Compliance & Security
Data Protection Standards
How KryptoX safeguards customer data: principles, classification, access controls, encryption, retention, cross-border transfers, vendor oversight, and incident response.
Principles
Alignment: GDPR; CCPA/CPRA; RBA (AML/KYC).
- Lawfulness, fairness, transparency: notice at collection; purpose specification.
- Data minimization: collect only what’s required to deliver services & compliance.
- Accuracy: verification and periodic refresh where required.
- Storage limitation: retention schedules by data category and jurisdiction.
- Integrity & confidentiality: encryption, RBAC, audit logs, least privilege.
Data Classification
| Class | Examples | Controls (minimum) |
|---|---|---|
| Restricted | Government IDs, liveness selfies, bank details, UBO docs | At-rest & in-transit encryption; strict RBAC; audit logs; need-to-know; extra DLP |
| Confidential | Customer profiles, invoices, ledgers, webhook payloads | Encryption; RBAC; monitoring; retention policy; secure exports |
| Internal | Product analytics (aggregated), runbooks, configs | Access by role; source control; change management |
| Public | Marketing site content, docs published by KryptoX | Review/approval prior to publication |
Access Controls
- RBAC & least privilege: access granted per role and tenant; reviewed quarterly.
- MFA: required for privileged roles and back-office access.
- Segregation of duties: approvals required for production data access.
- Audit trails: immutable logs for access, changes, and exports.
Encryption & Key Management
- Transport: TLS for all external & internal endpoints.
- At rest: encryption for databases, storage, backups.
- Secrets: stored in a managed secret vault; rotation policy.
- Keys: managed KMS/HSM service; scoped IAM policies.
- Backups: encrypted, integrity-checked, tested restores.
- Exports: signed downloads; time-bound links; watermarking where applicable.
Retention & Minimization
Retention periods vary by jurisdiction and contract. Illustrative baseline:
| Data Category | Baseline Retention | Notes |
|---|---|---|
| KYC/KYB evidence | 5–10 years post-relationship | AML/financial regulation dependent |
| Transaction & settlement records | 7–10 years | Accounting & audit requirements |
| Support tickets & logs | 1–3 years | Security & quality purposes |
| Marketing analytics (aggregated) | 12–24 months | Only aggregated/anonymous metrics kept |
- Automated deletion for expired records; documented exceptions with approval.
- Data minimization at collection; purpose limitation enforced by design.
International Transfers
- Preferred regional hosting; transfers limited to service operation needs.
- Transfer mechanisms may include Standard Contractual Clauses (SCCs) or equivalent where applicable.
- Sub-processor list available upon request; change notifications provided in advance.
Vendors & Data Processing Agreements
- Due diligence for privacy, security, and resilience prior to onboarding vendors.
- DPAs covering roles, purposes, security measures, and sub-processing.
- Annual reviews of critical vendors; remediation tracking for findings.
Artifacts (e.g., security summaries) available under NDA.
Incident Response
- Runbooks defining detection, triage, containment, eradication, and recovery.
- Notification workflows for customers and authorities when required by law or contract.
- Post-incident reviews and corrective actions tracked to completion.
Data Subject Requests
- Supported rights: access, correction, deletion, portability (subject to legal obligations).
- Identity verification required before fulfilling requests.
- Response SLAs aligned to applicable regulations.