Risk Management Policy

Redhorse Technologies Private Limited

Version 1.0 • Effective March 15, 2025

Introduction

This Risk Management and Third-Party Risk Management Policy defines how Redhorse Technologies Private Limited identifies, assesses, manages, and monitors risks to its business operations, systems, and customer data. Effective risk management is fundamental to maintaining the security, reliability, and trustworthiness of our services.

This policy supports our Information Security and Privacy programs and reflects a pragmatic, risk-based approach appropriate for a growing technology company. We balance comprehensive risk coverage with operational efficiency, ensuring that our risk management practices scale with our business.

Scope

This policy applies to all personnel associated with Redhorse Technologies Private Limited, including employees, founders, contractors, consultants, and temporary staff. It governs all business operations, systems, applications, infrastructure, and data assets under our management.

The policy also extends to all third-party vendors, service providers, and partners that access, process, or store Redhorse data or integrate with our systems. Third-party risk management is an integral component of our overall risk management framework.

Risk Management Approach

Redhorse Technologies employs a structured, risk-based approach to identifying and managing threats to our operations and customer data.

Risks are systematically identified during key activities including system design and architecture reviews, infrastructure changes and deployments, vendor evaluations and onboarding processes, operational modifications, and regular security assessments. We maintain awareness of emerging threats and incorporate new risk factors as they become relevant to our environment.

Each identified risk is evaluated based on its likelihood of occurrence and potential impact across multiple dimensions, including confidentiality, integrity, availability, financial consequences, regulatory implications, and reputational effects. This evaluation enables us to prioritize risks and allocate mitigation resources effectively.

Where risks exceed acceptable thresholds, proportionate mitigation measures are implemented. For risks that fall within acceptable bounds after mitigation, residual risk is formally documented and accepted by management. All risk assessments are reviewed periodically and whenever significant changes occur to our systems, operations, or threat landscape.

Risk Ownership and Governance

Executive management holds ultimate responsibility for risk management at Redhorse Technologies. Management establishes the organization's risk tolerance, approves risk management policies, and ensures adequate resources are allocated to risk mitigation activities.

The Founder and Technical Lead serves as the designated risk owner for operational and technical risks, responsible for identifying and assessing risks across the technology environment, developing and implementing risk mitigation plans, recommending risk acceptance decisions to management, and maintaining the risk register and related documentation.

Risk-related decisions are documented and maintained as part of our governance records. Significant risk decisions, including acceptance of material residual risks, require management approval and are reviewed periodically to ensure continued appropriateness.

Risk Categories

Redhorse Technologies considers multiple categories of risk in our assessment and management activities.

Information Security Risks encompass threats to the confidentiality, integrity, and availability of data and systems. This includes risks such as unauthorized access, data breaches, malware, and insider threats. Our Information Security Policy provides detailed controls for managing these risks.

Operational Risks relate to potential disruptions to business operations and service delivery. This includes system outages, deployment failures, capacity constraints, and process breakdowns. Our Business Continuity Plan addresses our approach to maintaining operations during disruptions.

Third-Party Risks arise from our reliance on external vendors, service providers, and partners. These risks include vendor security weaknesses, service disruptions, data handling concerns, and dependency on critical suppliers.

Compliance and Legal Risks involve potential violations of laws, regulations, or contractual obligations. This includes data protection requirements, industry standards, and customer contractual commitments.

Business Continuity Risks relate to events that could significantly disrupt our ability to deliver services, including natural disasters, infrastructure failures, and pandemic events.

Third-Party Risk Management

Redhorse Technologies relies on third-party service providers for cloud infrastructure, development tooling, content delivery, and payment processing. We recognize that third-party relationships introduce risks that must be actively managed.

Our third-party risk management program includes comprehensive vendor evaluation and ongoing monitoring. Before engaging new vendors, we assess their security posture, data handling practices, compliance certifications, business stability, and alignment with our requirements. Evaluation rigor is scaled based on the sensitivity of data accessed and the criticality of services provided.

We prefer vendors with established security practices, recognized industry certifications, and demonstrated commitment to protecting customer data. All third-party access is limited to the minimum required for legitimate business purposes, and access is reviewed periodically to ensure continued appropriateness.

High-risk vendors, particularly those with access to sensitive customer data or providing critical infrastructure services, are subject to enhanced scrutiny and more frequent reassessment. We maintain awareness of vendor security incidents and respond appropriately when our vendors experience events that may affect our environment.

Payment Processing

Payment processing for Redhorse Technologies services is handled exclusively by PCI DSS-compliant providers including Razorpay, PayPal, and Paddle.

Redhorse Technologies does not store, process, or transmit payment card data directly. All payment transactions are handled entirely by our payment processing partners, and cardholder data never enters our systems or infrastructure.

This architecture significantly reduces our exposure to payment-related security risks and ensures that PCI DSS compliance responsibilities remain with the specialized payment processors who are equipped to maintain the rigorous controls required for handling financial data.

Risk Mitigation Strategies

When risks exceed acceptable thresholds, we implement appropriate mitigation strategies. Our mitigation approach employs multiple layers of controls.

Technical Controls include encryption of data in transit and at rest, access restrictions based on least privilege principles, multi-factor authentication for sensitive systems, continuous monitoring and alerting, automated security scanning, and network segmentation.

Process Controls encompass code review and approval workflows, change management procedures, segregation of development and production environments, regular security training and awareness, and documented operational procedures.

Vendor and Contractual Safeguards include security requirements in vendor agreements, data protection clauses, service level commitments, and right-to-audit provisions where appropriate.

Risk mitigation strategies are reviewed periodically and updated as our technology environment evolves, new threats emerge, or business requirements change.

Incident and Exception Handling

When a risk materializes into an actual security incident, our Incident Response Plan is activated. The incident response process includes immediate containment and mitigation activities, management notification and escalation as appropriate, thorough investigation to determine root cause and scope, remediation actions to address identified vulnerabilities, and post-incident review to capture lessons learned.

Lessons learned from incidents are incorporated into our risk assessment process, informing updates to risk ratings, mitigation strategies, and control implementations.

Risk exceptions may be granted when business requirements necessitate temporary deviation from standard controls. All exceptions require documented justification, compensating controls where feasible, management approval, defined expiration dates, and periodic review to ensure continued necessity.

Policy Review and Updates

This Risk Management Policy is reviewed at least annually or upon significant changes to our business operations, systems, infrastructure, regulatory environment, or risk landscape. Reviews incorporate lessons learned from incidents, changes in the threat environment, and evolving best practices.

Updates are approved by management and communicated to all relevant personnel. Material changes to our risk management approach are reflected in updates to this policy and related documentation.

Related Documents

Contact Us

If you have questions about our Risk Management Policy or require additional information for your compliance or vendor assessment purposes, please contact us.