GDPR Compliance - Data Privacy & Protection Standards
Archonite is committed to upholding the highest standards of data privacy and organizational security. For our partners operating within the European Economic Area (EEA) or managing the data of EU citizens, we ensure comprehensive alignment with the General Data Protection Regulation (GDPR). This document provides a technical and operational overview of our legal framework, architecture, and the features designed to facilitate our clients' compliance obligations.
I. Legal Framework & Data Governance
Adherence to GDPR requires a transparent and legally binding framework governing the relationship between Data Controllers and Data Processors.
1. Data Processing Agreement (DPA)
Archonite serves as a Data Processor under the GDPR. We require all EU-based clients and businesses processing data of EU subjects to execute a Data Processing Agreement (DPA) prior to account activation.
- Article 28 Compliance: Our DPA serves as the legal instrument defining the scope, nature, and purpose of data processing, ensuring that Archonite acts only upon the documented instructions of the Data Controller.
- Sub-Processor Management: Archonite utilizes a rigorously vetted network of infrastructure providers. We maintain an up-to-date list of all sub-processors, their locations, and their processing roles. We agree to notify the Controller prior to any changes to this list, giving the Controller the right to object to new sub-processors.
List of Archonite sub-processors
2. Lawful Basis for Processing (Articles 6 & 9)
We facilitate the collection of valid lawful bases for all processing activities performed within the Archonite ecosystem.
- Explicit Biometric Consent: Processing biometric data (Special Category Data under Article 9) necessitates explicit, informed consent. Archonite's KYC flow includes a mandatory consent module: "I consent to the processing of my biometric data for the sole purpose of identity verification and fraud prevention."
- Regulatory Conflict Resolution (AML vs. GDPR): Under the "Legal Obligation" basis (Article 6(1)(c)), Archonite's adherence to Anti-Money Laundering (AML) regulations requires the retention of specific identity records for a minimum of 6 years, a period that starts during the active relationship.
- Retention Primacy: In instances where AML laws mandate data retention, this legal obligation takes precedence over a "Right to Erasure" request, but only for the specific data points required by law.
3. Data Protection Officer (DPO)
Archonite has appointed a dedicated Data Protection Officer to oversee our privacy strategy and serve as a point of contact for supervisory authorities.
- Contact: dpo@archonite.xyz
II. Technical Architecture & Security (Article 32)
Archonite's infrastructure is built on the principle of Privacy by Design, implementing robust technical and organizational measures to safeguard data.
1. Data Residency & Sovereignty
We recognize the importance of data residency for EU-based enterprises.
- EU Region Hosting: Enterprise customers with high verification volumes have the option to provision resources within EU-based data centers, ensuring that personal data remains within the EEA.
- Data Transfer Safeguards: Archonite operates legally as a "Third Country" processor. To guarantee compliance with Chapter V of the GDPR (Transfers), we automatically incorporate the latest Standard Contractual Clauses (SCCs) into our Data Processing Agreement. Furthermore, our "Cloud-Native Workstation" policy ensures that our support staff access EU data only through secure, non-persistent Virtual Desktop Environments (VDI) located within the EEA, minimizing data export risks.
2. Cryptographic Controls
- Encryption at Rest: All PII—including names, identification numbers, and ID document images—is stored using Argon2 encryption.
- Encryption in Transit: We enforce TLS 1.3 across all API endpoints. Unsecured connections are programmatically rejected.
- Pseudonymization & Fingerprinting: To ensure absolute auditability for AML compliance, Archonite utilizes our proprietary "Identity Fingerprinting" system. While data is not pseudonymized in the active processing layer to facilitate immediate fraud detection, every record is cryptographically anchored to a unique, immutable ID. This allows us to precisely segregate and retrieve data for DSARs without exposing the raw identity set to unauthorized sub-systems.
3. Data Minimization & Accuracy
- Storage of Intent: Archonite does not retain unsubmitted or abandoned sessions. For incomplete verifications, we only store metadata (session fingerprint, connection logs, and intent ID) for security and debugging purposes.
- Minimal Biometric Footprint: We store only the raw high-resolution frames required for facial verification. Archonite does not retain or store audio or video recordings during the KYC process.
III. Data Subject Rights
We provide the technical tools necessary for our clients to honor Data Subject Access Requests (DSARs).
1. The Right to Erasure (Article 17)
Clients can programmatically initiate the deletion of user data via our Delete User API Endpoint. The API automatically evaluates whether the user's data is eligible for deletion or must be retained for the mandatory AML holding period.
2. Fraud Prevention Exception (Legitimate Interest)
If a user is flagged for fraudulent activity, Archonite retains a non-invertible cryptographic hash of the user's identity markers. This is documented under "Legitimate Interest" (Article 6(1)(f)), as it is essential for preventing future fraud across the Archonite network.
3. Backup Integrity & Rotation
Deletion requests propagate to our backup systems through a 30-day rotation cycle. Once a record is deleted from production, it will be fully purged from all backup media within 30 days.
IV. Operational Readiness & Accountability
1. Record of Processing Activities (RoPA)
Archonite maintains a rigorous RoPA detailing:
- Data Categories: KYC metadata, PII, and biometric data.
- Processing Purpose: Identity verification and regulatory AML compliance.
- Retention Policy: Data is retained for the duration of the client relationship, or for 6 years following account closure as mandated by global financial regulations.
2. Security Incident Response
In the event of a suspected data breach, Archonite follows a structured Incident Response Plan:
- Identification: Rapid filtering of affected segments using immutable audit logs.
- Notification: In accordance with Article 33(2), Archonite will notify affected Data Controllers without undue delay (and in no case later than 48 hours) after becoming aware of the breach, enabling our partners to fulfill their 72-hour reporting obligations to supervisory authorities.
V. Compliance-Centric Features
- Immutable Audit Logs: Access logs detailing every instance of PII retrieval are available via API, supporting the principle of Accountability.
- Data Portability (Article 20): Clients can export a user's full verification package in a machine-readable JSON format, accompanied by a secure archive of all associated images, to facilitate portability requests.
Support & Compliance Inquiries
For inquiries regarding our Data Processing Agreement or to submit a regulatory request, please contact our Compliance Team:
- General Support: support@archonite.xyz
- Data Protection Officer: dpo@archonite.xyz
Archonite Ltd., 69 Patri Felicjan Bilocca St, Marsa, Malta MRS1521
