RMS is classified as a Data Processor under the GDPR because we process data on behalf of our clients as a service. This enables us to provide risk quantification for the various models we produce. Our clients are Data Controllers because they have the direct relationship and collect the Personal Data directly from an EU Data Subject.
Even then, RMS only receives a very small subset of Personal Data from our clients, and it is almost entirely related to a physical address or geographic location. However, under the GDPR, this data qualifies as Personal Data because it can be used to indirectly identify a person.
As a Data Processor, we do still have an obligation to protect the client data we receive, which is why we have implemented data protections when receiving client data to build privacy by design into our data handling processes.