Data Protection and Retention Policy
This page reflects the Axora policy suite updated on 30 March 2026. For questions, contact support@axorastack.com or privacy@axorastack.com where applicable.
This Data Protection and Retention Policy (the “Policy”) describes in detail how Axora (“Axora”, “we”, “us”, “our”) collects, processes, stores, retains, and protects the personal and transactional data of Users (“Users”, “you”, “your”) whenever you interact with the Axora Platform and Services.
The Policy establishes a comprehensive, enterprise-wide, risk-based framework for the lawful, fair, and transparent handling of your personal and transactional data throughout its entire lifecycle, in alignment with the General Data Protection Regulation (GDPR), the UK-GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act (CCPA), and all other applicable data protection laws governing our operations across jurisdictions.
As a B2B financial infrastructure platform, Axora primarily functions as a data processor, delivering high-reliability transaction processing, payment gateway services, and compliance-support functions to trusted partners, including Novapayx and Codepulse.
This Policy operates in full integration and complementarity with our Privacy Policy and other related operational procedures, forming a core pillar of the Company's uncompromising commitment to robust data governance, advanced security controls, contractual accountability, and regulatory compliance across all systems, platforms, and operational jurisdictions.
Purpose
Structured And Auditable Data Lifecycle Governance
The fundamental purpose of this Policy is to define and enforce a structured, auditable, scalable, and consistently applied framework that comprehensively governs the protection, processing, retention, and secure disposal of personal and transactional data from the moment of receipt through to final deletion or anonymization.
It ensures that Axora fully satisfies its legal, statutory, contractual, and operational obligations while proactively enabling our clients and partners to achieve and demonstrate compliance with international privacy standards and financial regulatory requirements.
Scope
Universal Applicability Across Data Types And Formats
This Policy applies without exception to all personal and pseudonymized data processed, stored, or transmitted by Axora, irrespective of format, whether digital records, paper documents, cloud-based storage, or hybrid systems.
It extends across all business units, subsidiaries, joint ventures, and operational environments, binding every employee, contractor, and third-party service provider with authorized access to such data.
Inclusion Of Joint And Shared Processing Environments
The Policy explicitly covers transactional, custodial, and compliance-related data processed through shared technological infrastructures, including systems jointly operated with Codepulse, Novapayx, and regulated partners such as Fireblocks, Scorechain, and Sumsub.
All data within these collaborative and interconnected frameworks is subject to the same rigorous protection, retention, deletion, and accountability standards set forth in this Policy, ensuring uniform compliance and seamless governance across multi-party operations.
Data Protection Principles
Mandatory And Non-Negotiable Core Principles
Axora embeds the following internationally recognized data protection principles into every processing activity, with zero tolerance for deviation:
Lawfulness, Fairness, and Transparency: All processing must be grounded in a valid legal basis, conducted fairly, and supported by clear, accessible, and honest communication with data subjects.
Purpose Limitation: Data shall be collected and processed only for specified, explicit, and legitimate purposes and not used incompatibly without a new lawful basis.
Data Minimisation: Only data that is adequate, relevant, and strictly necessary for the defined purpose shall be processed.
Accuracy: Personal and transactional data must be accurate, complete, and kept up to date, with timely mechanisms for correction or erasure of inaccuracies.
Storage Limitation: Data shall be retained in identifiable form only for as long as strictly necessary to fulfill its purpose.
Integrity and Confidentiality: Robust technical and organizational measures must protect data against unauthorized access, alteration, loss, or destruction.
Accountability: Axora shall maintain full documentation and be able to demonstrate compliance with all principles through policies, audits, and records.
Roles And Responsibilities
Data Protection Officer (DPO)
The DPO is the central authority for overseeing, coordinating, and enforcing compliance with all data protection laws and this Policy.
Key duties include policy implementation, risk assessments, audit execution, regulatory liaison, and data subject rights management.
Chief Technology Officer (CTO)
The CTO bears full accountability for ensuring that all infrastructure, encryption systems, access controls, and technical safeguards are designed, deployed, and maintained in full compliance with applicable security standards and regulatory requirements.
Money Laundering Reporting Officer (MLRO)
The MLRO ensures complete alignment between AML/CFT record-keeping obligations and privacy-compliant retention practices.
This includes supervising transaction audit trails, approving retention exceptions, and coordinating compliance reporting.
All Personnel With Data Access Responsibilities
Every individual, internal or external, with access to personal or transactional data is personally accountable for strict adherence to this Policy.
All such personnel must complete mandatory induction and annual training in privacy, security, retention, and incident response protocols.
Data Classification And Processing Role
Risk-Based Data Classification Framework
Axora applies a tiered classification system based on data sensitivity and operational impact, listed here from most to least sensitive:
Confidential Data: Client credentials, transaction identifiers, cryptographic keys, AML/KYC verification documents.
Restricted Data: Internal system logs, API access credentials, processor-to-controller communications.
Public Data: Explicitly approved materials such as public API documentation and marketing collateral.
Axora As A Compliant And Accountable Data Processor
Axora processes personal data exclusively under the written, documented instructions of its clients and partners acting as data controllers, including Novapayx.
All sub-processors are bound by comprehensive written agreements that mandate equivalent protection standards, with regular due diligence, performance audits, and contractual enforcement mechanisms in place.
Data Retention
Retention Schedule Governance And Documentation
Retention periods are precisely defined based on contractual terms, AML/CFT mandates, and applicable legal frameworks.
A centralized internal Retention Schedule is actively maintained and validated through the Compliance Gap Assessment Report.
Detailed Retention Periods By Data Category
KYC/AML Verification Data: Retained for 8 to 10 years after account closure or final transaction, per EU AML directives and Polish AML legislation.
Transaction and Payment Records: Preserved for 10 years post-completion to support audit trails, reconciliation, and regulatory reporting.
External Transaction Proofs: Screenshots, API logs, blockchain explorer records, or other digital evidence uploaded by tenants from external platforms (e.g., crypto exchanges, wallet providers, payment processors) to substantiate the release, transfer, or receipt of cryptocurrency or fiat funds are classified as official transaction records. These External Transaction Proofs must be retained for a minimum of 5 years and up to 10 years from the date of upload or transaction completion, whichever is later, to satisfy Anti-Money Laundering (AML), Counter-Financing of Terrorism (CFT), financial recordkeeping, and applicable regulatory examination requirements across all operating jurisdictions. Such records are subject to the same encryption, access control, and secure disposal standards as all other transactional data under this Policy.
Client Contracts and Processor Agreements: Retained for the full engagement duration plus 6 years to evidence compliance with the processor obligations of Article 28 GDPR.
Incident Response and Breach Records: Kept for 5 years post-resolution for regulatory evidence and lessons learned.
Support Tickets and Communications: Preserved for 2 years from last interaction for service continuity and dispute resolution.
Marketing or Product Communication Data: Held only until consent is withdrawn, or for a maximum of 24 months of inactivity, whichever comes first.
Legal Holds And Mandatory Preservation
In cases of legal mandates, regulatory investigations, or ongoing litigation, data will be securely preserved until the obligation fully expires or the matter is officially closed.
Secure Storage And Access Controls
Encryption And Jurisdiction-Compliant Hosting
All personal data is stored in encrypted environments. Where data is hosted or processed outside the European Economic Area, including in the United States, appropriate cross-border transfer mechanisms are applied as set out in the Cross-Border Data Transfers section of this Policy and our Privacy Policy.
Strict Access Governance Framework
Access is enforced through role-based access control (RBAC), multi-factor authentication (MFA), and real-time access logging with tamper-evident audit trails.
Backup, Recovery, And Infrastructure Assurance
Encrypted backups are stored in isolated, access-controlled environments and automatically purged upon retention expiry.
All sub-processors and infrastructure providers must maintain ISO/IEC 27001 certification or a demonstrably equivalent recognized security standard, evidenced at the time of onboarding and reviewed on a periodic basis.
Deletion, Disposal, And Immutable Ledger Data
Secure, Verifiable Deletion And Disposal
At retention expiry, data is permanently deleted or irreversibly anonymized using industry-standard methods.
Digital erasure employs cryptographic erasure (destruction of the data encryption keys) together with multi-pass logical overwriting where the storage medium supports it; on flash-based and cloud storage, where overwriting cannot be verified, key destruction is the controlling method.
Physical destruction is performed via certified, audited disposal services with destruction certificates issued.
Compliant Handling Of Immutable Ledger Data
Blockchain-based immutable records must be pseudonymized prior to submission to any distributed ledger, such that the on-chain record does not by itself constitute identifiable personal data. Because a pseudonym remains linkable for as long as Axora holds the pseudonymization key and its lookup index, those off-chain artefacts are subject to the retention and cryptographic erasure rules of this Policy, so that on-chain records become permanently unlinkable at retention expiry. Such records are logically isolated from operational systems, and access to them is strictly limited to compliance verification purposes and prohibited for profiling, marketing, or non-essential use.
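The following is an added example written for this page; it is not Axora's code and does not describe Axora's actual systems. It shows, in one runnable script, the three technical controls named above and in the Secure Storage section: keyed pseudonymization of a direct identifier before a record is written to a ledger, a hash-chained append-only store standing in for both the distributed ledger and a tamper-evident audit trail, and cryptographic erasure of the pseudonymization key so that on-chain tokens become unlinkable. It also shows why an unkeyed hash is not pseudonymization. The event, the field names, the class names and the use of HMAC-SHA256 are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample input (not real customer data): one compliance verification event.
SAMPLE_EVENT = {
    "customer_email": "alice@example.com",  # direct identifier: must never reach the ledger
    "amount_eur": "1250.00",
    "kyc_result": "verified",
}
DIRECT_IDENTIFIERS = ("customer_email",)  # assumed list of fields that identify a person


class PseudonymVault:
    """Off-chain key holder: issues keyed pseudonyms and can be crypto-shredded."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)
        self._index: dict[str, str] = {}  # pseudonym -> identifier, never leaves this system

    def pseudonymize(self, identifier: str) -> str:
        # HMAC with a secret key: without the key the token cannot be recomputed or enumerated.
        if self._key is None:
            raise RuntimeError("vault key destroyed; cannot issue pseudonyms")
        token = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        self._index[token] = identifier
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Re-identification is possible only while the key and index exist."""
        return None if self._key is None else self._index.get(token)

    def shred(self) -> None:
        """Cryptographic erasure at retention expiry: destroy key and lookup index."""
        self._key = None
        self._index.clear()


class HashChainedLedger:
    """Append-only stand-in for a distributed ledger or tamper-evident audit trail:
    each entry commits to the previous entry's hash, so any edit breaks the chain."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry_hash = self._digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "entry_hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def submit_event(vault: PseudonymVault, ledger: HashChainedLedger, event: dict) -> dict:
    """Replace every direct identifier with a keyed pseudonym before the record
    leaves the operational system; returns the record actually written."""
    record = dict(event)
    for field in DIRECT_IDENTIFIERS:
        if field in record:
            record[field] = vault.pseudonymize(record[field])
    ledger.append(record)
    return record


def leaks_identifier(ledger: HashChainedLedger, identifier: str) -> bool:
    """Control check: the plaintext identifier must not appear anywhere on the ledger."""
    return any(identifier in json.dumps(e["record"]) for e in ledger.entries)


def unkeyed_token(identifier: str) -> str:
    """The weak alternative: a bare SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reidentify_unkeyed(token: str, candidates: list[str]) -> Optional[str]:
    """Bare hashes are reversible by enumeration over any plausible candidate list,
    which is why they do not count as pseudonymization here."""
    return next((c for c in candidates if unkeyed_token(c) == token), None)


if __name__ == "__main__":
    vault, ledger = PseudonymVault(), HashChainedLedger()
    written = submit_event(vault, ledger, SAMPLE_EVENT)
    print("on-chain record:", written, "chain ok:", ledger.verify())
    vault.shred()
    print("linkable after shred:", vault.resolve(written["customer_email"]))
```

Running the script writes a record whose `customer_email` is a 64-character hex token, verifies the chain, then shreds the vault so the token can no longer be resolved. Editing any stored record in place makes `verify()` return False, which is the property a tamper-evident access trail relies on; in a real deployment the chain head would additionally be anchored somewhere the log writer cannot modify.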
Vendor And Sub-Processor Record-Keeping
End-To-End Vendor Lifecycle Documentation
Axora maintains complete, version-controlled records of vendor and sub-processor due diligence, onboarding, contract execution, and ongoing performance assessments.
Records are retained for the full relationship duration plus a minimum of 6 years post-termination.
Contractual and Operational Safeguards: All sub-processor agreements include mandatory Article 28(3) GDPR-compliant clauses, breach notification obligations, audit rights, and continuous security oversight requirements.
Cross-Border Data Transfers
Approved and Audited Transfer Mechanisms
Transfers Outside The European Economic Area Are Executed Solely Via
Standard Contractual Clauses (SCCs);
UK International Data Transfer Addendum to the SCCs, for transfers from the UK; or
European Commission adequacy decisions.
Global Data Flow Integrity: All international data movements, including through payment gateways and liquidity networks, are subject to equivalent protection, contractual enforcement, and pre-transfer risk assessments.
Data Breach And Incident Records
Comprehensive Incident Documentation And Retention
All breaches, near-misses, and data loss events are fully documented under the Data Breach Response Policy.
Logs are retained for 5 years post-resolution, including notification records, root cause analysis, remediation actions, and regulatory correspondence.
Monitoring, Review And Training
Proactive And Event-Driven Policy Governance
This Policy is reviewed at least biannually and immediately upon any material legal, technical, or operational change.
The DPO and MLRO jointly lead reviews to ensure full integration of privacy and AML/CFT requirements.
Tiered And Mandatory Training Program
All personnel complete induction training and annual refreshers on data handling, retention, disposal, and incident response.
Training records are centrally tracked and audited to evidence compliance across all personnel.
Enforcement
Progressive And Firm Enforcement Measures
Non-Compliance May Trigger
Disciplinary proceedings;
Contract termination; or
Reporting to supervisory authorities.
Continuous Audit and Assurance: Axora conducts regular internal and third-party audits to verify and enforce adherence to all data protection obligations.
Contact Us
Email - privacy@axorastack.com