Data Processing

When CREANODE develops and operates systems that process personal data belonging to a client organization's customers or users, the client organization is the data controller and CREANODE acts as a data processor. CREANODE processes such data only on documented instructions from the controller and for the purposes specified in the project agreement.

Processing activities performed by CREANODE as a data processor are limited to: hosting and operating client systems, performing maintenance and updates, providing technical support, and performing security monitoring. CREANODE does not process client organization data for any purpose beyond what is necessary to deliver contracted services.

CREANODE uses infrastructure providers (hosting, email delivery) as sub-processors. Sub-processors are located in the EU/EEA or in jurisdictions with adequate data protection. Client organizations are informed of sub-processor changes in advance of implementation. A full list of sub-processors is available on request.

CREANODE implements technical and organizational security measures appropriate to the risk level of the data being processed: access controls, encryption in transit and at rest, audit logging, regular security updates, and incident response procedures. Specific security measures for a given client system are documented in the project architecture documentation.