Certexi
Contact

legal@certexi.com

GDPR Compliance

Last updated: March 26, 2026 · Effective: March 26, 2026


1. Our Commitment

Red Sustentable Internacional S.A. de C.V. ("RSI"), the company behind Certexi, is committed to compliance with the EU General Data Protection Regulation (GDPR) and equivalent data protection legislation worldwide.

Certexi is designed from the ground up with data sovereignty as a core architectural principle. For on-premise deployments, personal data never leaves the customer's infrastructure — making Certexi inherently aligned with GDPR's data minimization and storage limitation principles.

2. Roles & Responsibilities

Deployment Model | RSI's Role | Customer's Role
On-premise | Software licensor (no access to personal data) | Data controller and processor
Certexi Cloud | Data processor | Data controller
certexi.com website | Data controller | Data subject

3. Data Processing Agreement

For Certexi Cloud deployments, we offer a Data Processing Agreement (DPA) that covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Sub-processor management
  • Data breach notification procedures
  • Data deletion and return upon termination

To request a DPA, contact privacy@certexi.com.

4. Lawful Basis for Processing

We process personal data under the following legal bases:

  • Contract performance — to provide the Service you subscribed to
  • Legitimate interest — to improve the platform, send security updates, and respond to inquiries
  • Legal obligation — to comply with applicable laws and regulations
  • Consent — where required (e.g., marketing communications)

5. Data Subject Rights

Under the GDPR, you have the right to:

  • Access — request a copy of your personal data (Art. 15)
  • Rectification — correct inaccurate personal data (Art. 16)
  • Erasure — request deletion of your personal data (Art. 17)
  • Restriction — restrict processing of your personal data (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Objection — object to processing based on legitimate interest (Art. 21)
  • Automated decisions — not be subject to solely automated decision-making (Art. 22)

To exercise any right, email privacy@certexi.com. We will respond within 30 days.

6. International Data Transfers

RSI is based in Mexico. For transfers of personal data from the EEA or UK, we rely on:

  • EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor)
  • Supplementary technical measures (encryption in transit and at rest)
  • Transfer Impact Assessments where required

For on-premise deployments, no international transfer occurs unless configured by the customer.

7. Sub-Processors

We use a limited number of sub-processors:

Sub-Processor | Purpose | Location
Stripe | Payment processing | United States
Vercel | Website hosting (certexi.com only) | United States

We notify Cloud customers of any new sub-processor additions with 30 days' notice. On-premise deployments have no sub-processors — all processing occurs within your infrastructure.

8. Data Breach Notification

In the event of a personal data breach affecting Cloud deployment data:

  • We will notify the affected customer within 72 hours of becoming aware
  • Notification will include the nature of the breach, data affected, and remediation steps
  • We will cooperate with the customer's notification obligations to supervisory authorities and data subjects

9. Data Protection by Design

Certexi implements GDPR Article 25 (Data Protection by Design and by Default) through:

  • Sovereignty-first architecture: On-premise deployment means data never leaves your control
  • Data minimization: We collect only the minimum personal data necessary for account management
  • Encryption: TLS in transit, encryption at rest for all stored data
  • Access controls: Role-based access with audit logging
  • Pseudonymization: Support for anonymized and pseudonymized evidence records

10. Supervisory Authority

If you are in the EEA, you have the right to lodge a complaint with your local Data Protection Authority. We encourage you to contact us first at privacy@certexi.com so we can address your concern.

11. Contact

Data Protection Contact:
Red Sustentable Internacional S.A. de C.V.
Veracruz, Mexico
privacy@certexi.com

Certexi — Red Sustentable Internacional S.A. de C.V. · Veracruz, Mexico