Data Subject Rights Procedure
This page reflects the Axora policy suite updated on 30 March 2026. For questions, contact support@axorastack.com or privacy@axorastack.com where applicable.
This Data Subject Rights Procedure (the “Procedure”) sets out how Axora (“Axora”, “we”, “us”, “our”) receives, authenticates, routes, coordinates, and executes every Data Subject Request (DSR) submitted by Data Subjects (“Data Subjects”, “you”, “your”) seeking to exercise personal data rights in relation to data processed through the Axora Platform and Infrastructure Services.
The Procedure establishes a risk-based, auditable governance and operational framework designed to ensure timely and demonstrable support for the exercise of individual data-protection rights in conformity with the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act (CCPA), and analogous statutes, regulations, and supervisory expectations in jurisdictions where Axora operates or provides infrastructure services.
As a data processor and technical infrastructure provider, Axora processes personal data exclusively under the documented instructions of its controllers, principally Novapayx, Codepulse, and regulated banking or custody partners, and maintains accountability through this Procedure, contractual safeguards, technical controls, and continuous compliance monitoring.
This Procedure forms an integral component of Axora's compliance architecture and is to be read consistently with the Privacy Policy and related operational procedures, ensuring end-to-end traceability and regulatory alignment across the privacy, financial compliance, and operational resilience domains.
Purpose
Establishment Of A Unified, Scalable, And Legally Robust DSR Fulfillment Framework
The principal purpose of this Procedure is to define, implement, enforce, and continuously improve a transparent, auditable, and legally robust process that enables Axora to:
Receive, authenticate, route, coordinate, and execute all Data Subject Requests (DSRs) in coordination with the relevant controller and in line with contractual obligations under the Data Processing Agreement (DPA);
Provide timely, accurate, and verifiable support to controllers in meeting statutory response deadlines under GDPR, PIPEDA, CCPA, and other applicable laws;
Clearly delineate and operationalize Axora's internal technical, organizational, and compliance responsibilities when assisting controllers in DSR fulfillment, including data discovery, secure extraction, modification, restriction, and deletion;
Provide authoritative, mandatory guidance to all employees, contractors, and sub-processors on recognizing, escalating, documenting, and handling DSRs in a compliant, secure, and auditable manner;
Integrate privacy-rights management with statutory AML/CFT record-keeping mandates, retention controls, risk monitoring, fraud detection, audit trails, and operational continuity protocols, so that any conflict between data-subject rights and financial regulatory obligations is identified, documented, and resolved rather than overlooked.
Scope
Universal And Unqualified Applicability Across All Processing Environments And Data Types
This Procedure applies, without exception, to every item of personal or pseudonymized data that Axora collects, processes, stores, transmits, replicates, or otherwise handles in any medium, format, or environment, including but not limited to:
Payment-processing and transaction-settlement systems;
Shared liquidity, custody, and blockchain-based ledgers operated jointly with Codepulse or banking partners;
Compliance, KYC, AML verification, and sanctions-screening platforms;
Logging, telemetry, system monitoring, and forensic audit systems used for infrastructure integrity, security, and performance analysis;
Backup, archival, disaster recovery, and business continuity environments.
Mandatory And Binding Compliance For All Personnel, Partners, And Sub-Processors
It binds every employee, contractor, consultant, vendor, service provider, and third-party processor who handles, accesses, or contributes to the management of personal data under Axora's direct control, supervision, or contractual delegation.
Whenever Axora receives a DSR directly from an individual, it shall inform the relevant controller via a secure, encrypted channel within the timeframes set out under DSR Intake And Notification Mechanisms below, and act only upon the controller's explicit written instruction, except where applicable law or a supervisory order expressly obliges Axora to respond independently (in which case the DPO and Legal Counsel shall be engaged immediately).
Legal Framework And Recognized Rights
Full, Controller-Facilitated Support For All Data-Subject Rights: Axora fully supports, through its controllers, contractual obligations, and technical capabilities, the exercise of the following core data-subject rights in a secure, auditable, and compliant manner:
Right Of Access
You are entitled to obtain prompt confirmation as to whether your personal data is being processed;
Where processing is confirmed, you may receive a complete, structured copy of all such data;
You will be provided with comprehensive supplementary information, including processing purposes, data categories, recipients, retention periods, source, automated decision-making, and available rights.
Right To Rectification: You have the right to correct inaccurate or incomplete personal data without undue delay, with propagation to all relevant systems and sub-processors.
Right To Erasure (“Right To Be Forgotten”): You May Request Permanent Erasure When
Data is no longer necessary for the purposes for which it was collected;
Consent is withdrawn;
Processing is unlawful;
Erasure is legally required.
Erasure remains subject to mandatory statutory retention obligations (e.g., AML/CFT, tax, audit); where such obligations apply, the data is retained under the restricted-access controls described under Erasure And Restriction Requests below rather than deleted.
Right To Restriction Of Processing: You May Request Temporary Suspension During
Accuracy disputes;
Legality challenges;
Pending objections;
Legal claims.
Right To Data Portability
Receive data in a structured, commonly used, machine-readable format (CSV, JSON, XML);
Request direct transmission to another controller where technically feasible.
Right To Object: Object to processing based on legitimate interests, public tasks, profiling, or analytics (including an absolute right to object to processing for direct marketing).
Right Not To Be Subject To Automated Decision-Making: Request human intervention, express your views, and contest decisions that produce legal or similarly significant effects.
Right To Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right To Lodge A Complaint: Contact the controller's DPO or the relevant supervisory authority.
Controller As Primary Interface And Axora As Technical Executor: Controllers remain the primary point of contact for data subjects; Axora acts exclusively as a technical implementing partner, executing controller instructions with precision, auditability, and security.
DSR Intake And Notification Mechanisms
Controller-Directed Intake With Immediate, Secure Escalation
All DSRs must be directed to the controller's official, published contact channel.
If Axora Receives A DSR Directly (Via Email, Support Ticket, Or Other Means)
It shall log the request within two (2) business days in the Data Subject Request Register with a unique tracking ID;
It shall notify the controller's Data Protection Officer within three (3) business days via encrypted, authenticated channel;
It shall suspend all further action until written, signed authorization is received from the controller.
Regulatory, Supervisory, and Law Enforcement Requests: Requests from regulators, supervisory authorities, or law enforcement are immediately escalated to Axora's DPO and Legal Counsel, who coordinate directly with the controller and ensure full documentation of compliance.
Identity Verification
Controller-Led Verification With Processor Technical Assistance
Identity verification is primarily the responsibility of the controller.
Where Axora Is Required To Assist, Verification Is Conducted Using
Account-level authentication tokens or session validation;
Cross-referencing unique transaction IDs, user hashes, or KYC reference numbers;
MFA confirmation via pre-registered secure channels (authenticator app or hardware token; SMS only where no stronger factor is registered).
Secure Handling and Immediate Disposal of Verification Materials: Any supporting identification materials (e.g., ID scans) are:
Stored in encrypted, access-restricted containers;
Used solely for verification;
Permanently deleted upon completion of verification or DSR closure, whichever occurs first.
Timelines For Response
Internal Performance Standards Supporting Full Statutory Compliance: Axora supports controllers in meeting the GDPR response period of one month from receipt (extendable by up to two further months for complex or numerous requests under Article 12(3) GDPR), and the corresponding periods under PIPEDA and CCPA, through the following internal timelines:
Acknowledgment to controller: Within five (5) business days of receipt;
Technical output delivery (export, deletion, restriction): Within twenty-one (21) calendar days of validated, authorized request;
Complex, multi-system, or multi-partner DSRs: Full execution within sixty (60) calendar days, with written extension notice and detailed justification provided to the controller.
Documentation and Escalation of Delays: Any delay due to third-party custodians, legal holds, system outages, or data volume is fully documented in the DSR Register with:
Root cause analysis;
Mitigation steps;
Revised timeline.
Where a DSR is submitted to Axora in its capacity as a data controller (for example, by an employee, vendor, or direct B2B contact whose personal data Axora processes for its own operational purposes), Axora shall:
Log the request within two (2) business days in the Data Subject Request Register with a unique tracking ID;
Acknowledge receipt to the data subject within five (5) business days; and
Respond fully within thirty (30) days of receipt, consistent with the timelines set out above in this section, without requiring referral to an external controller.
Internal Workflow And Accountability
Structured, Sequential, Timestamped, and Chain-of-Custody Secured DSR Lifecycle: Every DSR is processed through a mandatory, fully documented, and auditable workflow designed to ensure consistency, compliance, and traceability at every stage:
Registration & Categorization: Upon receipt, the DPO immediately assigns a unique reference ID, classifies the request type (access, erasure, rectification, etc.), identifies the controller, and logs the jurisdiction and initial receipt timestamp.
Controller Notification & Instruction: The DPO notifies the controller's designated contact via secure, encrypted channel and obtains formal written instructions, including scope, action required, and timeline.
Data Discovery & Mapping: IT and Operations conduct comprehensive, system-wide searches across all environments (databases, ledgers, KYC platforms, backups, logs) using automated tools and manual validation to compile a complete data inventory.
Legal & Compliance Assessment: The Head of Regulatory Compliance and Compliance Team evaluate conflicts with AML/CFT, tax, audit, or litigation holds and provide a written legal opinion on applicable exceptions.
Execution of Action: Technical teams export, rectify, restrict, or delete data using secure, auditable tools, with pre- and post-execution checksums to verify integrity.
Validation & Quality Assurance: The DPO performs an independent review of completeness, accuracy, legal compliance, and data security, approving the output only upon full satisfaction.
Controller Confirmation & Reporting: A detailed completion report, including actions taken, systems affected, evidence of execution, and audit logs, is sent securely to the controller.
Archival & Closure: The full case file is encrypted, versioned, and archived in the compliance vault for five (5) years, with access restricted to authorized personnel.
Specific Processing Scenarios
Access And Portability Requests
Data exports are generated using secure, version-controlled extraction scripts directly from production or archival systems, ensuring data freshness and integrity.
The export format is determined by controller preference (CSV, JSON, XML), with metadata headers for clarity.
Exports exclude cryptographic keys, API credentials, multi-tenant metadata, proprietary risk algorithms, and third-party data to protect business confidentiality and other data subjects.
All exports are encrypted with AES-256 in an authenticated mode (e.g., AES-256-GCM), digitally signed so that the controller can verify origin and integrity before decrypting, and transmitted via SFTP or controller-managed VPN tunnels.
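The following Go program is an added example of the export packaging described above; it is not Axora's code. The record is filtered against an assumed list of excluded field names, wrapped with metadata headers, encrypted with AES-256-GCM under a per-DSR key (the header is bound to the ciphertext as additional authenticated data), and signed with Ed25519; the controller-side routine verifies the signature before attempting decryption. The field names, DSR identifier, controller name and sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Field names that never leave the platform in a subject export. The names are
// assumed for this example; the Procedure lists categories, not fields.
var excludedFields = map[string]bool{
	"api_key":           true, // API credentials
	"hmac_secret":       true, // cryptographic keys
	"tenant_shard":      true, // multi-tenant metadata
	"risk_score_inputs": true, // proprietary risk-model internals
}

// ExportPackage is what reaches the controller: a clear-text metadata header
// (also used as GCM additional data), the nonce, the AES-256-GCM ciphertext and
// an Ed25519 signature over header+nonce+ciphertext.
type ExportPackage struct {
	Header     map[string]string `json:"header"`
	Nonce      []byte            `json:"nonce"`
	Ciphertext []byte            `json:"ciphertext"`
	Signature  []byte            `json:"signature"`
}

// signedBytes is the exact byte string the signature covers.
func signedBytes(aad, nonce, ct []byte) []byte {
	msg := make([]byte, 0, len(aad)+len(nonce)+len(ct))
	msg = append(msg, aad...)
	msg = append(msg, nonce...)
	return append(msg, ct...)
}

// BuildExport filters the raw record, adds metadata headers, encrypts with a
// 32-byte per-DSR key and signs the result with Axora's signing key.
func BuildExport(raw map[string]any, dsrID, controller string, key []byte, signer ed25519.PrivateKey) (*ExportPackage, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	data := make(map[string]any, len(raw))
	for k, v := range raw {
		if !excludedFields[k] {
			data[k] = v
		}
	}
	header := map[string]string{
		"dsr_id": dsrID, "controller": controller, "format": "json",
		"cipher": "AES-256-GCM", "generated_at": time.Now().UTC().Format(time.RFC3339),
	}
	plaintext, err := json.Marshal(map[string]any{"metadata": header, "data": data})
	if err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(header) // map keys are emitted sorted, so this is canonical
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	sig := ed25519.Sign(signer, signedBytes(aad, nonce, ct))
	return &ExportPackage{Header: header, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// OpenExport is the controller-side check: the signature is verified first, so a
// tampered or mis-routed package is rejected before any decryption is attempted.
func OpenExport(pkg *ExportPackage, key []byte, pub ed25519.PublicKey) (map[string]any, error) {
	aad, _ := json.Marshal(pkg.Header)
	if !ed25519.Verify(pub, signedBytes(aad, pkg.Nonce, pkg.Ciphertext), pkg.Signature) {
		return nil, errors.New("export signature invalid: reject package")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt/authenticate failed: %w", err)
	}
	var out map[string]any
	return out, json.Unmarshal(plaintext, &out)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key)
	// Constructed sample record; the values are invented for this example.
	raw := map[string]any{"email": "alice@example.com", "kyc_ref": "KYC-1001", "api_key": "sk_live_redacted"}
	pkg, err := BuildExport(raw, "DSR-2026-0042", "Novapayx", key, priv)
	if err != nil {
		panic(err)
	}
	out, err := OpenExport(pkg, key, pub)
	fmt.Println(out["data"], err) // api_key is absent from the delivered data
}
```

Signing the ciphertext rather than the plaintext lets the controller reject a package that fails verification without ever handling the data, and binding the header as additional authenticated data means the DSR identifier and controller name cannot be swapped onto another package without invalidating the GCM tag.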
Rectification Requests
Upon controller instruction, Axora's Systems Team updates master records and all downstream replicas within twenty-four (24) hours, using transactional consistency to prevent data drift.
A differential audit log captures before-and-after values, timestamps, and operator ID.
If data has propagated to sub-processors, Axora issues formal rectification requests and tracks confirmation of completion within five (5) business days.
Erasure And Restriction Requests: When Erasure Is Approved
Active database entries are deleted and, where the storage medium supports it, securely overwritten; on SSD-backed or encrypted volumes, where overwriting gives no assurance, cryptographic erasure (destruction of the relevant key) is used instead;
Backups are flagged for cryptographic erasure during the next rotation cycle;
Logs and indices containing identifiers are tokenized with a keyed hash (HMAC) rather than a plain hash, so that the original identifier cannot be recovered by hashing a list of known subjects.
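As an added example (not part of the Procedure or Axora's tooling), the following Go program tokenizes identifiers in constructed sample log lines with HMAC-SHA256 under a controller-scoped key, and contrasts this with an unkeyed SHA-256 re-hash, which anyone holding a candidate list of subjects (for instance the customer records still held under AML retention) can reverse by trial. The identifier formats (e-mail addresses and usr_<digits> user IDs), the log lines and the key are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Identifier formats this example recognises (assumed: e-mail addresses and
// platform user IDs of the form usr_<digits>).
var (
	emailRe  = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	userIDRe = regexp.MustCompile(`\busr_[0-9]+\b`)
)

// Token derives a stable pseudonym for an identifier with HMAC-SHA256 under a
// controller-scoped key. Equal identifiers give equal tokens, so security
// monitoring can still correlate events across lines, but without the key the
// identifier can be neither reversed nor confirmed by guessing.
func Token(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(id))))
	return "tok_" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// TokenizeLine replaces every recognised identifier in one log line.
func TokenizeLine(key []byte, line string) string {
	line = emailRe.ReplaceAllStringFunc(line, func(m string) string { return Token(key, m) })
	return userIDRe.ReplaceAllStringFunc(line, func(m string) string { return Token(key, m) })
}

// PlainHash is the unkeyed "re-hash" approach, shown only for contrast.
func PlainHash(id string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(id)))
	return hex.EncodeToString(sum[:])
}

// GuessPlainHash shows why an unkeyed hash is not erasure: with a candidate
// list, the subject behind a hashed log line is confirmed by recomputation.
// Returns "" when no candidate matches.
func GuessPlainHash(digest string, candidates []string) string {
	for _, c := range candidates {
		if PlainHash(c) == digest {
			return c
		}
	}
	return ""
}

// Constructed sample lines for this example; not real telemetry.
var sampleLog = []string{
	"2026-03-30T10:01:12Z INFO login_ok user=usr_48213 email=alice@example.com ip=203.0.113.7",
	"2026-03-30T10:02:45Z WARN kyc_retry user=usr_48213 doc=passport",
	"2026-03-30T10:03:01Z INFO settlement user=usr_99001 email=bob@example.net amount=120.00",
}

func main() {
	key := []byte("controller-scoped-tokenisation-key") // example key only
	for _, l := range sampleLog {
		fmt.Println(TokenizeLine(key, l))
	}
	// Unkeyed hashing is reversible with a candidate list; keyed tokens are not.
	fmt.Println(GuessPlainHash(PlainHash("alice@example.com"),
		[]string{"bob@example.net", "alice@example.com"}))
}
```

Because the token is keyed, destroying the controller-scoped key (or a per-subject key, where one is used) is itself a cryptographic erasure of every tokenized line, which is the property the backup-rotation step above relies on.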
Where Statutory Retention Applies (e.g., AMLD V, tax laws)
Data is fully encrypted at rest;
Physically or logically segregated from operational systems;
Tagged “Retained for Statutory Compliance – No Active Processing”;
Access is strictly limited to the Money Laundering Reporting Officer (MLRO) and Compliance Team under dual control.
Objection And Automated Decision-Making
Any objection triggers immediate suspension of the automated decision.
The DPO and Head of Regulatory Compliance jointly conduct a manual, documented review of the logic, input, output, and impact of the automated decision.
A comprehensive written explanation is provided to the controller, including findings, corrective actions, and appeal options.
All such events are documented in the Register and retained for regulatory inspection and internal trend analysis.
Cross-Border Transfers And Sub-Processors
Axora engages only sub-processors bound by written data-processing terms and, for transfers outside the EEA or UK, by Standard Contractual Clauses (SCCs) or another valid transfer mechanism (e.g., an adequacy decision or Binding Corporate Rules).
Each sub-processor must maintain a dedicated DSR process and notify Axora of execution results within ten (10) business days.
The DPO verifies closure and documents compliance before final reporting to the controller.
Communications And Documentation
Secure, Encrypted, And Fully Traceable Communication Protocols
All DSR-related communications between Axora and controllers occur exclusively through encrypted, authenticated channels, including secure email, dedicated secure portals, or other mechanisms that ensure confidentiality and integrity of transmission.
Every instruction, action, confirmation, and correspondence is documented with date, time, actor ID, system reference, and cryptographic hash for immutability.
Axora never communicates directly with a data subject unless the controller expressly authorizes written delegation and provides approved messaging.
Cooperation With Controllers And Authorities
Proactive, Transparent, and Fully Documented Collaboration: Axora commits to full and unconditional cooperation with:
Controllers and their DPOs;
Supervisory Authorities (e.g., the EU/EEA authorities represented on the EDPB, the UK ICO, the Office of the Privacy Commissioner of Canada, the California Attorney General and the California Privacy Protection Agency);
Financial Intelligence Units for AML/CFT oversight.
In cases of conflicting obligations (e.g., erasure vs. AML retention), Axora documents the conflict, seeks controller direction, and retains all records to demonstrate lawful basis and good faith.
Recordkeeping And Retention
Centralized, Immutable, and Highly Secure Audit Trail: The Data Subject Request Register serves as the authoritative, centralized, and immutable audit trail and includes:
Unique reference ID and controller identifier;
Request type and jurisdiction;
Dates: received, acknowledged, executed, closed;
Systems impacted and employees involved;
Confirmation from controller;
Applicable legal or AML retention exemption.
All entries and supporting documentation are retained for a minimum of five (5) years post-closure in full compliance with the Data Protection & Retention Policy of Axora.
Records are encrypted with AES-256, stored in a segregated, access-controlled compliance vault, and accessible only to the DPO and Chief Compliance Officer (CCO) under strict audit logging.
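The "cryptographic hash for immutability" required for DSR correspondence and the register above is most useful when each record's hash also covers the previous record's hash, so that the register is an append-only chain. The following Go program is an added example of such a register, not Axora's implementation; the field names mirror the list above, and the sample values are constructed. Editing a historical entry breaks verification at that entry, and every later entry would have to be re-sealed to hide the change.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry carries the register fields the Procedure lists; JSON names are assumed.
type Entry struct {
	Seq          int      `json:"seq"`
	RefID        string   `json:"ref_id"`
	Controller   string   `json:"controller"`
	RequestType  string   `json:"request_type"`
	Jurisdiction string   `json:"jurisdiction"`
	Received     string   `json:"received"`
	Acknowledged string   `json:"acknowledged,omitempty"`
	Executed     string   `json:"executed,omitempty"`
	Closed       string   `json:"closed,omitempty"`
	Systems      []string `json:"systems"`
	ActorID      string   `json:"actor_id"`
	ControllerOK bool     `json:"controller_confirmed"`
	Exemption    string   `json:"exemption,omitempty"`
	PrevHash     string   `json:"prev_hash"`
	Hash         string   `json:"hash"`
}

// genesis is the all-zero hash that precedes the first entry.
var genesis = hex.EncodeToString(make([]byte, 32))

// EntryHash seals one entry: SHA-256 over its canonical JSON with Hash cleared.
// Struct field order is fixed, so the encoding is deterministic.
func EntryHash(e Entry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the tail of the register and seals it.
func Append(reg []Entry, e Entry) []Entry {
	e.Seq = len(reg)
	e.PrevHash = genesis
	if len(reg) > 0 {
		e.PrevHash = reg[len(reg)-1].Hash
	}
	e.Hash = EntryHash(e)
	return append(reg, e)
}

// Verify walks the chain. It returns -1 if every entry is intact and correctly
// linked, otherwise the Seq of the first entry that fails.
func Verify(reg []Entry) int {
	prev := genesis
	for i, e := range reg {
		if e.Seq != i || e.PrevHash != prev || EntryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	var reg []Entry // constructed sample entries
	reg = Append(reg, Entry{RefID: "DSR-2026-0042", Controller: "Novapayx", RequestType: "erasure",
		Jurisdiction: "EU", Received: "2026-03-30T09:12:00Z", Systems: []string{"ledger", "kyc"}, ActorID: "dpo-01"})
	reg = Append(reg, Entry{RefID: "DSR-2026-0042", Controller: "Novapayx", RequestType: "erasure",
		Jurisdiction: "EU", Received: "2026-03-30T09:12:00Z", Executed: "2026-04-10T16:40:00Z",
		Systems: []string{"ledger", "kyc"}, ActorID: "ops-07", ControllerOK: true,
		Exemption: "AML/CFT retention: ledger records"})
	fmt.Println("intact:", Verify(reg) == -1)
	reg[0].ActorID = "someone-else" // edit a historical record without re-sealing
	fmt.Println("first bad entry:", Verify(reg))
}
```

The chain only proves that nobody altered the register after the fact without leaving a trace; it does not stop an insider with write access from re-sealing the whole tail. Periodically anchoring the latest hash somewhere the register's administrators cannot rewrite (a signed statement to the controller, or a write-once store) closes that gap.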
Roles And Responsibilities
Data Protection Officer (DPO): Holds ultimate accountability for overall compliance, register oversight, controller coordination, authority liaison, DSR closure approval, and continuous process improvement.
Chief Compliance Officer (CCO): Ensures full integration with AML/CFT policies, supervises retention exceptions, and validates legal overrides in coordination with the Legal Team.
IT & Infrastructure Security Teams: Bear responsibility for data discovery, secure extraction, system-level actions, secure deletion, and technical validation of all DSR outcomes.
Legal Team: Provides expert legal and regulatory guidance, evaluates jurisdictional conflicts, drafts formal documentation, and supports supervisory engagements.
All Employees And Contractors
Must immediately forward any identified DSR to the DPO upon receipt;
Must maintain confidentiality and refrain from independent action throughout the DSR lifecycle.
Training And Awareness
Comprehensive, Tiered, Mandatory, and Continuously Reinforced Training Program: All personnel with access to personal data or involvement in DSR processing must complete specialized training on data-subject rights within thirty (30) days of onboarding and annually thereafter.
The Training Curriculum Comprehensively Covers
Identification and classification of incoming DSRs;
Controller vs. processor responsibility demarcation;
AML/CFT retention conflicts and resolution protocols;
Secure use of data-extraction, rectification, and erasure tools;
Jurisdictional nuances under GDPR, PIPEDA, and CCPA.
Training completion, comprehension, and refresher compliance are centrally tracked, audited, and reported by Human Resources and Compliance, with records retained for five (5) years.
Monitoring, Audit, And Review
Proactive, Risk-Based, and Continuous Governance Framework: This Procedure is subject to a full formal review at least twice per calendar year, with immediate ad-hoc review triggered by:
Material changes in applicable law, regulation, or supervisory guidance;
Significant organizational, technical, or operational restructuring;
Emerging privacy risks, audit findings, or incident learnings.
Internal Audits Evaluate
Timeliness of controller notifications and response execution;
Accuracy and completeness of data exports, rectifications, and deletions;
Proper application and documentation of AML/CFT exceptions;
Effectiveness and coverage of training programs.
All audit findings, gap assessment reports, operational performance metrics, and stakeholder feedback are systematically analyzed and incorporated into documented corrective actions, tracked to closure in the Compliance Audit Report.
Enforcement And Disciplinary Action
Zero-Tolerance Enforcement and Progressive Disciplinary Measures: Any failure to comply with this Procedure constitutes a serious breach of Axora's compliance policies and may result in:
Internal disciplinary proceedings, up to and including termination of employment;
Contractual liability, suspension, or termination for third-party processors.
Significant or repeated breaches must be immediately reported to the DPO, with full documentation of the incident and remediation. Where a failure also constitutes a personal data breach, Axora shall notify the affected controller without undue delay in accordance with Article 33(2) GDPR (or equivalent provisions), so that the controller can assess notification to the relevant supervisory authority under Article 33(1).
Contact Us
To submit a Data Subject Request, raise a privacy concern, or obtain further information regarding this Procedure, please contact: privacy@axorastack.com