GDPR Self-Certification

Formal self-assessment demonstrating compliance with EU General Data Protection Regulation

Version 1.0Issued: November 23, 2025Valid Until: November 23, 2026

Self-Certification Statement

Adaptrix hereby certifies that we have conducted a comprehensive self-assessment of our data processing operations and have implemented technical and organizational measures to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

This self-certification is based on our internal review of all processing activities, policies, and procedures. While this is not an independent third-party certification, we affirm that the statements herein are accurate and reflect our current compliance posture.

This certification is reviewed annually and updated as necessary to reflect changes in our processing activities or regulatory requirements.

Executive Summary

Scope of Assessment

This self-certification covers all personal data processing activities conducted by Adaptrix in its role as a Data Processor, including the Adaptrix analytics platform and associated services.

Assessment Methodology

Based on Article-by-Article review of GDPR requirements, documentation of implemented controls, and verification of technical measures through internal audit procedures.

Compliance Status

All assessed GDPR requirements have been implemented. Continuous improvement program in place for ongoing compliance enhancement.

Next Review Date

Annual review scheduled for November 2026. Interim reviews conducted upon significant changes to processing activities or regulatory guidance.

1. Organization Details

Organization Name

Adaptrix

GDPR Role

Data Processor (Article 4(8) GDPR)

Location

Palma, Illes Balears, Spain

Website

https://adaptrix.ai

Data Protection Contact

Data Protection Officer - [email protected]

2. Lawful Basis for Processing (Article 6)

Legal Basis	Implementation Details	Status
Contractual Necessity (Art. 6(1)(b))	Processing necessary for the performance of our service agreement with data controllers.
Legitimate Interests (Art. 6(1)(f))	Limited processing for service improvement, security monitoring, and fraud prevention.
Consent (Art. 6(1)(a))	Explicit consent obtained for marketing communications and optional analytics.
Legal Obligation (Art. 6(1)(c))	Processing required by law, including tax records and regulatory compliance.

3. Data Subject Rights (Articles 15-22)

Right	Implementation Details	Status
Right of Access (Art. 15)	Automated data export functionality; manual requests processed within 30 days.
Right to Rectification (Art. 16)	Self-service profile editing; support ticket system for data corrections.
Right to Erasure (Art. 17)	Automated data deletion workflow with immutable audit logging.
Right to Restriction (Art. 18)	Processing restriction flags in database; manual review process.
Right to Data Portability (Art. 20)	JSON and CSV export in machine-readable formats.
Right to Object (Art. 21)	Opt-out mechanisms for direct marketing; objection handling workflow.
Automated Decision-Making (Art. 22)	Human review available for all AI-assisted decisions; no fully automated decisions with legal effects.

4. Technical & Organizational Measures (Article 32)

Measure	Implementation Details	Status
Encryption at Rest	AES-256 encryption for all stored personal data.
Encryption in Transit	TLS 1.3 for all data transmission; HTTPS enforced.
Access Controls	Role-based access control (RBAC); principle of least privilege.
Multi-Factor Authentication	MFA available for all user accounts; required for admin access.
Audit Logging	Immutable audit logs for all data access and modifications.
Data Backup	Daily encrypted backups with 30-day retention; tested recovery procedures.
Vulnerability Management	Regular security assessments; dependency scanning; penetration testing.
Network Security	Firewall protection; DDoS mitigation; intrusion detection.

5. Data Protection by Design & Default (Article 25)

Principle	Implementation Details	Status
Proactive not Reactive	Privacy considerations integrated from project inception.
Privacy as Default	Most privacy-protective settings enabled by default.
Data Minimization	Only essential data collected; purpose limitation enforced.
Full Functionality	Privacy-protective measures without sacrificing user experience.
End-to-End Security	Data protection throughout entire data lifecycle.
Visibility & Transparency	Clear privacy notices; accessible data practices.
User-Centric	User control over their data; easy-to-use privacy tools.

6. Breach Notification (Articles 33-34)

Requirement	Implementation Details	Status
Detection	Automated breach detection systems with 24/7 monitoring.
Assessment	Documented risk assessment procedures for potential breaches.
Authority Notification	Process to notify supervisory authority within 72 hours.
Data Subject Notification	High-risk breach notification procedures for affected individuals.
Documentation	Breach register maintained with all incidents and responses.

7. Records of Processing Activities (Article 30)

Record Type	Implementation Details	Status
Processing Inventory	Complete inventory of all processing activities maintained.
Purpose Documentation	Clear documentation of purposes for each processing activity.
Data Categories	Categories of personal data documented for each process.
Recipients	All data recipients and transfers documented.
Retention Periods	Defined retention periods for each data category.
Security Measures	Technical and organizational measures documented.

8. Data Protection Impact Assessment (Article 35)

Element	Implementation Details	Status
DPIA Process	Documented process for conducting DPIAs for high-risk processing.
Risk Assessment	Systematic assessment of risks to data subjects.
Mitigation Measures	Documented measures to address identified risks.
DPO Consultation	DPO consulted for all DPIAs.
Prior Consultation	Process for supervisory authority consultation if required.

9. International Data Transfers (Articles 44-49)

Mechanism	Implementation Details	Status
EU Data Residency	Primary data processing in Frankfurt, Germany (EU).
Standard Contractual Clauses	EU Commission approved SCCs (Decision 2021/914) for non-EU transfers.
EU-US Data Privacy Framework	US sub-processors certified under EU-US DPF where applicable.
Transfer Impact Assessments	TIAs conducted for transfers to countries without adequacy decisions.
Supplementary Measures	Additional technical measures (encryption) for international transfers.

10. Sub-processor Management (Article 28)

Requirement	Implementation Details	Status
Written Contracts	Written agreements with all sub-processors meeting GDPR Article 28 requirements.
Due Diligence	Security and compliance assessment before engaging sub-processors.
Sub-processor List	Transparent list of all sub-processors publicly available.
Change Notification	30-day advance notice for sub-processor additions or changes.
Ongoing Monitoring	Regular review of sub-processor compliance and security.

Certification Declaration

I hereby declare that Adaptrix has implemented the technical and organizational measures described in this self-certification document. This declaration is made in good faith based on our internal assessment of compliance with the General Data Protection Regulation (EU) 2016/679.

We acknowledge that this is a self-certification and does not constitute an independent third-party audit. We commit to maintaining and continuously improving our compliance posture, and to updating this certification as necessary.

We further commit to cooperating with any supervisory authority inquiries and to providing evidence of our compliance measures upon request.

Certified By

Data Protection Officer

Adaptrix

Certification Date

November 23, 2025

Valid for 12 months

Questions About This Certification?

For questions regarding our GDPR compliance or this self-certification:

[email protected]

Loading...

Please wait while we prepare your content

Self-Certification Statement

This certification is reviewed annually and updated as necessary to reflect changes in our processing activities or regulatory requirements.

Executive Summary

Scope of Assessment

This self-certification covers all personal data processing activities conducted by Adaptrix in its role as a Data Processor, including the Adaptrix analytics platform and associated services.

Assessment Methodology

Based on Article-by-Article review of GDPR requirements, documentation of implemented controls, and verification of technical measures through internal audit procedures.

Compliance Status

All assessed GDPR requirements have been implemented. Continuous improvement program in place for ongoing compliance enhancement.

Next Review Date

Annual review scheduled for November 2026. Interim reviews conducted upon significant changes to processing activities or regulatory guidance.

Legal Basis

Implementation Details

Status

Contractual Necessity (Art. 6(1)(b))

Processing necessary for the performance of our service agreement with data controllers.

Legitimate Interests (Art. 6(1)(f))

Limited processing for service improvement, security monitoring, and fraud prevention.

Consent (Art. 6(1)(a))

Explicit consent obtained for marketing communications and optional analytics.

Legal Obligation (Art. 6(1)(c))

Processing required by law, including tax records and regulatory compliance.

Right

Implementation Details

Status

Right of Access (Art. 15)

Automated data export functionality; manual requests processed within 30 days.

Right to Rectification (Art. 16)

Self-service profile editing; support ticket system for data corrections.

Right to Erasure (Art. 17)

Automated data deletion workflow with immutable audit logging.

Right to Restriction (Art. 18)

Processing restriction flags in database; manual review process.

Right to Data Portability (Art. 20)

JSON and CSV export in machine-readable formats.

Right to Object (Art. 21)

Opt-out mechanisms for direct marketing; objection handling workflow.

Automated Decision-Making (Art. 22)

Human review available for all AI-assisted decisions; no fully automated decisions with legal effects.

Measure

Implementation Details

Status

Encryption at Rest

AES-256 encryption for all stored personal data.

Encryption in Transit

TLS 1.3 for all data transmission; HTTPS enforced.

Access Controls

Role-based access control (RBAC); principle of least privilege.

Multi-Factor Authentication

MFA available for all user accounts; required for admin access.

Audit Logging

Immutable audit logs for all data access and modifications.

Data Backup

Daily encrypted backups with 30-day retention; tested recovery procedures.

Vulnerability Management

Regular security assessments; dependency scanning; penetration testing.

Network Security

Firewall protection; DDoS mitigation; intrusion detection.

Principle

Implementation Details

Status

Proactive not Reactive

Privacy considerations integrated from project inception.

Privacy as Default

Most privacy-protective settings enabled by default.

Data Minimization

Only essential data collected; purpose limitation enforced.

Full Functionality

Privacy-protective measures without sacrificing user experience.

End-to-End Security

Data protection throughout entire data lifecycle.

Visibility & Transparency

Clear privacy notices; accessible data practices.

User-Centric

User control over their data; easy-to-use privacy tools.

Requirement

Implementation Details

Status

Detection

Automated breach detection systems with 24/7 monitoring.

Assessment

Documented risk assessment procedures for potential breaches.

Authority Notification

Process to notify supervisory authority within 72 hours.

Data Subject Notification

High-risk breach notification procedures for affected individuals.

Documentation

Breach register maintained with all incidents and responses.

Record Type

Implementation Details

Status

Processing Inventory

Complete inventory of all processing activities maintained.

Purpose Documentation

Clear documentation of purposes for each processing activity.

Data Categories

Categories of personal data documented for each process.

Recipients

All data recipients and transfers documented.

Retention Periods

Defined retention periods for each data category.

Security Measures

Technical and organizational measures documented.

Element

Implementation Details

Status

DPIA Process

Documented process for conducting DPIAs for high-risk processing.

Risk Assessment

Systematic assessment of risks to data subjects.

Mitigation Measures

Documented measures to address identified risks.

DPO Consultation

DPO consulted for all DPIAs.

Prior Consultation

Process for supervisory authority consultation if required.

Mechanism

Implementation Details

Status

EU Data Residency

Primary data processing in Frankfurt, Germany (EU).

Standard Contractual Clauses

EU Commission approved SCCs (Decision 2021/914) for non-EU transfers.

EU-US Data Privacy Framework

US sub-processors certified under EU-US DPF where applicable.

Transfer Impact Assessments

TIAs conducted for transfers to countries without adequacy decisions.

Supplementary Measures

Additional technical measures (encryption) for international transfers.

Requirement

Implementation Details

Status

Written Contracts

Written agreements with all sub-processors meeting GDPR Article 28 requirements.

Due Diligence

Security and compliance assessment before engaging sub-processors.

Sub-processor List

Transparent list of all sub-processors publicly available.

Change Notification

30-day advance notice for sub-processor additions or changes.

Ongoing Monitoring

Regular review of sub-processor compliance and security.

Certification Declaration

We further commit to cooperating with any supervisory authority inquiries and to providing evidence of our compliance measures upon request.

Certified By

Data Protection Officer

Adaptrix

Certification Date

November 23, 2025

Valid for 12 months

GDPR Self-Certification

Self-Certification Statement

Executive Summary

Scope of Assessment

Assessment Methodology

Compliance Status

Next Review Date

1. Organization Details

2. Lawful Basis for Processing (Article 6)

3. Data Subject Rights (Articles 15-22)

4. Technical & Organizational Measures (Article 32)

5. Data Protection by Design & Default (Article 25)

6. Breach Notification (Articles 33-34)

7. Records of Processing Activities (Article 30)

8. Data Protection Impact Assessment (Article 35)

9. International Data Transfers (Articles 44-49)

10. Sub-processor Management (Article 28)

Certification Declaration

Related Documents

Questions About This Certification?

Loading...

GDPR Self-Certification

Self-Certification Statement

Executive Summary

Scope of Assessment

Assessment Methodology

Compliance Status

Next Review Date

1. Organization Details

2. Lawful Basis for Processing (Article 6)

3. Data Subject Rights (Articles 15-22)

4. Technical & Organizational Measures (Article 32)

5. Data Protection by Design & Default (Article 25)

6. Breach Notification (Articles 33-34)

7. Records of Processing Activities (Article 30)

8. Data Protection Impact Assessment (Article 35)

9. International Data Transfers (Articles 44-49)

10. Sub-processor Management (Article 28)

Certification Declaration

Related Documents

Questions About This Certification?