Risk Management Policy
Redhorse Technologies Private Limited
Version 1.1 • Effective March 11, 2026
Introduction
This Risk Management Policy defines how Redhorse Technologies Private Limited identifies, assesses, manages, and monitors information security risks associated with React Native Stallion. Effective risk management is fundamental to maintaining the security, reliability, and trustworthiness of our services.
We adopt a risk-based approach that balances comprehensive protection with operational efficiency. This policy reflects our commitment to identifying and addressing risks proactively while maintaining the agility needed to operate as a small, remote-first technology company.
Scope
This policy applies to cloud-hosted infrastructure and supporting systems, applications and development environments, customer and operational data, third-party service providers, authorized personnel, and business processes supporting Stallion services.
Risk Management Framework
We adopt a risk-based approach to information security that consists of five key phases: risk identification, risk assessment, risk evaluation, risk treatment, and risk monitoring and review. The Information Security Officer maintains oversight of this process.
Risks may be identified through changes to infrastructure or architecture, introduction of new vendors or services, security incidents, vulnerability discoveries, regulatory changes, management review activities, or business expansion initiatives. All identified risks are recorded in a Risk Register.
Risks are assessed using an Impact × Likelihood model. Impact is evaluated based on potential effect on confidentiality, integrity, availability, legal or regulatory exposure, reputational impact, and financial impact. Impact levels are categorized as Low, Medium, or High.
Likelihood reflects the probability of a risk event occurring and is also categorized as Low, Medium, or High. The overall risk rating is determined by combining Impact and Likelihood using a defined matrix. High-impact and high-likelihood risks receive priority treatment.
For each identified risk, one of the following treatment options is selected: mitigate (implement controls to reduce risk), accept (accept the risk within defined tolerance levels), transfer (transfer risk through contractual or insurance mechanisms), or avoid (eliminate the activity causing the risk). High-risk items require review and approval by the Directors.
Risk Register and Governance
The Information Security Officer maintains a Risk Register that includes risk description, affected assets or processes, impact rating, likelihood rating, overall risk rating, treatment decision, responsible party, and status.
The Risk Register is reviewed at least annually, upon significant infrastructure, architectural, or regulatory change, and following major security incidents.
The Information Security Officer is responsible for maintaining and updating the Risk Register, coordinating risk assessments, and tracking remediation efforts. The Directors review significant risks, approve acceptance of high risks, and provide oversight of risk management activities.
Continuous Monitoring
Risk management is an ongoing process. Risks are reassessed when new services or modules are introduced, infrastructure changes occur, new vendors are onboarded, security incidents occur, or regulatory or contractual requirements change.
Third-Party Risk Management
Redhorse Technologies manages third-party risk through a structured vendor risk management process. We perform documented risk assessments prior to onboarding any vendor that will process, store, or access Company or customer data. Vendor security posture is reviewed before onboarding, including evaluation of security certifications, compliance reports, or publicly available security documentation where applicable.
Vendors are classified based on risk level (critical, high, medium, low). Access to systems and data is limited based on business necessity and least privilege. Written agreements defining security and confidentiality obligations are executed before granting access to sensitive data.
Critical and high-risk vendors are reviewed at least annually, while medium-risk vendors are reviewed at least once every 24 months. Vendor reviews include reassessment of security posture and contractual compliance. Vendor risk assessments are updated upon significant service changes or known security incidents.
We rely on reputable third-party service providers for cloud infrastructure (AWS), analytics (Google BigQuery), content delivery and security (Cloudflare), and payment processing (Razorpay, PayPal, Stripe). All vendors are evaluated for their security practices and business continuity capabilities.
Policy Review and Updates
This policy is reviewed periodically and updated when necessary to reflect changes in our systems, risk landscape, or regulatory obligations. Reviews are conducted at least annually or upon significant operational, technical, or regulatory change.
Related Documents
- Information Security Policy
- Business Continuity Plan
- Privacy Policy
- Data Retention Policy
- Service Level Agreement
Contact Us
If you have questions regarding this policy or our risk management practices, please contact us at:
support@stalliontech.io