly and revoked upon role change or departure. All privileged access sessions are logged and subject to audit on request.
Data residency
Platform data is stored in AWS data centres located in the EU (eu-west-1, Ireland) and UK (eu-west-2, London). Customers may specify their preferred primary region at the point of onboarding. Backup copies are retained within the same regional grouping.
Operational and support tooling (such as CRM and ticketing) may process limited metadata outside primary AWS regions. These transfers are governed by the SCCs or IDTA as appropriate and are disclosed in our sub-processors list.
Incident response
Rightlander maintains an incident response plan that covers identification, containment, eradication, recovery and post-incident review. In the event of a confirmed personal data breach, affected customers will be notified without undue delay and, where required, no later than 72 hours after we become aware, in accordance with ICO guidance under UK GDPR.
Incident notifications include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to address the breach. Notifications are sent to the primary account contact and the data protection contact on file.
Security vulnerabilities can be reported to [email protected]. We operate a responsible disclosure policy and aim to acknowledge all reports within two business days.
Vendor management
All third-party vendors with access to personal data are subject to a due diligence review before engagement. Reviews cover data protection practice, security controls and contractual compliance. Material sub-processors are listed on our sub-processors page and customers subscribed to change notifications are informed at least 30 days before a new sub-processor is added.
Vendor relationships are reviewed annually. Where a vendor cannot demonstrate adequate standards, the relationship is terminated or constrained to data-flow patterns that do not expose personal data.
Legal documents
The following legal and policy documents are available to customers and prospective customers. If you have questions about any of these documents, contact [email protected].