Protocol: Data_Minimization

Privacy Governance

Digifolio Ltd • GDPR Article 30 Compliant

01. Controller & Processor Identity

Under the jurisdiction of England & Wales, Digifolio Ltd (Company No. 15821992) acts as the Data Processor for all licensing and attribution metadata.

Licensees (Owners of the Codex) act as the Data Controller for any information processed within their independent deployments. We do not have access to your internal instance data.

02. Data Minimization Mandate

Our architecture is engineered to redact PII (Personally Identifiable Information) locally on GCP Cloud Run before any data touches an external inference API. We capture only four (4) core data points:

Authorized Email
Company Name
Transaction ID
Hashed IP

03. Mandatory Retention Nodes

Financial Records: 7 Years
Operational Logs: 90 Days
Session Metadata: Ephemeral

04. Right to Erasure (GDPR)

Architects may trigger the Right to Erasure Protocol via the Portal Settings.

Once triggered, all PII (excluding immutable financial transaction records) is anonymized and deleted across all system nodes within 30 days.

Zero-Trust Architecture
AES-256 Encryption • 30-Day Key Rotation
Kamel Abouelnaga
Founder & Data Protection Officer
Direct Legal Inquiries:
info@digifolio.co.uk