Data Protection
Fidacy minimizes the personal data it touches and keeps what it does retain inside the region you choose. GDPR applies; a Data Processing Agreement is available on request.
EU data residency
For EU customers, the primary datastore is hosted in the European Union. Decision data, the audit chain, and assessment records are written and read within the EU region, a differentiator for institutions that must keep regulated data inside the bloc. Data residency is confirmed in the DPA and the enterprise agreement.
Data minimization
Fidacy is a decision layer, not a processor, so the sensitive data it sees is deliberately narrow. It never receives a primary account number, track data, or a payment credential. The optional reasoning layer receives only non-sensitive signals, scores, flags, and codes, never raw PII.
Retention by data type
| Data type | Retention posture |
|---|---|
| Assessments | Structured decision records retained for the contractual term so verdicts remain reproducible; configurable in an enterprise agreement. |
| Audit chain | Append-only and retained for the regulatory retention period; detached, never dropped (UPDATE/DELETE blocked), so the chain stays verifiable. |
| Operational logs | High-churn operational data (e.g. webhook deliveries) ages out on a short rolling window. |
Deletion & erasure (GDPR)
We support data-subject and customer-initiated deletion in line with GDPR. Note the tension every audit system has: the append-only audit chain exists to be non-repudiable, so erasure of an underlying record is handled in a way that preserves the integrity of the chain while honoring the erasure right. The approach is set out in the DPA. Direct deletion requests to privacy@fidacy.com.
DPA & sub-processors
- A Data Processing Agreement is available on request through sales@fidacy.com or privacy@fidacy.com.
- Fidacy uses a small, named set of sub-processors. The current list and the change-notification policy are on the Sub-processors page.