Rik.aiRik.ai← Back to home

Legal

Trust Center

Rik Technologies · Last Updated: [Date] · Last Reviewed: [Date] · Version 1.0

Welcome to the Rik.ai Trust Center. This page is our commitment to transparency regarding how we protect your data, secure our systems, and responsibly develop AI. We believe that trust is earned through demonstrable action, not just statements.

Rik.ai is built for organisations that rely on data to make critical business decisions. Security and privacy are not afterthoughts – they are foundational principles embedded into our platform architecture, development lifecycle, and operational practices.

This Trust Center applies to both our marketing website (rikai.tech) and our product platform (customer.rikai.tech and survey.rikai.tech), unless otherwise specified.

1. Security

We take a layered, defence-in-depth approach to security, protecting data at the infrastructure, application, and operational levels.

1.1 Infrastructure Security.

(a)Cloud Hosting: Our platform is hosted on secure, accredited cloud infrastructure providers located in approved jurisdictions (currently in India, Singapore) that maintain industry-standard certifications for physical and network security.

(b)Network Protections: We implement firewalls, intrusion detection and prevention systems (IDPS), distributed denial-of-service (DDoS) mitigation, and network segmentation to limit attack surfaces.

(c)Data Centres: Our cloud providers maintain state-of-the-art data centres with redundant power, climate control, 24/7 monitoring, biometric access controls, and video surveillance.

(d)Encryption in Transit: All data transmitted between users and our platform is encrypted using TLS 1.2 or higher (HTTPS). We enforce secure connections (HSTS) and disable obsolete protocols.

(e)Encryption at Rest: Sensitive data categories (including mobile numbers, transcripts, facial expression scores, and UPI IDs) are encrypted at rest using AES-256-GCM, a strong industry-standard encryption algorithm. Non-sensitive data is encrypted at the storage volume level.

1.2 Application Security.

(a)Secure Development Lifecycle: We follow a secure software development lifecycle (SDLC) that includes threat modelling, static code analysis, dynamic scanning, and peer reviews before any code is deployed to production.

(b)Authentication and Session Management: We use JSON Web Tokens (JWT) stored in HTTP-only, SameSite=Strict cookies to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Session timeouts are enforced across all portals based on user role and risk profile.

(c)Password Security: Passwords are securely hashed using industry-standard cryptographic techniques and are never stored in plaintext. We also screen passwords against known breached password databases using a privacy-preserving method (k-anonymity) — your full password never leaves your device.

(d)Rate Limiting and Brute Force Protection: We implement rate limiting, account protection mechanisms, and anomaly detection controls on sensitive operations (including login, registration, OTP requests, and UPI verification) to mitigate brute-force attacks, credential stuffing, and other abusive activity.

(e)Input Validation and Sanitisation: We validate and sanitise all user inputs to prevent injection attacks (SQL injection, command injection, cross-site scripting).

(f)API Security: Our APIs require authentication, enforce least-privilege access controls, and are protected against parameter tampering and replay attacks.

(g)Security Headers: We implement security headers including Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options (DENY), and Referrer-Policy to mitigate common web vulnerabilities.

(h)Audit Logging: We maintain comprehensive audit logs of authentication events, data access, administrative actions, and security-relevant events.

1.3 Operational Security.

(a)Access Control: Access to production systems is restricted to authorised personnel based on the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access.

(b)Vendor Risk Management: We conduct due diligence on all third-party service providers before engagement. Each provider signs a data processing agreement that mandates compliance with applicable data protection laws and security standards.

(c)Incident Response: We maintain a documented incident response plan that includes detection, containment, eradication, recovery, and notification procedures. We periodically review and test our response readiness.

(d)Business Continuity and Disaster Recovery: We maintain backups and have documented recovery procedures to ensure platform availability and data integrity in the event of a system failure or disaster.

(e)Regular Security Assessments: We periodically assess our systems for security vulnerabilities through a combination of automated and manual review processes and engage independent professionals for security assessments. Remediation is prioritised based on risk severity.

(f)Employee Training: All employees receive mandatory security and privacy training. Developers receive additional training on secure coding practices.

1.4 Current Certifications and Roadmap.

Rik.ai intends to pursue recognised security certifications, including ISO 27001 and SOC 2, as the organisation matures and customer requirements evolve. In the interim, we operate under industry-standard security practices as described above.

2. Privacy

2.1 Our Privacy Principles.

(a)Data Minimisation: We collect only the personal data that is necessary for the specific purpose for which it is processed.

(b)Purpose Limitation: We use personal data only for the purposes disclosed at the time of collection, or for purposes that are compatible with those original purposes.

(c)Transparency: We provide clear, accessible, and understandable privacy notices (Privacy Policies) for each of our portals – marketing website, customer portal, and participant portal.

(d)User Control: You have rights to access, correct, delete, and withdraw consent for your personal data. We provide mechanisms to exercise these rights.

(e)Data Security: We implement strong technical and organisational measures to protect personal data.

2.2 Data Processing Roles (Under DPDP Act 2023).

Portal / ContextData FiduciaryData Processor (if any)
Marketing Website (rikai.tech)Rik TechnologiesResend (email), HubSpot (CRM)
Customer Portal (customer.rikai.tech) – Portal User dataRik TechnologiesNeon (database), Resend (email)
Customer Portal – Customer Data (Survey configurations, etc.)Customer (the business customer)Rik Technologies (as Service Provider)
Participant Portal (survey.rikai.tech) – Participant DataRik TechnologiesGoogle Cloud Platform, Anthropic, ElevenLabs, Resend, Neon, MSG91

2.3 Data Collection and Use Summaries.

Marketing Website

Name, email, company, phone, demo preferences. Used to respond to enquiries and send demo confirmations. Retention: up to 2 years.

Customer Portal (Portal Users)

Name, work email, company, role, authentication logs. Used to provide platform access and manage accounts. Retention: until account closure + 90 days.

Participant Portal (Participants)

Name, mobile, email, demographics, survey responses, transcripts, voice recordings (transient), facial expression scores (video surveys). Used to conduct surveys, generate aggregate research reports, and disburse payouts. Retention: transcripts 90 days, payout records 7 years, account data until deletion + 30 days.

2.4 Data Subject Rights.

We respect the rights of Data Principals under the DPDP Act 2023:

(a)Right to access your personal data;

(b)Right to correction of inaccurate data;

(c)Right to deletion (subject to legal retention requirements);

(d)Right to withdraw consent;

(e)Right to grievance redressal;

(f)Right to nominate a representative.

To exercise these rights, please contact our Grievance Officer: Partha Roy, Founder & Grievance Officer at contact@rikai.tech.

2.5 Third-Party Sub-processors.

The following reflects the major sub-processors currently engaged by Rik.ai to operate our platform. Each is bound by a data processing agreement, and this list is maintained and updated as changes occur.

Sub-processorPurposeData ProcessedLocation
Neon (PostgreSQL hosting)Database hostingAll stored data (encrypted at rest)AWS ap-southeast-1 (Singapore)
Anthropic (Claude)AI interviewer; aggregate report generation; "Ask Rishi" analyticsAnonymised transcript segments; Portal User queriesUSA
Google Cloud PlatformSpeech-to-text; sentiment analysis; facial expression analysis; text-to-speech; file storageAudio (transient), transcript text, still frames (transient)USA / global
ResendTransactional email deliveryEmail address, name, email contentUSA
MSG91WhatsApp / SMS notificationsPhone number, notification contentIndia
ElevenLabsAI voice (English)Agent response text onlyUSA
HubSpotCRM for marketing leadsName, email, company, phone, demo preferencesUSA

2.6 International Data Transfers.

Some of our sub-processors are located outside India (primarily the United States). When personal data is transferred outside India, we rely on:

Standard Contractual Clauses (SCCs) or equivalent data processing agreements;
Adequacy determinations issued by the Government of India (once notified); and
Your explicit consent (where required).

We take steps to ensure that any cross-border data transfer provides an adequate level of protection comparable to that required under the DPDP Act.

2.7 Data Retention.

Different categories of data are retained for different periods:

Participant session transcripts: 90 days
Raw video frames: deleted immediately after analysis
Participant account data: until deletion + 30-day cooling period
Payout records: 7 years (legal obligation)
Audit logs: 180 days
Customer Data (Survey configs): until account closure + 90 days
Aggregate Reports: indefinitely (anonymised, no personal data)
Marketing website enquiry data: up to 2 years

3. Responsible AI

Rik.ai uses artificial intelligence (including large language models, natural language processing, computer vision, and sentiment analysis) to conduct and analyse qualitative research interviews. We design our AI systems with care, transparency, and human oversight.

3.1 Our AI Principles.

(a)Human-Centred Design: AI interactions are structured to encourage honest, voluntary, and thoughtful responses from participants. AI does not make decisions about participants (e.g., payout eligibility) without human review where needed.

(b)Transparency: We clearly communicate when an AI is being used. Participants are informed before any interview that they will be interacting with an AI interviewer. Customers are informed that reports are AI-generated.

(c)Accuracy and Limitations: We acknowledge that AI-generated outputs may contain inaccuracies, omissions, biases, or analytical artefacts. We do not present AI outputs as infallible or as a substitute for human judgment.

(d)Data Privacy: AI processing uses participant data only for the purposes of conducting the specific survey and generating research insights. Customer Data and Participant Data processed through third-party AI services are used solely to provide the requested functionality and are not provided for the purpose of training Anthropic's foundation models. We do not use Customer Data to train proprietary or third-party foundation models unless expressly authorised in writing by the Customer.

(e)Human Oversight: Critical decisions (e.g., fraud review for referrals, disputed session quality) involve human review. Customers are advised to review AI-generated insights alongside human judgment.

3.2 AI Features.

(a)AI Interviewer (Multiple Personas): Our AI agents (Jal – Empathy, Vayu – Discovery, Agni – Insight, Prithvi – Clarity, Aakash – Reflection) conduct structured interviews, ask follow-up questions based on participant responses, and adapt conversation flow.

(b)Sentiment Analysis: We use Google Cloud Natural Language API to compute sentiment scores (positive, neutral, negative) from participant transcripts.

(c)Facial Expression Analysis (video surveys only, with explicit consent): We use Google Cloud Vision API to derive engagement-related analytical metrics. Raw frames are deleted immediately after analysis.

(d)Automated Theme Extraction: The AI identifies recurring themes, patterns, and anomalies across participant responses.

(e)"Ask Rishi" (Customer Portal): Customers can ask natural language questions about their survey data, and the AI provides answers based on aggregate, anonymised data.

(f)Aggregate Report Generation: The AI generates executive summaries, key findings, and strategic recommendations from survey data.

3.3 AI Limitations and Disclaimers.

(a)AI-generated outputs may not be complete, accurate, or suitable for every purpose.

(b)The AI may reflect biases present in its training data. We take reasonable steps to mitigate bias but cannot guarantee bias-free outputs.

(c)Rik.ai does not provide legal, financial, medical, investment, or professional advice through any AI feature. Customers and participants should consult qualified professionals for such advice.

(d)AI is not a substitute for human judgment, especially in high-stakes decisions.

3.4 Participant Consent for AI.

Before any survey, participants are informed that they will be interacting with an AI interviewer.
For video surveys, participants must provide explicit, per-survey consent for facial expression analysis.
Participants can withdraw consent for facial analysis at any time before a session is finalised, without affecting their ability to complete non-video surveys. Withdrawal takes effect for any session that has not yet been finalised.

4. Compliance and Governance

4.1 Regulatory Framework.

Rik.ai aligns its practices with:

(a)Digital Personal Data Protection Act, 2023 (DPDP Act) – India's comprehensive data protection law;

(b)Information Technology Act, 2000 (and associated rules, including the SPDI Rules);

(c)Industry standards for security and data protection (ISO 27001, SOC 2 – in progress);

(d)Emerging AI governance frameworks and best practices.

4.2 Legal Basis for Processing.

We process personal data only on valid legal grounds under the DPDP Act:

Consent (explicit, informed, free, specific, unambiguous)
Contractual necessity (for providing services to participants and customers)
Legitimate interest (for security, fraud prevention, and platform improvement)
Legal obligation (for tax, audit, and regulatory compliance)

4.3 Grievance Redressal.

We have appointed a Grievance Officer as required under the DPDP Act and IT Rules:

Partha Roy, Founder & Grievance Officer

Email: contact@rikai.tech
Response Time: We aim to acknowledge grievances within 7 days and resolve them as promptly as practicable, generally within 30 days.

If you are not satisfied with our resolution, you may escalate to the Data Protection Board of India once constituted.

4.4 Third-Party Assessments.

We engage independent security and privacy professionals to conduct assessments, audits, and penetration tests periodically. While we are not currently certified, we have implemented a range of security, privacy, and governance controls designed to support future certification efforts.

5. Platform Availability and Service Levels

5.1The Rik.ai platform is designed for high availability, resilience, and continuity of service. We maintain operational procedures, monitoring, backup, and recovery processes intended to support reliable platform performance. Scheduled maintenance may occasionally be required to maintain, improve, or secure the platform, and we will use reasonable efforts to provide advance notice where practicable.

Specific service availability commitments, uptime targets, maintenance windows, and service credits (if applicable) may be agreed separately with enterprise customers under a written Service Level Agreement (SLA) or Statement of Work.

6. Responsible Disclosure and Bug Bounty

We take security vulnerabilities seriously. If you discover a security vulnerability in any Rik.ai system, please report it to us immediately at security@rikai.tech. We will use reasonable efforts to acknowledge your report promptly and work with you to investigate and remediate the issue. We do not currently operate a public bug bounty program but will consider reports in good faith.

7. Contact Us

For security, privacy, compliance, or AI-related questions, or to report a concern:

Rik Technologies

Email: privacy@rikai.tech
Website: https://rikai.tech

We will use reasonable efforts to acknowledge and address communications in a timely manner.

© 2026 Rik Technologies. All rights reserved.
Trust CenterPrivacy PolicyTerms of Service