Data processing and storage
1. Hosting and storage location
All data is processed and stored within the European Union. Specifically:
- Application hosting: Vercel, Frankfurt (EU) region
- Database: AWS RDS PostgreSQL, Frankfurt (EU) region. All account, product and audit data is stored here.
- File storage: AWS S3, Frankfurt (EU) region. Documents uploaded by the user (e.g. data protection or DSFA documents) are stored in this repository.
2. Data collected and purposes of processing
2.1 Account: Email address, name, password (stored in encrypted form), optional profile picture, language setting, MFA data (TOTP or telephone number), billing details (company, address, postcode, town, country, VAT number)
Purpose: Account creation, authentication, security, billing
2.2 Product: Teams, members, AI systems and associated assessment data, risk assessments, audit trail, incident reports, token balances and purchase history (including Stripe session IDs)
Purpose: Provision of the compliance service, traceability, payment processing.
2.3 Files: Documents uploaded by the user (e.g. data protection documents)
Purpose: Storage in AWS S3, linking to the recorded AI systems
2.4 Sessions: Session data and, where applicable, OAuth provider data
Purpose: Maintenance of login status and access security
Processing is carried out for the fulfilment of the contract, to comply with legal obligations and on the basis of legitimate interests (e.g. security, fraud prevention, service improvement).
3. Data processors (sub-processors)
The following service providers process data on behalf of oxethica:
- Vercel – Application hosting, location: Frankfurt (EU)
- AWS – Database operation (RDS, Frankfurt) and file storage (S3, EU). Both services are located within the EU.
- Stripe – Payment processing. Stripe may process data in the USA and other regions. Only data necessary for payment is transmitted (e.g. session and purchase metadata). Stripe’s Terms of Service and Privacy Policy apply.
All providers have appropriate safeguards in place; where necessary, standard contractual clauses or equivalent mechanisms are used for international data transfers.
4. Retention and deletion
Active accounts: Data is retained for the duration of the account’s existence and in accordance with the stated purposes.
Account deletion: Upon deletion of the account, personal data is anonymised. Email addresses, names and other identifiable fields are replaced with anonymous placeholders; sessions and linked OAuth accounts are removed. It is no longer possible to log in again using the same email address. For compliance and audit purposes, individual data records (e.g. audit log entries, AI system and incident data) may retain anonymised user references; it is therefore no longer possible to identify the data subject.
Files: Files uploaded to AWS S3 are linked to the use of the service and will be handled in accordance with this policy when content is removed or the account is anonymised.
5. Data subject rights
Users residing in the EEA or the United Kingdom have the following rights vis-à-vis oxethica as the data controller:
- Access – Requesting a copy of the stored personal data
- Rectification – Correction of inaccurate data
- Erasure – Requesting the erasure of data (implemented through account deletion and anonymisation in accordance with Section 4)
- Restriction – Limiting data processing in certain cases
- Data portability – Receipt of data in a structured, machine-readable format, where applicable
- Objection – Objection to processing based on legitimate interests
- Withdrawal of consent – where processing is based on consent
- Complaint – Submission of a complaint to the competent data protection supervisory authority
To exercise these rights or if you have any questions regarding this annex, please contact info@oxethica.com or viahttps://www.oxethica.com.