Because confidential data is used during a risk analysis, the statement below has been drawn up.


To secure this website, I have used my more than 30 years of programming experience, my 25 years of experience in computer security and my 15 years of experience as a penetration tester, security consultant and information security officer.

The texts entered for a BIA, actor list or a risk analysis are stored encrypted in the database using AES-256-GCM. The password is used as the encryption key.

To develop RAFIS, I used my own open source Banshee PHP framework. It's a framework with a focus on security and simplicity.

I hereby give everyone permission to perform a penetration test on this website. However, performing stress tests (DoS attacks) and the use of automated scan tools that fill my log files are not appreciated.


Short term: As far as the uptime guarantee is concerned, I do not offer more than what my VPS provider offers. In addition, I offer a best-effort guarantee as far as my free time allows.

Long term: This website arose from my personal interest in (ICT) security and risk analysis. As long as I am sufficiently interested in this (as it seems now, it always will be), this website will remain available. In addition, the website will remain available as long as it is being used.

Accounts that have not been logged into for 180 days will be automatically deleted. You will be notified via email 10, 20 and 30 days before an account is deleted. Accounts in which no cases have been created within 14 days of creation will be deleted without notice.


Data will not be shared with third parties under any circumstances. I myself have no (commercial) interest in offering this website and do this solely from my conviction of the good of free knowledge sharing and my interest in information security. RAFIS is a private project and therefore in no way connected with my employer.

The only information I request from a user account is the last login date to see if an account is still being used. This is fully automated. I am the only one with administrative rights within the website, the underlying database and the underlying server (VPS).

The basis for the processing of the personal data necessary for the creation of an account is the 'performance of a contract', as referred to in GDPR Article 6 (1) b. It is not the purpose of RAFIS to process any other personal data. The owner of a RAFIS account is responsible for any personal data entered in the risk analysis. As the owner of the RAFIS website, I am only the processor for that data.

The website and web server collect IP addresses in log files for the sole purpose of enabling me to take action in the event of errors or problems with the website or in case of hacking attempts. This website runs on a private server, so old log data is only deleted at random times. In practice this is a few times a year. The basis for this processing is the 'legitimate interest' as referred to in GDPR Article 6 (1) f, as indicated in GDPR recital 49.

Hugo Leisink