Compliance features
Built into the architecture, not bolted on as an afterthought.
No personal data retention
Verification results are stateless. Personal data is never written to disk, cached, or persisted at any point in the verification flow.
Pseudonymised audit logs
All verification decisions are logged with pseudonymised identifiers only, meeting GDPR Article 32 requirements for auditability without data exposure.
Right to be forgotten
Because no personal data is retained, data subject erasure requests are trivially satisfied. There is nothing to delete.
Data Processing Agreements
Enterprise deployments can request a full Data Processing Agreement (DPA) covering AffixIO's role as data processor under GDPR Article 28.
Encrypted transmission
All data in transit uses TLS 1.3. No plaintext personal data is ever transmitted or processed outside of the secure verification context.
Implementation
AffixIO's stateless architecture means the platform does not act as a data controller for personal data in the conventional sense. Each verification is transient:
- ✓ No data persistence: Personal identifiers are evaluated in memory for the duration of the API call and immediately discarded. No database writes occur.
- ✓ Encrypted channels: All communication uses TLS 1.3 with certificate pinning options available for enterprise integrations.
- ✓ Pseudonymised audit trails: Logs reference pseudonymous transaction identifiers. Personal data is never present in log records.
- ✓ Consent management compatible: AffixIO integrates with external consent management platforms, allowing merchants to gate verification on recorded consent.
- ✓ Transparent processing records: Merchants receive full decision logs for their own records, enabling them to respond to subject access requests from their customers.
Deploy with confidence under GDPR
Get API access to AffixIO's GDPR-compliant verification infrastructure. Enterprise DPAs available on request.