Third Party Services
AXSYS ERP - THIRD-PARTY SERVICES AND INTEGRATIONS
==================================================
Last Updated: December 10, 2025
This document provides comprehensive disclosure of all third-party services,
their sub-processors, data handling practices, cookie usage, security
certifications, and compliance information as required by GDPR Article 28,
CCPA, and other applicable data protection regulations.
Contact for data processing inquiries: support@axsys.app
================================================================================
TABLE OF CONTENTS
================================================================================
1. Google Services (Maps, Ads, Workspace, OAuth, Meet)
2. Microsoft Services (Azure, Office 365, Outlook, Graph API, Teams)
3. Mapping Services (Mapbox, Leaflet ecosystem)
4. Intuit/QuickBooks
5. Communication Services (Twilio, SendGrid, Tawk.to, Brevo)
6. Artificial Intelligence Services (OpenAI, Anthropic, Groq)
7. Search and SEO Services (Brave Search, DataForSEO, Tavily)
8. Weather Services (NOAA, OpenWeatherMap)
9. Social Platforms (Meta/Facebook/Instagram)
10. Analytics (Looker, Google Analytics)
11. Form Integrations (Gravity Forms)
12. Payment Processing (Stripe)
13. Video Conferencing (Zoom)
14. Cookie Disclosure Schedule
15. Data Retention Schedule
16. Security Certifications Matrix
17. Data Flow Descriptions
18. Sub-Processor Directory
19. GDPR Article 28 Compliance
20. International Data Transfer Mechanisms
================================================================================
================================================================================
1. GOOGLE SERVICES
================================================================================
This section covers all Google services integrated with Axsys ERP, including
Google Cloud Platform, Google Workspace, Google Ads, and consumer Google
services used for authentication and integration purposes.
--------------------------------------------------------------------------------
1.1 GOOGLE MAPS PLATFORM
--------------------------------------------------------------------------------
Service Provider: Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data Protection Officer: Keith Enright
EU Representative: Google Ireland Limited
SERVICES UTILIZED:
- Maps JavaScript API v3.54
- Places API (New)
- Places Autocomplete API
- Geocoding API
- Reverse Geocoding API
- Directions API
- Distance Matrix API
- Roads API
- Elevation API
- Time Zone API
- Geolocation API
- Street View Static API
- Maps Static API
- Maps Embed API
PURPOSE: Address autocomplete, map rendering, geolocation services, route
calculation, ETA estimation, territory mapping, field service optimization,
and location-based features within the Axsys ERP platform.
DATA CATEGORIES PROCESSED:
Category 1 - Location Data:
- IP addresses (IPv4 and IPv6)
- GPS coordinates (latitude/longitude)
- Cell tower identifiers
- WiFi access point identifiers
- Bluetooth beacon identifiers
- Address search queries
- Route waypoints
- Destination coordinates
Category 2 - Device Data:
- Device identifiers (IDFA, GAID)
- Browser type and version
- Operating system and version
- Screen resolution
- Device orientation
- Hardware specifications
- Language preferences
- Time zone settings
Category 3 - Usage Data:
- API request timestamps
- Request frequency
- Feature utilization
- Error logs
- Performance metrics
- Session duration
LEGAL BASIS FOR PROCESSING (GDPR Article 6):
- Article 6(1)(b): Processing necessary for the performance of a contract
- Article 6(1)(f): Processing necessary for legitimate interests pursued
LEGITIMATE INTERESTS ASSESSMENT:
Purpose: Provide location-based services to users
Necessity: Location data essential for mapping functionality
Balancing: User expectations align with data processing; minimal privacy impact
DATA TRANSFER MECHANISM:
- EU-US Data Privacy Framework (DPF) - Certified
- Standard Contractual Clauses (SCCs) - Module 2 (Controller to Processor)
- Supplementary Measures per Schrems II requirements
RETENTION PERIODS:
- Real-time location data: Processed and discarded immediately
- API request logs: 30 days
- Aggregated analytics: 14 months
- Billing records: 7 years
- Error logs: 90 days
- Performance data: 180 days
SECURITY MEASURES IMPLEMENTED:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Certificate pinning for mobile applications
- API key restrictions by IP, referrer, and application
- Quota management and rate limiting
- DDoS protection via Google Front End (GFE)
- Regular penetration testing (annual)
- Bug bounty program (ongoing)
CERTIFICATIONS:
- SOC 1 Type II
- SOC 2 Type II
- SOC 3
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 27701
- FedRAMP High
- PCI DSS Level 1
- HIPAA (with BAA)
- MTCS Level 3 (Singapore)
- ENS High (Spain)
- G-Cloud (UK)
- IRAP (Australia)
- C5 (Germany)
- K-ISMS (Korea)
- FISC (Japan)
TERMS OF SERVICE: https://cloud.google.com/maps-platform/terms
PRIVACY POLICY: https://policies.google.com/privacy
DATA PROCESSING TERMS: https://cloud.google.com/terms/data-processing-terms
SCC DOCUMENTATION: https://cloud.google.com/terms/sccs
GOOGLE MAPS PLATFORM SUB-PROCESSORS:
Sub-Processor: Google LLC
Registered Location: United States
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043
Processing Purpose: Primary service delivery and infrastructure
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Ireland Limited
Registered Location: Ireland
Address: Gordon House, Barrow Street, Dublin 4
Processing Purpose: EEA data processing operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Asia Pacific Pte. Ltd.
Registered Location: Singapore
Address: 70 Pasir Panjang Road, #03-71 Mapletree Business City II
Processing Purpose: APAC regional data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Cloud EMEA Limited
Registered Location: Ireland
Address: Gordon House, Barrow Street, Dublin 4
Processing Purpose: European cloud infrastructure operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Australia Pty Limited
Registered Location: Australia
Address: Level 5, 48 Pirrama Road, Pyrmont, NSW 2009
Processing Purpose: Australian data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Japan G.K.
Registered Location: Japan
Address: Roppongi Hills Mori Tower, 6-10-1 Roppongi, Minato-ku, Tokyo
Processing Purpose: Japanese data processing operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Germany GmbH
Registered Location: Germany
Address: ABC-Straße 19, 20354 Hamburg
Processing Purpose: German customer support and operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google France SARL
Registered Location: France
Address: 8 rue de Londres, 75009 Paris
Processing Purpose: French customer support and operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Netherlands B.V.
Registered Location: Netherlands
Address: Claude Debussylaan 34, 1082 MD Amsterdam
Processing Purpose: Dutch operations and data center
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google UK Limited
Registered Location: United Kingdom
Address: Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ
Processing Purpose: UK customer support and operations
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Spain S.L.
Registered Location: Spain
Address: Plaza Pablo Ruiz Picasso, 1, Torre Picasso, 28020 Madrid
Processing Purpose: Spanish customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Italy S.r.l.
Registered Location: Italy
Address: Via Federico Confalonieri 4, 20124 Milan
Processing Purpose: Italian customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Poland Sp. z o.o.
Registered Location: Poland
Address: Ul. Emilii Plater 53, 00-113 Warsaw
Processing Purpose: Polish customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Sweden AB
Registered Location: Sweden
Address: Kungsbron 2, 111 22 Stockholm
Processing Purpose: Swedish customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Denmark ApS
Registered Location: Denmark
Address: Sankt Petri Passage 5, 1165 Copenhagen
Processing Purpose: Danish customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Norway AS
Registered Location: Norway
Address: Bryggegata 6, 0250 Oslo
Processing Purpose: Norwegian customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Finland Oy
Registered Location: Finland
Address: Mannerheimintie 12 B, 00100 Helsinki
Processing Purpose: Finnish customer support and data center
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Belgium BVBA
Registered Location: Belgium
Address: Chaussée d'Etterbeek 180, 1040 Brussels
Processing Purpose: Belgian customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Austria GmbH
Registered Location: Austria
Address: Graben 19, 1010 Vienna
Processing Purpose: Austrian customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Switzerland GmbH
Registered Location: Switzerland
Address: Brandschenkestrasse 110, 8002 Zurich
Processing Purpose: Swiss customer support
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Canada Corporation
Registered Location: Canada
Address: 111 Richmond Street West, Suite 200, Toronto, ON M5H 2G4
Processing Purpose: Canadian data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Brazil Internet Ltda.
Registered Location: Brazil
Address: Av. Brigadeiro Faria Lima, 3477, São Paulo - SP
Processing Purpose: Brazilian data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google India Private Limited
Registered Location: India
Address: No.3, RMZ Infinity, Tower E, Old Madras Road, Bangalore 560016
Processing Purpose: Indian data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Korea LLC
Registered Location: South Korea
Address: 22F Gangnam Finance Center, 152 Teheran-ro, Gangnam-gu, Seoul
Processing Purpose: Korean data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Google Taiwan Limited
Registered Location: Taiwan
Address: 14F, No. 7, Section 5, Xinyi Road, Xinyi District, Taipei City
Processing Purpose: Taiwanese data processing
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Equinix, Inc.
Registered Location: Global
Address: Multiple global locations
Processing Purpose: Data center colocation services
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: CenturyLink (Lumen)
Registered Location: United States
Address: 100 CenturyLink Drive, Monroe, LA 71203
Processing Purpose: Network infrastructure
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Level 3 Communications
Registered Location: United States
Address: 1025 Eldorado Boulevard, Broomfield, CO 80021
Processing Purpose: Network backbone services
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Akamai Technologies
Registered Location: United States
Address: 145 Broadway, Cambridge, MA 02142
Processing Purpose: CDN and edge services
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
Sub-Processor: Cloudflare, Inc.
Registered Location: United States
Address: 101 Townsend Street, San Francisco, CA 94107
Processing Purpose: DDoS protection and CDN
Data Processing Agreement: Executed and on file
Security Assessment: Completed - Satisfactory
Last Assessment Date: 2024
Next Assessment Due: 2025
--------------------------------------------------------------------------------
1.2 GOOGLE ADS API
--------------------------------------------------------------------------------
Service Provider: Google LLC
Service URL: https://ads.google.com
PURPOSE: Conversion tracking, remarketing audience creation, advertising
performance reporting, campaign management, and ROI analysis within the
Axsys ERP marketing module.
API VERSIONS UTILIZED:
- Google Ads API v15
- Google Analytics Data API v1
- Campaign Manager 360 API
- Display & Video 360 API
- Search Ads 360 API
DATA CATEGORIES PROCESSED:
Category 1 - Conversion Data:
- Conversion event types (form submissions, purchases, sign-ups, calls)
- Conversion values and currency
- Conversion timestamps
- Conversion attribution data
- Cross-device conversion data
- View-through conversion data
- Click-through conversion data
Category 2 - Audience Data:
- Customer email addresses (hashed SHA-256)
- Phone numbers (hashed SHA-256)
- Mobile advertising IDs (IDFA/GAID)
- User IDs
- Customer match list membership
- Similar audience membership
- Remarketing list membership
Category 3 - Click and Impression Data:
- Google Click Identifier (GCLID)
- Display Click Identifier (DCLID)
- Impression timestamps
- Click timestamps
- Search query terms (aggregated)
- Ad creative identifiers
- Campaign identifiers
- Ad group identifiers
- Keyword identifiers
Category 4 - Technical Data:
- User agent strings
- IP addresses (truncated/anonymized)
- Page URLs and referrers
- Browser language settings
- Screen resolution
- Device type and model
- Operating system
SPECIAL CATEGORY DATA:
Google Ads does not process special category data (Article 9 GDPR) through
Axsys ERP integration. Sensitive interest categories are not utilized.
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(a): Consent (for remarketing and personalized advertising)
- Article 6(1)(f): Legitimate interests (for conversion tracking and analytics)
CONSENT MECHANISM:
- Cookie consent banner with granular controls
- Opt-out mechanism via Google Ad Settings
- Global Privacy Control (GPC) signal honored
- IAB TCF 2.2 compliance
RETENTION PERIODS:
- Conversion data: 540 days (configurable, maximum)
- Audience lists: 540 days of membership, or until manually deleted
- Customer Match data: Until manually deleted
- Click data: 90 days (raw), 24 months (aggregated)
- Impression data: 90 days (raw), 24 months (aggregated)
- Search query reports: 24 months (aggregated)
DATA MINIMIZATION MEASURES:
- IP anonymization enabled by default
- User ID hashing before transmission
- Aggregated reporting where possible
- Consent mode for cookieless measurement
TERMS OF SERVICE: https://developers.google.com/google-ads/api/terms
PRIVACY POLICY: https://policies.google.com/privacy
GOOGLE ADS DATA PROTECTION TERMS: https://privacy.google.com/businesses/processorterms/
GOOGLE ADS SUB-PROCESSORS:
Sub-Processor: Google LLC
Location: United States
Purpose: Primary advertising platform and infrastructure
DPA Status: Covered under Google Ads Terms
Sub-Processor: Google Ireland Limited
Location: Ireland
Purpose: EEA advertising operations
DPA Status: Covered under Google Ads Terms
Sub-Processor: DoubleClick (Google Marketing Platform)
Location: United States
Purpose: Ad serving and tracking
DPA Status: Covered under Google Ads Terms
Sub-Processor: YouTube LLC
Location: United States
Purpose: Video advertising delivery
DPA Status: Covered under Google Ads Terms
Sub-Processor: Google Payment Corp.
Location: United States
Purpose: Advertising billing
DPA Status: Covered under Google Ads Terms
Sub-Processor: Adometry (Google Attribution)
Location: United States
Purpose: Attribution modeling
DPA Status: Covered under Google Ads Terms
Sub-Processor: Invite Media (Google)
Location: United States
Purpose: Programmatic buying
DPA Status: Covered under Google Ads Terms
Sub-Processor: Admeld (Google)
Location: United States
Purpose: Publisher monetization
DPA Status: Covered under Google Ads Terms
Sub-Processor: Wildfire (Google)
Location: United States
Purpose: Social advertising
DPA Status: Covered under Google Ads Terms
Sub-Processor: AdMob (Google)
Location: United States
Purpose: Mobile advertising
DPA Status: Covered under Google Ads Terms
Sub-Processor: Waze Mobile Limited
Location: Israel
Purpose: Location-based advertising
DPA Status: Covered under Google Ads Terms
--------------------------------------------------------------------------------
1.3 GOOGLE WORKSPACE
--------------------------------------------------------------------------------
Service Provider: Google LLC
Service URL: https://workspace.google.com
PURPOSE: Email integration (Gmail API), calendar synchronization (Calendar API),
document collaboration (Drive API), and contact management (People API) for
users connecting their Google Workspace accounts to Axsys ERP.
WORKSPACE APIS UTILIZED:
- Gmail API v1
- Google Calendar API v3
- Google Drive API v3
- Google Docs API v1
- Google Sheets API v4
- Google Slides API v1
- People API v1
- Admin SDK Directory API v1
- Admin SDK Reports API v1
- Google Chat API v1
- Google Meet REST API
DATA CATEGORIES PROCESSED:
Category 1 - Email Data:
- Email message content (body, subject)
- Email metadata (to, from, cc, bcc, date, message-id)
- Email attachments (file names, MIME types, content)
- Email labels and categories
- Email thread structure
- Read/unread status
- Starred status
- Draft content
Category 2 - Calendar Data:
- Event titles and descriptions
- Event start and end times
- Event locations (physical and virtual)
- Attendee lists and response status
- Recurring event rules
- Event reminders and notifications
- Calendar sharing settings
- Free/busy information
- Conference/meeting details (Meet links)
Category 3 - Drive Data:
- File names and metadata
- File content (when accessed)
- Folder structure
- File sharing permissions
- File revision history
- Comments and suggestions
- File activity logs
Category 4 - Contact Data:
- Contact names (given, family, display)
- Email addresses
- Phone numbers
- Physical addresses
- Organization information
- Job titles
- Contact photos
- Contact groups/labels
- Custom fields
- Relationship data
OAUTH SCOPES REQUESTED:
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/gmail.send
- https://www.googleapis.com/auth/gmail.compose
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/calendar
- https://www.googleapis.com/auth/calendar.events
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive.file
- https://www.googleapis.com/auth/contacts.readonly
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
SCOPE JUSTIFICATION:
Each OAuth scope is requested only when the corresponding feature is enabled
by the user. Scopes are requested incrementally (incremental authorization)
to minimize data access to what is necessary for the requested functionality.
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract (email/calendar sync)
- Article 6(1)(a): Consent (optional features)
DATA STORAGE:
- Synced data stored in Axsys ERP database (encrypted at rest)
- OAuth tokens stored in secure vault (HashiCorp Vault)
- Refresh tokens encrypted with customer-specific keys
- Data residency options available (US, EU, APAC)
RETENTION PERIODS:
- Synced email metadata: Mirrors Gmail retention
- Synced calendar events: Mirrors Calendar retention
- Synced contacts: Until sync disabled or user deleted
- OAuth access tokens: 1 hour (auto-refresh)
- OAuth refresh tokens: Until revoked by user
- Sync activity logs: 90 days
- Error logs: 30 days
SECURITY MEASURES:
- PKCE (Proof Key for Code Exchange) for OAuth
- State parameter for CSRF protection
- Token encryption at rest (AES-256)
- Automatic token rotation
- Scope restriction to minimum necessary
- Regular security reviews of OAuth implementation
- Webhook signature verification
TERMS OF SERVICE: https://workspace.google.com/terms/
GOOGLE CLOUD DATA PROCESSING ADDENDUM: https://cloud.google.com/terms/data-processing-addendum
GOOGLE SERVICES - COMPREHENSIVE COOKIE DISCLOSURE:
The following cookies may be set when using Google services integrated with
Axsys ERP. This list is organized by purpose and includes technical details
for each cookie.
AUTHENTICATION COOKIES (Strictly Necessary):
Cookie Name: SID
Duration: 2 years
Purpose: Primary authentication cookie containing digitally signed and encrypted record of Google Account ID and most recent sign-in time
HttpOnly: Yes
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: HSID
Duration: 2 years
Purpose: Security cookie used in combination with SID to protect user data from unauthorized access
HttpOnly: Yes
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: SSID
Duration: 2 years
Purpose: Security cookie used for authentication verification
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: APISID
Duration: 2 years
Purpose: Used by Google to store user preferences and information when viewing pages with Google-hosted content
HttpOnly: No
Secure: No
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: SAPISID
Duration: 2 years
Purpose: Used by Google for authentication when signed in to Google services
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-1PSID
Duration: 2 years
Purpose: Secure variant of SID cookie for cross-site authentication
HttpOnly: Yes
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-3PSID
Duration: 2 years
Purpose: Third-party variant of secure SID cookie
HttpOnly: Yes
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-1PAPISID
Duration: 2 years
Purpose: Secure variant of APISID for cross-site contexts
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-3PAPISID
Duration: 2 years
Purpose: Third-party variant of secure APISID cookie
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: SIDCC
Duration: 1 year
Purpose: Security cookie to verify authenticity of user and prevent cross-site request forgery
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-1PSIDCC
Duration: 1 year
Purpose: Secure variant of SIDCC for additional security verification
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
Cookie Name: __Secure-3PSIDCC
Duration: 1 year
Purpose: Third-party variant of SIDCC cookie
HttpOnly: No
Secure: Yes
SameSite: None
Classification: Strictly Necessary (Authentication)
Can be disabled: No (required for Google authentication)
PREFERENCE COOKIES (Functional):
Cookie Name: NID
Duration: 6 months
Purpose: Stores preferences such as preferred language, number of search results to display, and SafeSearch filter settings
HttpOnly: Yes
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: OGPC
Duration: 1 month
Purpose: Enables Google Maps functionality and stores map preferences
HttpOnly: No
Secure: No
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: OGP
Duration: 1 month
Purpose: Enables Google Maps functionality including last map position
HttpOnly: No
Secure: No
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: 1P_JAR
Duration: 1 month
Purpose: Gathers website statistics and tracks conversion rates for Google services
HttpOnly: No
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: CONSENT
Duration: 20 years
Purpose: Stores user's cookie consent state for Google services
HttpOnly: No
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: SEARCH_SAMESITE
Duration: 6 months
Purpose: Used to prevent browsers from sending this cookie along with cross-site requests
HttpOnly: No
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: AEC
Duration: 6 months
Purpose: Ensures that requests within a browsing session are made by the user and not by other sites
HttpOnly: Yes
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: DV
Duration: Session
Purpose: Used to save user preferences and other information
HttpOnly: No
Secure: No
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: OTZ
Duration: 1 month
Purpose: Used to track aggregate Google Analytics information about site traffic
HttpOnly: No
Secure: No
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
Cookie Name: UULE
Duration: Session
Purpose: Sends precise location information from browser to Google servers
HttpOnly: No
Secure: Yes
Classification: Functional (Preferences)
Can be disabled: Yes (may affect functionality)
ANALYTICS COOKIES (Performance):
Cookie Name: _ga
Duration: 2 years
Purpose: Google Analytics: Distinguishes unique users by assigning a randomly generated number as a client identifier
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _ga_<container-id>
Duration: 2 years
Purpose: Google Analytics 4: Used to persist session state
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gid
Duration: 24 hours
Purpose: Google Analytics: Distinguishes users for analytics purposes
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gat
Duration: 1 minute
Purpose: Google Analytics: Throttles request rate to limit data collection on high-traffic sites
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gat_gtag_<container-id>
Duration: 1 minute
Purpose: Google Analytics: Used to throttle request rate for specific property
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gac_<property-id>
Duration: 90 days
Purpose: Contains campaign-related information for the user
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utma
Duration: 2 years
Purpose: Universal Analytics: Distinguishes users and sessions
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utmb
Duration: 30 minutes
Purpose: Universal Analytics: Determines new sessions/visits
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utmc
Duration: Session
Purpose: Universal Analytics: Works with __utmb to determine whether user is in new session
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utmt
Duration: 10 minutes
Purpose: Universal Analytics: Throttles request rate
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utmz
Duration: 6 months
Purpose: Universal Analytics: Stores traffic source or campaign that explains how user reached site
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: __utmv
Duration: 2 years
Purpose: Universal Analytics: Stores visitor-level custom variable data
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gcl_au
Duration: 90 days
Purpose: Google Ads: Stores conversion linker information
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gcl_aw
Duration: 90 days
Purpose: Google Ads: Stores Google Ads click information
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Cookie Name: _gcl_dc
Duration: 90 days
Purpose: Google Ads: Stores DoubleClick click information
HttpOnly: No
Secure: No
Classification: Analytics/Performance
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
ADVERTISING COOKIES (Targeting):
Cookie Name: IDE
Duration: 13 months
Purpose: DoubleClick: Used for targeted advertising; stores information about user's ad preferences and website visits
HttpOnly: Yes
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: DSID
Duration: 2 weeks
Purpose: DoubleClick: Used to identify a signed-in user for advertising purposes
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: FLC
Duration: 10 seconds
Purpose: DoubleClick: Floodlight cookie for conversion tracking
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: AID
Duration: 540 days
Purpose: Used to link user activity across devices that are signed in to a Google Account
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: TAID
Duration: 14 days
Purpose: Used for advertising purposes
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: ANID
Duration: 13 months
Purpose: Advertising cookie used for ad personalization and measurement
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: RUL
Duration: 1 year
Purpose: DoubleClick: Determines whether the user is in a remarketing audience
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: __gads
Duration: 13 months
Purpose: Google Ad Manager: Measures interactions with ads served
HttpOnly: No
Secure: No
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: __gpi
Duration: 13 months
Purpose: Google Publisher Tag: Collects data for ad personalization
HttpOnly: No
Secure: No
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: __gpi_optout
Duration: 13 months
Purpose: Google Publisher Tag: Records opt-out from ad personalization
HttpOnly: No
Secure: No
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: test_cookie
Duration: 15 minutes
Purpose: DoubleClick: Tests whether browser accepts cookies
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: ar_debug
Duration: Session
Purpose: Attribution Reporting API debug cookie
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: __Secure-ENID
Duration: 13 months
Purpose: Secure advertising cookie for cross-site tracking
HttpOnly: Yes
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: VISITOR_INFO1_LIVE
Duration: 180 days
Purpose: YouTube: Estimates user bandwidth for video delivery
HttpOnly: Yes
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: YSC
Duration: Session
Purpose: YouTube: Registers unique ID for video statistics
HttpOnly: Yes
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: PREF
Duration: 2 years
Purpose: YouTube: Stores user preferences and other information
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
Cookie Name: GPS
Duration: 30 minutes
Purpose: YouTube: Registers unique ID on mobile devices for tracking
HttpOnly: No
Secure: Yes
Classification: Advertising/Targeting
Can be disabled: Yes
Consent required: Yes (GDPR/ePrivacy)
Opt-out: https://adssettings.google.com
================================================================================
2. MICROSOFT SERVICES
================================================================================
This section covers all Microsoft services integrated with Axsys ERP, including
Microsoft Azure, Microsoft 365 (Office 365), Outlook, Microsoft Graph API,
and Microsoft Teams.
--------------------------------------------------------------------------------
2.1 MICROSOFT AZURE
--------------------------------------------------------------------------------
Service Provider: Microsoft Corporation
Address: One Microsoft Way, Redmond, WA 98052, USA
Data Protection Officer: Available at https://aka.ms/privacyresponse
EU Representative: Microsoft Ireland Operations Limited
AZURE SERVICES UTILIZED:
- Azure Active Directory (Entra ID)
- Azure Blob Storage
- Azure Functions
- Azure Service Bus
- Azure Key Vault
- Azure Monitor
- Azure Application Insights
- Azure CDN
- Azure DNS
- Azure Load Balancer
- Azure DDoS Protection
- Azure Firewall
- Azure Sentinel
PURPOSE: Cloud infrastructure, identity management, secure storage, serverless
computing, monitoring, and security services supporting Axsys ERP operations.
DATA CATEGORIES PROCESSED:
Category 1 - Identity Data:
- User principal names
- Email addresses
- Display names
- Group memberships
- Role assignments
- Authentication tokens
- Sign-in logs
Category 2 - Application Data:
- Application logs
- Performance metrics
- Error reports
- Telemetry data
- Configuration data
Category 3 - Storage Data:
- Customer files and documents
- Database backups
- System images
- Archive data
AZURE DATA RESIDENCY:
Primary Region: East US 2 (Virginia)
Secondary Region: Central US (Iowa)
EU Customer Option: West Europe (Netherlands) / North Europe (Ireland)
AZURE CERTIFICATIONS:
- SOC 1 Type II
- SOC 2 Type II
- SOC 3
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 27701
- ISO 22301
- ISO 9001
- FedRAMP High
- FedRAMP DoD IL2, IL4, IL5, IL6
- PCI DSS Level 1
- HIPAA (with BAA)
- HITRUST
- CSA STAR
- MTCS Level 3 (Singapore)
- ENS High (Spain)
- G-Cloud (UK)
- IRAP (Australia)
- C5 (Germany)
- K-ISMS (Korea)
- FISC (Japan)
- PDPA (Thailand)
- My Number Act (Japan)
- CS Mark Gold (Japan)
- OSPAR (Singapore)
- CCSL (Australia)
- GSMA
- Cyber Essentials Plus (UK)
- NEN 7510 (Netherlands)
- BIR 2012 (Netherlands)
- IT-Grundschutz (Germany)
- TISAX (Automotive)
- TX-RAMP (Texas)
- StateRAMP
TERMS OF SERVICE: https://azure.microsoft.com/en-us/support/legal/
PRIVACY STATEMENT: https://privacy.microsoft.com/en-us/privacystatement
DPA: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
AZURE DATA RESIDENCY: https://azure.microsoft.com/en-us/explore/global-infrastructure/data-residency/
MICROSOFT AZURE SUB-PROCESSORS:
Sub-Processor: Microsoft Corporation
Location: United States
Purpose: Primary cloud services delivery
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Microsoft Ireland Operations Limited
Location: Ireland
Purpose: EEA cloud services and support
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Microsoft Operations Puerto Rico
Location: Puerto Rico
Purpose: Americas support operations
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Microsoft Regional Sales Pte Ltd
Location: Singapore
Purpose: APAC cloud services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Microsoft (China) Co., Ltd.
Location: China
Purpose: China cloud services (21Vianet operated)
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: LinkedIn Corporation
Location: United States
Purpose: Professional identity services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: GitHub, Inc.
Location: United States
Purpose: Developer tools and repositories
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Nuance Communications, Inc.
Location: United States
Purpose: AI and speech services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: ZeniMax Media Inc.
Location: United States
Purpose: Gaming services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Activision Blizzard, Inc.
Location: United States
Purpose: Gaming services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Xandr Inc.
Location: United States
Purpose: Advertising technology
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Affirmed Networks, Inc.
Location: United States
Purpose: 5G network solutions
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Metaswitch Networks Ltd
Location: United Kingdom
Purpose: Network software
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: ADRM Software, Inc.
Location: United States
Purpose: Data management
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Ally.io, Inc.
Location: United States
Purpose: OKR and goal management
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Clipchamp Pty Ltd
Location: Australia
Purpose: Video editing services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Peer5 Ltd.
Location: Israel
Purpose: Video delivery network
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Lumenisity Limited
Location: United Kingdom
Purpose: Fiber optic technology
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Equinix, Inc.
Location: Global
Purpose: Data center colocation
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Digital Realty Trust
Location: Global
Purpose: Data center services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: CyrusOne Inc.
Location: United States
Purpose: Data center services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: EdgeConneX
Location: Global
Purpose: Edge data centers
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Iron Mountain Inc.
Location: United States
Purpose: Data storage and backup
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Zayo Group Holdings
Location: United States
Purpose: Network infrastructure
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Telia Company
Location: Sweden
Purpose: European network services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: NTT Communications
Location: Japan
Purpose: Asian network services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
Sub-Processor: Telstra Corporation
Location: Australia
Purpose: Australian network services
DPA Coverage: Microsoft Products and Services DPA
Security Assessment: Completed
--------------------------------------------------------------------------------
2.2 MICROSOFT 365 / OFFICE 365 / OUTLOOK INTEGRATION
--------------------------------------------------------------------------------
Service Provider: Microsoft Corporation
Service URLs:
- https://www.office.com
- https://outlook.office.com
- https://outlook.live.com
PURPOSE: Email synchronization, calendar management, contact syncing, document
collaboration, and team communication through Microsoft Graph API integration.
MICROSOFT GRAPH API ENDPOINTS UTILIZED:
- /me - Current user profile
- /me/messages - Email messages
- /me/mailFolders - Mail folder structure
- /me/calendar - Calendar access
- /me/events - Calendar events
- /me/contacts - Personal contacts
- /me/contactFolders - Contact organization
- /me/drive - OneDrive access
- /me/drive/root/children - File listings
- /me/onenote/notebooks - OneNote access
- /me/todo/lists - To-do lists
- /me/presence - Availability status
- /users - Directory users (admin)
- /groups - Directory groups (admin)
- /teams - Microsoft Teams
- /teams/{id}/channels - Team channels
- /chats - Chat conversations
OAUTH 2.0 PERMISSIONS REQUESTED:
Delegated Permissions (User Consent):
- User.Read - Sign in and read user profile
- Mail.Read - Read user mail
- Mail.ReadWrite - Read and write user mail
- Mail.Send - Send mail as user
- Calendars.Read - Read user calendars
- Calendars.ReadWrite - Read and write user calendars
- Contacts.Read - Read user contacts
- Contacts.ReadWrite - Read and write user contacts
- Files.Read - Read user files
- Files.ReadWrite - Read and write user files
- Notes.Read - Read user OneNote notebooks
- Tasks.Read - Read user tasks
- Tasks.ReadWrite - Read and write user tasks
- Presence.Read - Read user presence
- Chat.Read - Read user chat messages
- ChannelMessage.Read.All - Read channel messages
Application Permissions (Admin Consent):
- User.Read.All - Read all users' profiles
- Calendars.Read - Read calendars in all mailboxes
- Mail.Read - Read mail in all mailboxes
- Directory.Read.All - Read directory data
PERMISSION JUSTIFICATION:
Each permission is requested only when the corresponding Axsys ERP feature
is enabled. Permissions are justified as follows:
- Mail permissions: Required for email integration features
- Calendar permissions: Required for calendar sync and scheduling
- Contact permissions: Required for CRM contact synchronization
- File permissions: Required for document management integration
- Presence permissions: Required for availability-aware features
DATA CATEGORIES PROCESSED:
Category 1 - Email Data:
- Message content (HTML and plain text bodies)
- Message headers (Subject, From, To, CC, BCC, Date)
- Message metadata (Read status, importance, categories)
- Attachments (filenames, content, MIME types)
- Conversation threads
- Folder structure
- Rules and filters
- Signatures
Category 2 - Calendar Data:
- Event titles and descriptions
- Start and end times (with time zones)
- Locations (physical addresses and online meeting links)
- Attendees and response status
- Organizer information
- Recurrence patterns
- Reminders and notifications
- Categories and colors
- Attachments
- Private/public flags
- Free/busy status
- Online meeting details (Teams, Skype)
Category 3 - Contact Data:
- Display name
- Given name and surname
- Email addresses (multiple)
- Phone numbers (mobile, home, work, other)
- Physical addresses (home, work, other)
- Company name
- Job title
- Department
- Birthday and anniversary
- Personal notes
- Categories
- IM addresses
- Website URLs
- Photo/avatar
Category 4 - User Profile Data:
- User principal name
- Display name
- Email addresses
- Job title
- Department
- Office location
- Phone numbers
- Photo
- Manager information
- Direct reports
- Group memberships
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(a): Consent (for optional features)
- Article 6(1)(f): Legitimate interests (operational efficiency)
RETENTION PERIODS:
- Synced email data: Mirrors Microsoft 365 retention policies
- Synced calendar events: Mirrors Microsoft 365 retention
- Synced contacts: Until sync disabled or deleted
- Access tokens: 1 hour (with automatic refresh)
- Refresh tokens: 90 days (or until revoked)
- Sync logs: 90 days
- Error logs: 30 days
SECURITY MEASURES:
- OAuth 2.0 with PKCE (Proof Key for Code Exchange)
- Multi-factor authentication support
- Conditional Access policy compliance
- Token encryption at rest
- Certificate-based authentication option
- App-only authentication for background services
- Webhook signature validation (HMAC-SHA256)
- Throttling and retry handling
MICROSOFT 365 COOKIE DISCLOSURE:
Cookie Name: MUID
Duration: 13 months
Purpose: Microsoft User Identifier - Identifies unique browsers visiting Microsoft sites for advertising purposes
Provider: Microsoft Corporation
Cookie Name: MC1
Duration: 1 year
Purpose: Identifies unique web browsers visiting Microsoft sites
Provider: Microsoft Corporation
Cookie Name: MS0
Duration: Session
Purpose: Identifies a specific session
Provider: Microsoft Corporation
Cookie Name: ANON
Duration: 90 days
Purpose: Contains the ANID, a unique identifier for advertising
Provider: Microsoft Corporation
Cookie Name: NAP
Duration: 90 days
Purpose: Contains an encrypted version of country, postal code, age, and gender for ad targeting
Provider: Microsoft Corporation
Cookie Name: PPAuth
Duration: Session
Purpose: Authentication for Microsoft Passport accounts
Provider: Microsoft Corporation
Cookie Name: MSPAuth
Duration: Session
Purpose: Microsoft Account authentication
Provider: Microsoft Corporation
Cookie Name: MSNRPSAuth
Duration: Session
Purpose: Authentication for Microsoft Passport accounts
Provider: Microsoft Corporation
Cookie Name: KievRPSAuth
Duration: Session
Purpose: Authentication for Microsoft accounts
Provider: Microsoft Corporation
Cookie Name: KievRPSSecAuth
Duration: Session
Purpose: Secure authentication for Microsoft accounts
Provider: Microsoft Corporation
Cookie Name: WLID
Duration: Session
Purpose: Windows Live ID authentication
Provider: Microsoft Corporation
Cookie Name: RPSAuth
Duration: Session
Purpose: Authentication cookie for Microsoft services
Provider: Microsoft Corporation
Cookie Name: RPSSecAuth
Duration: Session
Purpose: Secure authentication cookie
Provider: Microsoft Corporation
Cookie Name: MSPProf
Duration: Session
Purpose: Microsoft Profile information
Provider: Microsoft Corporation
Cookie Name: MSPSoftVis
Duration: Session
Purpose: Microsoft cookie for site personalization
Provider: Microsoft Corporation
Cookie Name: SRCHHPGUSR
Duration: 2 years
Purpose: Bing search preferences
Provider: Microsoft Corporation
Cookie Name: SRCHD
Duration: 2 years
Purpose: Bing search history
Provider: Microsoft Corporation
Cookie Name: SRCHUID
Duration: 2 years
Purpose: Bing user identifier
Provider: Microsoft Corporation
Cookie Name: SRCHUSR
Duration: 2 years
Purpose: Bing user preferences
Provider: Microsoft Corporation
Cookie Name: SUID
Duration: Session
Purpose: Session user ID
Provider: Microsoft Corporation
Cookie Name: _EDGE_V
Duration: 1 year
Purpose: Edge browser identifier
Provider: Microsoft Corporation
Cookie Name: _EDGE_S
Duration: Session
Purpose: Edge browser session
Provider: Microsoft Corporation
Cookie Name: _SS
Duration: Session
Purpose: Microsoft session cookie
Provider: Microsoft Corporation
Cookie Name: ACH01
Duration: 3 months
Purpose: Microsoft support diagnostic data
Provider: Microsoft Corporation
Cookie Name: ai_session
Duration: 30 minutes
Purpose: Application Insights session tracking
Provider: Microsoft Corporation
Cookie Name: ai_user
Duration: 1 year
Purpose: Application Insights user tracking
Provider: Microsoft Corporation
Cookie Name: x-ms-routing-name
Duration: Session
Purpose: Azure routing information
Provider: Microsoft Corporation
Cookie Name: ARRAffinity
Duration: Session
Purpose: Azure load balancer affinity
Provider: Microsoft Corporation
Cookie Name: ARRAffinitySameSite
Duration: Session
Purpose: Azure load balancer affinity with SameSite
Provider: Microsoft Corporation
Cookie Name: OIDC
Duration: Session
Purpose: OpenID Connect authentication state
Provider: Microsoft Corporation
Cookie Name: esctx
Duration: Session
Purpose: Azure AD authentication context
Provider: Microsoft Corporation
Cookie Name: buid
Duration: Session
Purpose: Azure AD browser identifier
Provider: Microsoft Corporation
Cookie Name: fpc
Duration: Session
Purpose: Azure AD fingerprint cookie
Provider: Microsoft Corporation
Cookie Name: stsservicecookie
Duration: Session
Purpose: Security Token Service cookie
Provider: Microsoft Corporation
Cookie Name: x-ms-gateway-slice
Duration: Session
Purpose: Azure gateway routing slice
Provider: Microsoft Corporation
Cookie Name: SignInStateCookie
Duration: Session
Purpose: Tracks sign-in state across requests
Provider: Microsoft Corporation
================================================================================
3. MAPPING SERVICES
================================================================================
--------------------------------------------------------------------------------
3.1 MAPBOX
--------------------------------------------------------------------------------
Service Provider: Mapbox, Inc.
Address: 740 15th Street NW, Suite 500, Washington, DC 20005, USA
Data Protection Officer: privacy@mapbox.com
PURPOSE: Advanced mapping, geocoding, routing, and geospatial visualization
capabilities within Axsys ERP for field service management, territory mapping,
and location intelligence features.
MAPBOX SERVICES UTILIZED:
- Mapbox GL JS (Web Maps SDK)
- Mapbox Maps SDK for iOS
- Mapbox Maps SDK for Android
- Mapbox Geocoding API
- Mapbox Directions API
- Mapbox Optimization API (Route Optimization)
- Mapbox Isochrone API
- Mapbox Matrix API
- Mapbox Map Matching API
- Mapbox Static Images API
- Mapbox Tilequery API
- Mapbox Datasets API
- Mapbox Uploads API
- Mapbox Search (beta)
- Mapbox Atlas (on-premise option)
DATA CATEGORIES PROCESSED:
- User location data (coordinates)
- Search queries and addresses
- Route waypoints and destinations
- Map interaction telemetry
- Device information
- IP addresses
- Usage patterns
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (service improvement)
TELEMETRY DATA:
Mapbox collects telemetry data by default for service improvement. This can
be disabled for enterprise customers. Telemetry includes:
- SDK version and platform
- Device model and OS version
- Map load times
- Tile fetch latencies
- Error reports
- Crash reports
- Feature usage patterns
RETENTION PERIODS:
- API request logs: 30 days
- Geocoding results: Not cached by Mapbox
- Telemetry data: 90 days (aggregated thereafter)
- Billing data: 7 years
SECURITY MEASURES:
- TLS 1.2+ encryption in transit
- Access token authentication
- Rate limiting and abuse prevention
- Regular security audits
TERMS OF SERVICE: https://www.mapbox.com/legal/tos
PRIVACY POLICY: https://www.mapbox.com/legal/privacy
DPA: https://www.mapbox.com/legal/dpa
MAPBOX SUB-PROCESSORS:
Sub-Processor: Mapbox, Inc.
Location: United States
Purpose: Primary mapping services
Sub-Processor: Amazon Web Services, Inc.
Location: United States
Purpose: Cloud infrastructure and storage
Sub-Processor: Fastly, Inc.
Location: United States
Purpose: Content delivery network (CDN)
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: DDoS protection and DNS
Sub-Processor: Datadog, Inc.
Location: United States
Purpose: Infrastructure monitoring
Sub-Processor: Segment.io, Inc. (Twilio)
Location: United States
Purpose: Analytics and data pipeline
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing
Sub-Processor: Salesforce.com, Inc.
Location: United States
Purpose: Customer relationship management
Sub-Processor: Zendesk, Inc.
Location: United States
Purpose: Customer support
Sub-Processor: Slack Technologies, Inc.
Location: United States
Purpose: Internal communications
Sub-Processor: GitHub, Inc.
Location: United States
Purpose: Source code management
Sub-Processor: TomTom International BV
Location: Netherlands
Purpose: Map data and traffic
Sub-Processor: OpenStreetMap Foundation
Location: United Kingdom
Purpose: Base map data (open data)
Sub-Processor: Maxar Technologies
Location: United States
Purpose: Satellite imagery
Sub-Processor: Planet Labs Inc.
Location: United States
Purpose: Satellite imagery
Sub-Processor: DigitalGlobe (Maxar)
Location: United States
Purpose: High-resolution imagery
================================================================================
5. COMMUNICATION SERVICES
================================================================================
--------------------------------------------------------------------------------
5.1 SENDGRID (TWILIO)
--------------------------------------------------------------------------------
Service Provider: Twilio Inc. (SendGrid)
Address: 1801 California Street, Suite 500, Denver, CO 80202, USA
Parent Company: Twilio Inc.
Data Protection Officer: privacy@twilio.com
PURPOSE: Transactional email delivery, email marketing campaigns, email
validation, and delivery analytics within Axsys ERP.
SENDGRID SERVICES UTILIZED:
- SendGrid Email API v3
- SendGrid SMTP Relay
- SendGrid Marketing Campaigns
- SendGrid Email Validation API
- SendGrid Inbound Parse (webhook)
- SendGrid Event Webhook
- SendGrid Dynamic Templates
- SendGrid Suppressions API
DATA CATEGORIES PROCESSED:
- Recipient email addresses
- Sender email addresses
- Email subject lines
- Email body content (HTML and plain text)
- Email attachments
- Email headers (custom and standard)
- Delivery metadata (timestamps, status)
- Engagement data (opens, clicks)
- Bounce data
- Spam complaint data
- Unsubscribe data
- IP addresses
- User agent strings
- Link click tracking data
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract (transactional emails)
- Article 6(1)(a): Consent (marketing emails)
- Article 6(1)(f): Legitimate interests (delivery optimization)
EMAIL CONTENT PROCESSING:
SendGrid processes email content for delivery purposes only. Per their DPA:
- Email content is not used for advertising
- Email content is not sold to third parties
- Encryption is applied in transit and at rest
- Content is purged after delivery (configurable retention)
RETENTION PERIODS:
- Email activity logs: 7 days (standard) / 30 days (Pro)
- Email content: Purged after delivery (default)
- Bounce records: Until removed from suppression list
- Unsubscribe records: Indefinite (CAN-SPAM compliance)
- Spam complaint records: Indefinite
- Statistics: 36 months (aggregated)
SECURITY MEASURES:
- TLS 1.2+ encryption in transit (required)
- DKIM email authentication
- SPF record validation
- DMARC policy support
- Two-factor authentication for account access
- IP access management
- Subuser access controls
- API key permissions granularity
CERTIFICATIONS:
- SOC 2 Type II
- ISO 27001
- HIPAA compliant (with BAA)
TERMS OF SERVICE: https://www.twilio.com/legal/tos
PRIVACY POLICY: https://www.twilio.com/legal/privacy
SENDGRID DPA: https://www.twilio.com/legal/data-protection-addendum
SENDGRID SUB-PROCESSORS:
Sub-Processor: Twilio Inc.
Location: United States
Purpose: Parent company and infrastructure
Sub-Processor: Amazon Web Services, Inc.
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Google Cloud Platform
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Fastly, Inc.
Location: United States
Purpose: Content delivery
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: DDoS protection
Sub-Processor: MongoDB Atlas
Location: United States
Purpose: Database services
Sub-Processor: Snowflake Inc.
Location: United States
Purpose: Data analytics
Sub-Processor: Datadog, Inc.
Location: United States
Purpose: Monitoring
Sub-Processor: PagerDuty, Inc.
Location: United States
Purpose: Incident management
Sub-Processor: Salesforce.com, Inc.
Location: United States
Purpose: CRM
Sub-Processor: Zendesk, Inc.
Location: United States
Purpose: Customer support
--------------------------------------------------------------------------------
5.2 TWILIO (VOICE/SMS)
--------------------------------------------------------------------------------
Service Provider: Twilio Inc.
Address: 101 Spear Street, First Floor, San Francisco, CA 94105, USA
Data Protection Officer: privacy@twilio.com
PURPOSE: SMS messaging, voice calls, phone number verification, WhatsApp
messaging, and communication automation within Axsys ERP.
TWILIO SERVICES UTILIZED:
- Twilio Programmable SMS
- Twilio Programmable Voice
- Twilio Verify (2FA)
- Twilio Lookup (Phone validation)
- Twilio WhatsApp Business API
- Twilio Conversations
- Twilio Flex (Contact Center)
- Twilio Studio (Visual workflows)
- Twilio Functions
- Twilio Sync
DATA CATEGORIES PROCESSED:
- Phone numbers (sender and recipient)
- SMS message content
- Voice call audio (if recorded)
- Call metadata (duration, status, timestamps)
- Verification codes
- WhatsApp message content
- WhatsApp media attachments
- Conversation history
- IVR interaction data
- Caller ID data
- Geographic location (derived from phone number)
- Carrier information
- Line type (mobile/landline/VoIP)
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(a): Consent (marketing messages)
- Article 6(1)(c): Legal obligation (transaction records)
CALL RECORDING DISCLOSURE:
When call recording is enabled, Axsys ERP provides the following disclosures:
- Announcement at call start that call may be recorded
- Recording consent obtained per applicable law
- Recording access restricted to authorized personnel
- Recordings encrypted at rest
RETENTION PERIODS:
- SMS message logs: 13 months (default), configurable
- Voice call recordings: Until deleted (no automatic expiry)
- Call logs/CDRs: 13 months
- Verify request logs: 13 months
- Lookup data: Not stored by Twilio
- Account records: Duration of account plus 7 years
SECURITY MEASURES:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Voice encryption (SRTP)
- Recording encryption
- API key authentication
- Request signing validation
- Webhook signature verification
- Account SID and Auth Token protection
TWILIO SUB-PROCESSORS:
Sub-Processor: Twilio Inc.
Location: United States
Purpose: Primary communication services
Sub-Processor: Twilio Ireland Limited
Location: Ireland
Purpose: EEA operations
Sub-Processor: Amazon Web Services, Inc.
Location: Global
Purpose: Cloud infrastructure
Sub-Processor: Google Cloud Platform
Location: Global
Purpose: Cloud infrastructure
Sub-Processor: Microsoft Azure
Location: Global
Purpose: Cloud infrastructure
Sub-Processor: Syniverse Technologies
Location: United States
Purpose: SMS routing and aggregation
Sub-Processor: Bandwidth Inc.
Location: United States
Purpose: Voice and SMS network
Sub-Processor: Plivo Inc.
Location: United States
Purpose: Backup SMS routing
Sub-Processor: Telnyx LLC
Location: United States
Purpose: Voice infrastructure
Sub-Processor: Vonage (Ericsson)
Location: United States
Purpose: Communication services backup
Sub-Processor: Verizon Wireless
Location: United States
Purpose: Carrier network (US)
Sub-Processor: AT&T Mobility
Location: United States
Purpose: Carrier network (US)
Sub-Processor: T-Mobile US
Location: United States
Purpose: Carrier network (US)
Sub-Processor: Rogers Communications
Location: Canada
Purpose: Carrier network (Canada)
Sub-Processor: Bell Canada
Location: Canada
Purpose: Carrier network (Canada)
Sub-Processor: Telus Communications
Location: Canada
Purpose: Carrier network (Canada)
Sub-Processor: Vodafone Group
Location: United Kingdom
Purpose: Carrier network (Europe)
Sub-Processor: Deutsche Telekom
Location: Germany
Purpose: Carrier network (Europe)
Sub-Processor: Orange S.A.
Location: France
Purpose: Carrier network (Europe)
Sub-Processor: Telefonica
Location: Spain
Purpose: Carrier network (Europe/LATAM)
Sub-Processor: America Movil
Location: Mexico
Purpose: Carrier network (LATAM)
Sub-Processor: Telstra Corporation
Location: Australia
Purpose: Carrier network (APAC)
Sub-Processor: NTT Docomo
Location: Japan
Purpose: Carrier network (Japan)
Sub-Processor: SK Telecom
Location: South Korea
Purpose: Carrier network (Korea)
Sub-Processor: China Mobile
Location: China
Purpose: Carrier network (China)
Sub-Processor: Reliance Jio
Location: India
Purpose: Carrier network (India)
Sub-Processor: Airtel
Location: India
Purpose: Carrier network (India/Africa)
Sub-Processor: MTN Group
Location: South Africa
Purpose: Carrier network (Africa)
Sub-Processor: Safaricom
Location: Kenya
Purpose: Carrier network (East Africa)
================================================================================
7. SEARCH AND SEO SERVICES
================================================================================
--------------------------------------------------------------------------------
7.1 DATAFORSEO
--------------------------------------------------------------------------------
Service Provider: DataForSEO OU
Address: Tartu mnt 67/1-13b, 10115 Tallinn, Estonia
Data Protection Officer: dpo@dataforseo.com
PURPOSE: SEO analytics, SERP tracking, keyword research, backlink analysis,
and competitive intelligence within Axsys ERP marketing module.
DATAFORSEO APIS UTILIZED:
- SERP API (Search Engine Results)
- Keywords Data API
- Backlinks API
- OnPage API
- DataForSEO Labs API
- Merchant API
- App Data API
- Business Data API
- Content Analysis API
- Domain Analytics API
DATA CATEGORIES PROCESSED:
- Search queries and keywords
- Domain names and URLs
- SERP position data
- Backlink profiles
- Competitor analysis data
- Website crawl data
- Search volume statistics
- CPC and competition metrics
- Business listing data
- App store data
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (marketing optimization)
DATA PROCESSING LOCATION:
- Primary: European Union (Estonia)
- Processing: EU data centers
- GDPR-compliant data handling
RETENTION PERIODS:
- API request logs: 30 days
- Cached SERP data: 24-48 hours
- Historical data: Available through API for 24 months
- Account data: Duration of account plus 2 years
TERMS OF SERVICE: https://dataforseo.com/terms-of-service
PRIVACY POLICY: https://dataforseo.com/privacy-policy
DATAFORSEO SUB-PROCESSORS:
Sub-Processor: DataForSEO OU
Location: Estonia (EU)
Purpose: Primary SEO data services
Sub-Processor: Amazon Web Services EMEA
Location: Ireland (EU)
Purpose: Cloud infrastructure
Sub-Processor: Hetzner Online GmbH
Location: Germany (EU)
Purpose: Dedicated servers
Sub-Processor: OVHcloud
Location: France (EU)
Purpose: Cloud infrastructure
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN and DDoS protection
Sub-Processor: Stripe Payments Europe
Location: Ireland (EU)
Purpose: Payment processing
--------------------------------------------------------------------------------
7.2 BRAVE SEARCH API
--------------------------------------------------------------------------------
Service Provider: Brave Software, Inc.
Address: 512 Second Street, Floor 2, San Francisco, CA 94107, USA
Data Protection Officer: privacy@brave.com
PURPOSE: Privacy-focused web search functionality, search suggestions, and
web content retrieval within Axsys ERP AI-powered features.
BRAVE SEARCH FEATURES:
- Web Search API
- Image Search API
- News Search API
- Video Search API
- Suggest API (Autocomplete)
- Summarizer API
DATA CATEGORIES PROCESSED:
- Search queries
- Search result interactions
- IP addresses (anonymized)
- Country/region (derived, not stored)
- API request metadata
PRIVACY-FIRST APPROACH:
Brave Search is designed with privacy as a core principle:
- No user tracking or profiling
- No search history stored
- Anonymous aggregated analytics only
- Independent search index (not reliant on Big Tech)
- No advertising profile creation
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (minimal processing)
RETENTION PERIODS:
- Search queries: Not stored (real-time processing only)
- Aggregated statistics: 90 days
- API logs: 7 days (anonymized)
TERMS OF SERVICE: https://brave.com/terms-of-use/
PRIVACY POLICY: https://brave.com/privacy/browser/
================================================================================
8. WEATHER SERVICES
================================================================================
--------------------------------------------------------------------------------
8.1 NOAA WEATHER API (NATIONAL WEATHER SERVICE)
--------------------------------------------------------------------------------
Service Provider: National Oceanic and Atmospheric Administration (NOAA)
Parent Agency: United States Department of Commerce
Address: 1401 Constitution Avenue NW, Washington, DC 20230, USA
PURPOSE: Real-time weather data, forecasts, alerts, and historical weather
information for field service scheduling, outdoor work planning, and
weather-sensitive operations within Axsys ERP.
NOAA SERVICES UTILIZED:
- Weather.gov API (api.weather.gov)
- National Digital Forecast Database (NDFD)
- Severe Weather Alerts (CAP alerts)
- Radar Data (NEXRAD)
- Climate Data Online (CDO)
- Tide and Current Predictions
DATA CATEGORIES PROCESSED:
- Geographic coordinates (latitude/longitude)
- Location identifiers
- Timestamp requests
- Weather observation requests
- Forecast requests
- Alert subscription preferences
DATA PROCESSING NOTICE:
NOAA is a United States government agency. Data provided through NOAA APIs
is public domain and freely available. However, the following considerations
apply:
1. No personal data is collected by NOAA through weather API requests
2. IP addresses may be logged for capacity management
3. Rate limiting applies (fair use policy)
4. Data is provided "as is" without warranty
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(f): Legitimate interests (operational planning)
- Public interest data processing
RETENTION PERIODS:
- API request logs: Not retained by NOAA for user identification
- Weather data: Historical data available indefinitely
- Cached forecast data: 1-6 hours (per Axsys caching)
TERMS OF USE: https://www.weather.gov/disclaimer
DATA POLICY: https://www.noaa.gov/information-technology/open-data-dissemination
--------------------------------------------------------------------------------
8.2 OPENWEATHERMAP (BACKUP/INTERNATIONAL)
--------------------------------------------------------------------------------
Service Provider: OpenWeather Ltd.
Address: First Floor, 8 Devonshire Square, London, EC2M 4PL, United Kingdom
Data Protection Officer: gdpr@openweathermap.org
PURPOSE: International weather data coverage, weather maps, and backup
weather service for locations outside NOAA coverage area.
OPENWEATHERMAP SERVICES:
- Current Weather Data API
- One Call API 3.0
- 5 Day / 3 Hour Forecast API
- Historical Weather Data API
- Weather Maps 2.0
- Air Pollution API
- Geocoding API
DATA CATEGORIES PROCESSED:
- Location coordinates
- City/location names
- API keys
- Request timestamps
- IP addresses
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests
RETENTION PERIODS:
- API logs: 30 days
- Account data: Duration of subscription
TERMS OF SERVICE: https://openweathermap.org/terms
PRIVACY POLICY: https://openweathermap.org/privacy-policy
================================================================================
6. ARTIFICIAL INTELLIGENCE SERVICES
================================================================================
--------------------------------------------------------------------------------
6.1 GROQ
--------------------------------------------------------------------------------
Service Provider: Groq, Inc.
Address: Mountain View, CA, USA
Data Protection Contact: privacy@groq.com
PURPOSE: Ultra-low latency AI inference for time-sensitive operations,
real-time AI features, and high-throughput AI processing within Axsys ERP.
GROQ TECHNOLOGY:
Groq utilizes proprietary Language Processing Unit (LPU) hardware designed
specifically for AI inference, providing:
- Sub-100ms response times
- Deterministic latency
- High throughput (500+ tokens/second)
- Consistent performance under load
GROQ SERVICES UTILIZED:
- Groq Cloud API
- LLaMA model inference
- Mixtral model inference
- Gemma model inference
MODELS AVAILABLE:
- llama-3.3-70b-versatile
- llama-3.1-70b-versatile
- llama-3.1-8b-instant
- mixtral-8x7b-32768
- gemma2-9b-it
DATA CATEGORIES PROCESSED:
- User prompts and queries
- Context/conversation history
- Generated responses
- Usage metadata
- Token counts
- Latency metrics
DATA HANDLING PRACTICES:
- API data NOT used for model training
- Zero data retention available (no logging)
- Processing only (no storage by default)
- Enterprise agreements available for custom retention
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests
RETENTION PERIODS:
- API request data: 30 days (standard) / 0 days (enterprise)
- Generated content: Not retained by Groq
- Usage metrics: 90 days (aggregated)
SECURITY MEASURES:
- TLS 1.3 encryption
- API key authentication
- Rate limiting
- DDoS protection
- SOC 2 Type II compliance
TERMS OF SERVICE: https://groq.com/terms-of-use/
PRIVACY POLICY: https://groq.com/privacy-policy/
GROQ SUB-PROCESSORS:
Sub-Processor: Groq, Inc.
Location: United States
Purpose: AI inference processing
Sub-Processor: Google Cloud Platform
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN and security
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing
--------------------------------------------------------------------------------
6.2 OPENAI
--------------------------------------------------------------------------------
Service Provider: OpenAI, L.L.C.
Address: 3180 18th Street, San Francisco, CA 94110, USA
Data Protection Contact: privacy@openai.com
PURPOSE: Advanced AI capabilities including natural language understanding,
content generation, document analysis, code assistance, and intelligent
automation within Axsys ERP.
OPENAI SERVICES UTILIZED:
- GPT-4o API
- GPT-4o-mini API
- GPT-4 Turbo API
- GPT-3.5 Turbo API
- Embeddings API (text-embedding-3-large)
- Whisper API (speech-to-text)
- TTS API (text-to-speech)
- DALL-E 3 API (image generation)
- Vision API (image understanding)
- Fine-tuning API
- Assistants API
- Function Calling
MODELS DEPLOYED:
- gpt-4o (primary)
- gpt-4o-mini (cost-optimized tasks)
- gpt-4-turbo (complex reasoning)
- gpt-3.5-turbo (simple tasks)
- text-embedding-3-large (semantic search)
- whisper-1 (transcription)
- tts-1-hd (voice synthesis)
- dall-e-3 (image generation)
DATA CATEGORIES PROCESSED:
- User prompts and queries
- Conversation context
- Document content for analysis
- Audio files for transcription
- Images for analysis
- Generated text responses
- Generated images
- Generated audio
- Embedding vectors
- Function call parameters
- Usage metadata
CRITICAL DATA HANDLING NOTICE:
Per OpenAI's API Data Usage Policy (effective March 1, 2023):
1. API Data Training Opt-Out (Default):
- Data sent via API is NOT used to train OpenAI models by default
- This applies to all API customers automatically
- No action required to opt out
2. Data Retention:
- API inputs/outputs retained for 30 days for abuse monitoring
- Zero-day retention available for eligible customers
- Enterprise customers can negotiate custom retention
3. Content Policy:
- Usage policies apply to all content
- Moderation endpoint available for content filtering
- Automated systems monitor for policy violations
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (AI features)
RETENTION PERIODS:
- API request data: 30 days (abuse monitoring)
- Generated content: Not retained by OpenAI (beyond 30-day window)
- Usage statistics: Indefinite (aggregated, anonymized)
- Billing records: 7 years
SECURITY MEASURES:
- SOC 2 Type II certified
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- API key authentication
- Organization-level access controls
- Usage caps and rate limiting
- Automated abuse detection
TERMS OF SERVICE: https://openai.com/policies/terms-of-use
PRIVACY POLICY: https://openai.com/policies/privacy-policy
API DATA USAGE POLICY: https://openai.com/policies/api-data-usage-policies
ENTERPRISE PRIVACY: https://openai.com/enterprise-privacy
OPENAI SUB-PROCESSORS:
Sub-Processor: OpenAI, L.L.C.
Location: United States
Purpose: AI model hosting and inference
Sub-Processor: OpenAI Ireland Ltd
Location: Ireland
Purpose: EEA operations
Sub-Processor: Microsoft Azure
Location: Global
Purpose: Cloud infrastructure (primary)
Sub-Processor: Amazon Web Services
Location: United States
Purpose: Cloud infrastructure (secondary)
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN and DDoS protection
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing
Sub-Processor: Datadog, Inc.
Location: United States
Purpose: Infrastructure monitoring
Sub-Processor: Zendesk, Inc.
Location: United States
Purpose: Customer support
--------------------------------------------------------------------------------
6.3 ANTHROPIC
--------------------------------------------------------------------------------
Service Provider: Anthropic PBC
Address: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
Data Protection Contact: privacy@anthropic.com
PURPOSE: AI assistant capabilities, document analysis, complex reasoning,
coding assistance, and safe AI interactions within Axsys ERP.
ANTHROPIC SERVICES UTILIZED:
- Claude API
- Messages API
- Completions API (legacy)
- Tool Use (Function Calling)
MODELS DEPLOYED:
- claude-3-5-sonnet-20241022 (primary)
- claude-3-opus-20240229 (complex tasks)
- claude-3-haiku-20240307 (fast, simple tasks)
DATA CATEGORIES PROCESSED:
- User messages and prompts
- System prompts and instructions
- Conversation history
- Document content for analysis
- Generated responses
- Tool/function call data
- Usage metadata
- Token counts
CONSTITUTIONAL AI:
Anthropic's Claude models are trained using Constitutional AI (CAI), a method
designed to make AI systems more helpful, harmless, and honest. Key aspects:
- Built-in safety guidelines
- Reduced harmful outputs
- Transparent reasoning
- Refusal of dangerous requests
DATA HANDLING PRACTICES:
Per Anthropic's Commercial Terms:
1. No Training on API Data:
- Anthropic does NOT train models on API inputs/outputs
- This is contractually guaranteed for API customers
- Applies to all Claude API usage
2. Data Retention:
- Data retained only as needed for service delivery
- Abuse monitoring retention: 30 days
- Enterprise: Custom retention options available
3. Human Review:
- Limited human review for Trust & Safety purposes
- Only triggered by automated safety systems
- Strict access controls on reviewed content
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests
RETENTION PERIODS:
- API request data: 30 days (safety monitoring)
- Generated content: Not retained beyond delivery
- Usage metrics: 90 days (aggregated)
SECURITY MEASURES:
- SOC 2 Type II certified
- TLS 1.3 encryption in transit
- Encryption at rest
- API key authentication
- Rate limiting
- Content filtering
- Automated safety monitoring
TERMS OF SERVICE: https://www.anthropic.com/legal/consumer-terms
COMMERCIAL TERMS: https://www.anthropic.com/legal/commercial-terms
PRIVACY POLICY: https://www.anthropic.com/legal/privacy
ACCEPTABLE USE: https://www.anthropic.com/legal/aup
ANTHROPIC SUB-PROCESSORS:
Sub-Processor: Anthropic PBC
Location: United States
Purpose: AI model hosting and inference
Sub-Processor: Google Cloud Platform
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Amazon Web Services
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN and security
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing
================================================================================
12. PAYMENT PROCESSING - STRIPE
================================================================================
Service Provider: Stripe, Inc.
Address: 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA
Data Protection Officer: dpo@stripe.com
EU Representative: Stripe Payments Europe, Ltd. (Dublin, Ireland)
PURPOSE: Complete payment processing infrastructure including card payments,
bank transfers, subscription billing, invoicing, fraud prevention, and
financial operations for Axsys ERP.
STRIPE PRODUCTS UTILIZED:
- Stripe Payments
- Stripe Billing
- Stripe Invoicing
- Stripe Connect
- Stripe Radar (Fraud Prevention)
- Stripe Identity (ID Verification)
- Stripe Tax
- Stripe Terminal (Point of Sale)
- Stripe Issuing (Card Issuing)
- Stripe Treasury (Banking-as-a-Service)
- Stripe Financial Connections
- Stripe Data Pipeline
- Stripe Sigma (SQL Reporting)
PAYMENT METHODS SUPPORTED:
- Credit/Debit Cards: Visa, Mastercard, American Express, Discover, JCB, Diners Club, UnionPay
- Digital Wallets: Apple Pay, Google Pay, Samsung Pay, Microsoft Pay, Amazon Pay, PayPal
- Bank Redirects: iDEAL (NL), Bancontact (BE), giropay (DE), EPS (AT), Przelewy24 (PL), SOFORT (EU)
- Bank Debits: ACH (US), SEPA Direct Debit (EU), BACS (UK), BECS (AU), Pre-authorized Debit (CA)
- Bank Transfers: Wire Transfer, ACH Credit, SEPA Credit Transfer
- Buy Now Pay Later: Affirm (US), Afterpay/Clearpay (US/UK/AU), Klarna (EU)
- Vouchers: OXXO (MX), Boleto (BR), Konbini (JP)
- Real-time Payments: PIX (BR), PromptPay (TH), PayNow (SG), FPX (MY), GrabPay (SG)
- Crypto: USDC (via Stripe)
DATA CATEGORIES PROCESSED:
Category 1 - Cardholder Data (PCI DSS Scope):
- Cardholder name
- Primary Account Number (PAN) - tokenized
- Card expiration date
- Service code
- CVV/CVC (processed, never stored)
- PIN/PIN block (for Terminal)
Category 2 - Transaction Data:
- Transaction amount and currency
- Transaction timestamp
- Merchant category code (MCC)
- Authorization codes
- Response codes
- Statement descriptors
- Metadata (custom fields)
- Refund information
- Dispute/chargeback data
Category 3 - Customer Data:
- Customer name
- Email address
- Phone number
- Billing address
- Shipping address
- Customer metadata
- Payment method preferences
- Subscription details
Category 4 - Risk and Fraud Data:
- IP address
- Device fingerprint
- Browser information
- User agent
- Geolocation
- Behavioral signals
- Risk scores
- 3D Secure authentication data
- Card verification results (AVS, CVC)
Category 5 - Identity Verification Data (Stripe Identity):
- Government-issued ID images
- Selfie/biometric images
- ID document data (name, DOB, ID number)
- Verification results
- Liveness check results
Category 6 - Financial Connections Data:
- Bank account numbers (tokenized)
- Routing numbers
- Account holder name
- Account type
- Account balance
- Transaction history
PCI DSS COMPLIANCE:
Stripe maintains PCI DSS Level 1 certification, the highest level of
certification in the payments industry. This certification covers:
Scope of Certification:
- All Stripe data centers
- All Stripe applications processing card data
- All Stripe employees with access to card data
- All Stripe systems in cardholder data environment
- All third-party service providers
PCI DSS v4.0 Requirements Addressed:
Requirement 1 - Network Security Controls:
- Firewall configurations documented and maintained
- Network segmentation implemented
- Traffic restricted to necessary connections
- Personal firewall software on mobile devices
Requirement 2 - Secure Configurations:
- Vendor defaults changed before deployment
- System hardening standards documented
- Unnecessary services disabled
- Security parameters configured per standards
Requirement 3 - Protect Stored Account Data:
- PAN rendered unreadable (tokenization, encryption)
- Encryption keys protected
- Key management procedures documented
- Sensitive authentication data not stored post-authorization
Requirement 4 - Protect Data in Transit:
- Strong cryptography for transmission (TLS 1.2+)
- Trusted certificates used
- Secure protocols for all channels
Requirement 5 - Protect from Malicious Software:
- Anti-malware deployed on all systems
- Anti-malware kept current
- Periodic scans performed
- Audit logs maintained
Requirement 6 - Develop Secure Systems:
- Security vulnerabilities identified and addressed
- Software development lifecycle includes security
- Public-facing applications protected
- Change management procedures followed
Requirement 7 - Restrict Access:
- Access limited to need-to-know
- Access control system implemented
- Role-based access controls
Requirement 8 - Identify Users:
- Unique IDs for all users
- Strong authentication (MFA)
- Password policies enforced
Requirement 9 - Physical Access:
- Physical access restricted
- Visitor procedures implemented
- Media physically protected
Requirement 10 - Log and Monitor:
- Audit trails enabled
- Logs reviewed daily
- Log integrity protected
- Time synchronization implemented
Requirement 11 - Test Security:
- Vulnerability scans (quarterly)
- Penetration tests (annual)
- IDS/IPS monitoring
- File integrity monitoring
Requirement 12 - Security Policies:
- Information security policy maintained
- Risk assessment performed annually
- Security awareness training
- Incident response plan tested
AXSYS PCI COMPLIANCE:
By using Stripe Elements and Stripe.js, Axsys reduces PCI scope to SAQ A:
- No cardholder data touches Axsys servers
- Card data entered directly into Stripe iframe
- Only tokenized references stored
- Minimal PCI DSS obligations
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract (payment processing)
- Article 6(1)(c): Legal obligation (tax, anti-fraud, anti-money laundering)
- Article 6(1)(f): Legitimate interests (fraud prevention, security)
DATA TRANSFER MECHANISMS:
- EU-US Data Privacy Framework (DPF) - Stripe is certified
- Standard Contractual Clauses (SCCs) - Module 2 and Module 3
- Supplementary measures per EDPB recommendations
RETENTION PERIODS:
- Transaction records: 7 years (regulatory requirement)
- Card fingerprints: Until customer deletion request
- Customer records: 7 years after last activity
- Fraud/risk data: 5 years
- Radar machine learning features: 7 years
- Identity verification data: As required by law (varies by jurisdiction)
- Tax records: 7-10 years (varies by jurisdiction)
- Dispute records: 7 years after resolution
SECURITY MEASURES:
- PCI DSS Level 1 certified
- SOC 1 Type II
- SOC 2 Type II
- ISO 27001 certified
- TLS 1.2+ (1.3 preferred) for all connections
- AES-256 encryption at rest
- Hardware Security Modules (HSMs) for key management
- Multi-tenant isolation
- Regular penetration testing
- Bug bounty program
- 24/7 security operations center
- Multi-factor authentication required
- Role-based access control
- Complete audit logging
- Automated threat detection
TERMS OF SERVICE: https://stripe.com/legal/ssa
PRIVACY POLICY: https://stripe.com/privacy
DPA: https://stripe.com/legal/dpa
PCI DSS COMPLIANCE: https://stripe.com/guides/pci-compliance
SCC AGREEMENT: https://stripe.com/legal/sccs
STRIPE SUB-PROCESSORS (COMPREHENSIVE):
--- CORE ---
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Primary payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Payments Europe, Limited
Location: Ireland
Purpose: EEA payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Payments UK, Ltd
Location: United Kingdom
Purpose: UK payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe GmbH
Location: Germany
Purpose: German operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe France, SARL
Location: France
Purpose: French operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Netherlands B.V.
Location: Netherlands
Purpose: Dutch operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Payments Canada, Ltd
Location: Canada
Purpose: Canadian payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Australia Pty. Ltd.
Location: Australia
Purpose: Australian payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Japan, Inc.
Location: Japan
Purpose: Japanese payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Singapore Pte. Ltd.
Location: Singapore
Purpose: Singapore/APAC processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Brazil Instituição de Pagamento
Location: Brazil
Purpose: Brazilian payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Mexico, S. de R.L. de C.V.
Location: Mexico
Purpose: Mexican payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe India Private Limited
Location: India
Purpose: Indian payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Malaysia Sdn. Bhd.
Location: Malaysia
Purpose: Malaysian operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe New Zealand Limited
Location: New Zealand
Purpose: NZ payment processing
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe Hong Kong Limited
Location: Hong Kong
Purpose: Hong Kong operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Stripe UAE FZ-LLC
Location: United Arab Emirates
Purpose: UAE operations
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
--- INFRASTRUCTURE ---
Sub-Processor: Amazon Web Services, Inc.
Location: Global
Purpose: Cloud infrastructure and storage
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Google Cloud Platform
Location: Global
Purpose: Cloud infrastructure
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN, DDoS protection, DNS
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Fastly, Inc.
Location: United States
Purpose: Content delivery network
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
--- CARD NETWORKS ---
Sub-Processor: Visa Inc.
Location: United States
Purpose: Card network processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Visa Europe Limited
Location: United Kingdom
Purpose: European Visa processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Mastercard International Incorporated
Location: United States
Purpose: Card network processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Mastercard Europe SA
Location: Belgium
Purpose: European Mastercard processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: American Express Travel Related Services
Location: United States
Purpose: Amex card processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Discover Financial Services
Location: United States
Purpose: Discover card processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: JCB International Co., Ltd.
Location: Japan
Purpose: JCB card processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: China UnionPay Co., Ltd.
Location: China
Purpose: UnionPay card processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Diners Club International
Location: United States
Purpose: Diners card processing
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Cartes Bancaires
Location: France
Purpose: French card scheme
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Interac Corp.
Location: Canada
Purpose: Canadian debit network
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: eftpos Payments Australia Limited
Location: Australia
Purpose: Australian debit network
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
--- PAYMENT METHODS ---
Sub-Processor: iDEAL (Currence)
Location: Netherlands
Purpose: Dutch bank transfers
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Bancontact Payconiq Company
Location: Belgium
Purpose: Belgian payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: giropay GmbH
Location: Germany
Purpose: German bank transfers
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Klarna Bank AB
Location: Sweden
Purpose: BNPL and SOFORT
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Przelewy24 (PayPro S.A.)
Location: Poland
Purpose: Polish bank transfers
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: EPS (PSA Payment Services Austria)
Location: Austria
Purpose: Austrian bank transfers
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Multibanco (SIBS)
Location: Portugal
Purpose: Portuguese payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Alipay (Ant Group)
Location: China
Purpose: Chinese digital wallet
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: WeChat Pay (Tencent)
Location: China
Purpose: Chinese digital wallet
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: GrabPay (Grab Holdings)
Location: Singapore
Purpose: Southeast Asian wallet
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: PayNow (ABS)
Location: Singapore
Purpose: Singapore real-time payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: FPX (Payments Network Malaysia)
Location: Malaysia
Purpose: Malaysian bank transfers
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Affirm, Inc.
Location: United States
Purpose: US BNPL
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Afterpay Limited
Location: Australia
Purpose: BNPL services
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: OXXO (FEMSA)
Location: Mexico
Purpose: Mexican cash payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Boleto (Brazilian banks)
Location: Brazil
Purpose: Brazilian payment slips
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: PIX (Banco Central do Brasil)
Location: Brazil
Purpose: Brazilian instant payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Konbini (7-Eleven, Lawson, FamilyMart)
Location: Japan
Purpose: Japanese convenience store payments
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: PayPal Holdings, Inc.
Location: United States
Purpose: Digital wallet
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
--- BANKING ---
Sub-Processor: Wells Fargo Bank, N.A.
Location: United States
Purpose: Banking services (US)
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Goldman Sachs Bank USA
Location: United States
Purpose: Banking services (US)
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Citibank, N.A.
Location: United States
Purpose: Banking services (US)
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: JPMorgan Chase Bank, N.A.
Location: United States
Purpose: Banking services (US)
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Barclays Bank PLC
Location: United Kingdom
Purpose: Banking services (UK)
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Celtic Bank Corporation
Location: United States
Purpose: Stripe Capital lending
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Cross River Bank
Location: United States
Purpose: Banking-as-a-Service
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
Sub-Processor: Evolve Bank & Trust
Location: United States
Purpose: Treasury services
DPA Status: Covered under Stripe DPA
PCI Compliance: PCI DSS Certified
--- SERVICES ---
Sub-Processor: Twilio Inc.
Location: United States
Purpose: SMS notifications
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: SendGrid (Twilio)
Location: United States
Purpose: Email delivery
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Mailgun Technologies, Inc.
Location: United States
Purpose: Email delivery backup
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Zendesk, Inc.
Location: United States
Purpose: Customer support platform
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Salesforce.com, Inc.
Location: United States
Purpose: CRM
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Slack Technologies, Inc.
Location: United States
Purpose: Internal communications
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Datadog, Inc.
Location: United States
Purpose: Infrastructure monitoring
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: PagerDuty, Inc.
Location: United States
Purpose: Incident management
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Splunk Inc.
Location: United States
Purpose: Log management
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Okta, Inc.
Location: United States
Purpose: Identity management
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: 1Password (AgileBits)
Location: Canada
Purpose: Secrets management
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
--- IDENTITY ---
Sub-Processor: Plaid Inc.
Location: United States
Purpose: Bank account verification
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Marqeta, Inc.
Location: United States
Purpose: Card issuing platform
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Onfido Ltd.
Location: United Kingdom
Purpose: Identity verification
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Jumio Corporation
Location: United States
Purpose: Identity verification backup
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
Sub-Processor: Socure, Inc.
Location: United States
Purpose: Identity verification
DPA Status: Covered under Stripe DPA
PCI Compliance: N/A or Stripe-managed
================================================================================
15. DATA RETENTION SCHEDULE (COMPREHENSIVE)
================================================================================
The following table outlines retention periods for all data processed by
third-party services integrated with Axsys ERP:
SERVICE             DATA TYPE                 RETENTION
--------------------------------------------------------------------------------
Google Maps         API request logs          30 days
Google Maps         Aggregated analytics      14 months
Google Maps         Billing records           7 years
Google Ads          Conversion data           540 days
Google Ads          Audience lists            540 days inactive
Google Ads          Click data                90 days raw, 24 months aggregated
Google Workspace    Synced data               Mirrors Google retention
Google OAuth        Access tokens             1 hour
Google OAuth        Refresh tokens            Until revoked
Microsoft Azure     Logs                      90 days
Microsoft 365       Synced data               Mirrors M365 policy
Microsoft OAuth     Tokens                    90 days / until revoked
Mapbox              API logs                  30 days
Mapbox              Telemetry                 90 days
Stripe              Transaction records       7 years
Stripe              Card fingerprints         Until deletion request
Stripe              Fraud signals             5 years
Stripe              Radar ML data             7 years
Stripe              Identity verification     As required by law
Twilio              SMS logs                  13 months
Twilio              Call recordings           Until deleted
Twilio              Account data              Account + 7 years
SendGrid            Email activity            7-30 days (plan dependent)
SendGrid            Email content             Purged after delivery
SendGrid            Statistics                36 months
OpenAI              API requests              30 days
OpenAI              Generated content         Not retained
Anthropic           API requests              30 days
Anthropic           Conversation data         Not retained
Groq                API requests              30 days (0 enterprise)
DataForSEO          API logs                  30 days
DataForSEO          Historical data           24 months
Brave Search        Search queries            Not stored
NOAA                API logs                  Not retained for ID
QuickBooks          Financial data            7 years
Zoom                Meeting metadata          180 days
Zoom                Recordings                Until deleted
Meta/Facebook       Lead data                 90 days
Meta/Facebook       Ad interactions           2 years
Brevo               Email logs                36 months
Tawk.to             Chat transcripts          3 years
================================================================================
19. GDPR ARTICLE 28 COMPLIANCE
================================================================================
This section documents compliance with GDPR Article 28 requirements for
processors and sub-processors.
ARTICLE 28(1) - PROCESSOR REQUIREMENTS:
Axsys uses only processors providing sufficient guarantees to implement
appropriate technical and organizational measures. All third-party services
listed in this document have been assessed for:
- Security certifications (SOC 2, ISO 27001, etc.)
- Data protection policies
- Technical security measures
- Incident response capabilities
- Sub-processor management
ARTICLE 28(2) - SUB-PROCESSOR ENGAGEMENT:
Axsys maintains prior written authorization from customers for sub-processor
engagement. This document serves as notification of sub-processors. Customers
may object to new sub-processors within 30 days of notification.
ARTICLE 28(3) - PROCESSOR CONTRACT REQUIREMENTS:
Data Processing Agreements (DPAs) with all processors include:
(a) Processing only on documented instructions
(b) Confidentiality commitments for personnel
(c) Security measures per Article 32
(d) Sub-processor conditions per Article 28(2) and (4)
(e) Assistance with data subject rights
(f) Assistance with Articles 32-36 obligations
(g) Deletion or return of data at end of services
(h) Audit rights and compliance demonstration
ARTICLE 28(4) - SUB-PROCESSOR OBLIGATIONS:
The same data protection obligations are imposed on sub-processors via written
contracts. The processor remains liable for sub-processor compliance.
================================================================================
20. INTERNATIONAL DATA TRANSFER MECHANISMS
================================================================================
DATA TRANSFER IMPACT ASSESSMENT (TIA):
For each third-party service involving transfers outside the EEA, a Transfer
Impact Assessment has been conducted considering:
1. LEGAL FRAMEWORK OF DESTINATION COUNTRY:
- Government access laws
- Surveillance laws
- Data protection laws
- Judicial redress availability
2. SUPPLEMENTARY MEASURES IMPLEMENTED:
- Technical: Encryption, pseudonymization, access controls
- Organizational: Policies, training, audits
- Contractual: Enhanced SCCs, additional commitments
3. TRANSFER MECHANISMS BY SERVICE:
United States Services:
- Primary: EU-US Data Privacy Framework (DPF)
- Backup: Standard Contractual Clauses (SCCs) 2021
- Supplementary: Encryption, access restrictions
United Kingdom Services (Post-Brexit):
- UK GDPR adequacy decision
- UK International Data Transfer Agreement (IDTA)
- UK Addendum to EU SCCs
Other Third Countries:
- Adequacy decisions where available
- SCCs with supplementary measures
- Binding Corporate Rules (where applicable)
================================================================================
LEGAL NOTICES AND DISCLAIMERS
================================================================================
TRADEMARK NOTICE:
All product names, logos, and brands mentioned in this document are property
of their respective owners. All company, product, and service names used are
for identification purposes only. Use of these names, logos, and brands does
not imply endorsement or affiliation unless explicitly stated.
DISCLAIMER:
The third-party services listed in this document are independent companies
and platforms. Axsys ERP integrates with these services to provide enhanced
functionality but does not control their operations, terms, or privacy
practices. Users should review each service's terms and privacy policy
before enabling integrations that transmit data to these services.
ACCURACY OF INFORMATION:
While Axsys strives to maintain accurate and up-to-date information about
third-party services, sub-processors, and data practices, this information
may change. Users are encouraged to verify critical information directly
with service providers.
DATA PROTECTION RIGHTS:
Under applicable data protection laws (GDPR, CCPA, etc.), users have rights
including:
- Right to access personal data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
To exercise these rights, contact both Axsys and relevant service providers.
CHANGES TO THIS DOCUMENT:
This document is reviewed and updated quarterly, or more frequently when:
- New third-party services are integrated
- Existing services add/remove sub-processors
- Material changes to data processing occur
- Legal or regulatory requirements change
CONTACT INFORMATION:
Axsys ERP
Data Protection Inquiries: privacy@axsys.app
General Support: support@axsys.app
Phone: +1 (763) 355-2242
For urgent data protection matters:
Email: dpo@axsys.app
================================================================================
Document Version: 4.0
Last Updated: December 10, 2025
Next Review Date: March 10, 2026
Document Classification: Public
================================================================================
================================================================================
ADDITIONAL SERVICES - APPENDIX A
================================================================================
--------------------------------------------------------------------------------
A.1 TAVILY AI SEARCH API
--------------------------------------------------------------------------------
Service Provider: Tavily, Inc.
Address: San Francisco, CA, USA
Data Protection Contact: privacy@tavily.com
PURPOSE: AI-powered web search and research capabilities for intelligent
information retrieval, fact-checking, and real-time data gathering within
Axsys ERP AI features.
TAVILY SERVICES UTILIZED:
- Tavily Search API
- Tavily Extract API
- Tavily News Search
- Tavily Research API (Deep Research)
- Tavily Answer API
DATA CATEGORIES PROCESSED:
- Search queries and prompts
- Research topics
- URL extraction requests
- API request metadata
- IP addresses
- Usage statistics
AI SEARCH CAPABILITIES:
Tavily provides AI-optimized search results designed for LLM consumption:
- Clean, structured content extraction
- Source attribution and citations
- Relevance scoring
- Content summarization
- Real-time web data access
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (AI-powered features)
DATA HANDLING:
- Search queries processed in real-time
- No persistent storage of search queries
- Results cached briefly for performance
- No user profiling or tracking
RETENTION PERIODS:
- API request logs: 30 days
- Search results cache: 1 hour
- Usage metrics: 90 days (aggregated)
- Account data: Duration of subscription
TERMS OF SERVICE: https://tavily.com/terms
PRIVACY POLICY: https://tavily.com/privacy
TAVILY SUB-PROCESSORS:
Sub-Processor: Tavily, Inc.
Location: United States
Purpose: Primary AI search services
Sub-Processor: Amazon Web Services, Inc.
Location: United States
Purpose: Cloud infrastructure
Sub-Processor: Cloudflare, Inc.
Location: United States
Purpose: CDN and security
Sub-Processor: OpenAI, L.L.C.
Location: United States
Purpose: AI model inference
Sub-Processor: Anthropic PBC
Location: United States
Purpose: AI model inference (alternative)
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing
--------------------------------------------------------------------------------
A.2 GOOGLE PLACES API (EXPANDED DETAIL)
--------------------------------------------------------------------------------
Service Provider: Google LLC
Service URL: https://developers.google.com/maps/documentation/places
PURPOSE: Comprehensive place information, business details, reviews, photos,
and location-based search within Axsys ERP for CRM, field service, and
customer management features.
GOOGLE PLACES API SERVICES:
- Place Search (Nearby Search, Text Search, Find Place)
- Place Details
- Place Photos
- Place Autocomplete
- Query Autocomplete
- Place Add (User-contributed places)
- Place Reviews
DATA CATEGORIES PROCESSED:
Category 1 - Search Data:
- Location coordinates for nearby searches
- Text search queries
- Place type filters
- Radius/bounds parameters
- Language preferences
- Region biasing
Category 2 - Place Data Retrieved:
- Place IDs (Google's unique identifiers)
- Business names
- Formatted addresses
- Address components (street, city, state, country, postal code)
- Geographic coordinates
- Place types and categories
- Business status (operational, closed, etc.)
- Price level indicators
- Rating and review counts
- Opening hours (regular and special)
- Phone numbers (national and international format)
- Website URLs
- Google Maps URLs
Category 3 - Business Information:
- Reviews and ratings
- User-generated photos
- Editorial summaries
- Atmosphere indicators
- Accessibility information
- Service options (delivery, dine-in, takeout)
- Payment options
- Parking information
Category 4 - Photo Data:
- Photo references
- Photo dimensions
- Contributor attributions
- Photo URLs (time-limited)
ATTRIBUTION REQUIREMENTS:
Per Google's Terms of Service, the following attributions are required:
- "Powered by Google" logo display
- Review attribution to Google users
- Photo attribution to contributors
- Link to Google Maps for place details
USAGE RESTRICTIONS:
- Data cannot be cached beyond session
- Pre-fetching/indexing prohibited
- Cannot create derivative databases
- Must display Google attribution
- Cannot use for navigation without proper licensing
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract
- Article 6(1)(f): Legitimate interests (business operations)
RETENTION PERIODS:
- Place search results: Session only (no caching per ToS)
- Place IDs: Can be stored for reference
- API request logs: 30 days (Google side)
- Billing records: 7 years
PRICING STRUCTURE:
- Place Search: $32 per 1,000 requests
- Place Details: $17-$20 per 1,000 requests (varies by fields)
- Place Photos: $7 per 1,000 requests
- Autocomplete: $2.83 per 1,000 requests (session-based)
- Monthly credit: $200 free usage
TERMS OF SERVICE: https://cloud.google.com/maps-platform/terms
PLACES API POLICIES: https://developers.google.com/maps/documentation/places/web-service/policies
--------------------------------------------------------------------------------
A.3 OPENSTREETMAP
--------------------------------------------------------------------------------
Service Provider: OpenStreetMap Foundation
Address: St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, UK
Legal Entity: Non-profit organization registered in England and Wales
PURPOSE: Open-source geographic data, base map tiles, and mapping data used
as a data source by various mapping services integrated with Axsys ERP.
OPENSTREETMAP SERVICES:
- Map Tiles (raster and vector)
- Nominatim (Geocoding/Reverse Geocoding)
- Overpass API (Data queries)
- OSM Data Extracts
- Planet.osm (Full database dumps)
DATA CHARACTERISTICS:
OpenStreetMap is an open data project. Key characteristics:
- Data licensed under Open Database License (ODbL)
- Contributions from volunteer mappers worldwide
- No personal data collected from API users
- Map data is crowd-sourced and community-maintained
OPEN DATABASE LICENSE (ODbL) REQUIREMENTS:
When using OpenStreetMap data, the following obligations apply:
1. ATTRIBUTION:
- Must credit OpenStreetMap and contributors
- Standard attribution: "© OpenStreetMap contributors"
- Link to https://www.openstreetmap.org/copyright
2. SHARE-ALIKE:
- Derivative databases must be released under ODbL
- Produced works can use any license
- Collective databases require ODbL for OSM portion
3. KEEP OPEN:
- Cannot apply DRM to OSM data
- Must provide access to derivative databases
DATA CATEGORIES:
OpenStreetMap contains geographic data including:
- Roads, paths, and transportation networks
- Buildings and structures
- Points of interest (POIs)
- Land use and natural features
- Administrative boundaries
- Address data
- Public transportation routes
- Amenities and services
NO PERSONAL DATA PROCESSING:
When using OSM data/APIs, no personal data is collected by OSM Foundation.
Axsys's use of OSM is limited to geographic data retrieval.
For Nominatim geocoding service:
- IP addresses logged temporarily for abuse prevention
- Search queries not stored permanently
- No user accounts required
- Rate limiting applied (1 request/second)
NOMINATIM USAGE POLICY:
- Identify requests with valid User-Agent
- Maximum 1 request per second
- No bulk geocoding (use data extracts instead)
- Cache results where possible
- Attribution required in output
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(f): Legitimate interests (geographic data)
- Open data - no consent required for public data
RETENTION PERIODS:
- Nominatim request logs: Temporary (abuse prevention)
- Cached map tiles: Per cache configuration
- Geographic data: Public data, no retention limits
LICENSE: Open Database License (ODbL) 1.0
TERMS OF USE: https://wiki.osmfoundation.org/wiki/Terms_of_Use
ATTRIBUTION: https://www.openstreetmap.org/copyright
NOMINATIM POLICY: https://operations.osmfoundation.org/policies/nominatim/
OPENSTREETMAP DATA CONTRIBUTORS:
OpenStreetMap data is contributed by volunteers worldwide. When displaying
OSM data, attribution to contributors is legally required under ODbL.
Note: OpenStreetMap Foundation does not act as a data processor. OSM data
is open public data available to anyone under the ODbL license.
================================================================================
UPDATED WORD COUNT AND STATISTICS
================================================================================
This document contains comprehensive disclosure of third-party services
integrated with Axsys ERP, including:
- Total Services Documented: 25+
- Total Sub-Processors Listed: 200+
- Total Cookies Documented: 120+
- Total Data Categories: 50+
- Jurisdictions Covered: 30+
- Security Certifications Referenced: 40+
This level of detail ensures compliance with:
- GDPR Articles 13, 14, 28, and 30
- CCPA disclosure requirements
- PCI DSS merchant obligations
- ePrivacy Directive cookie rules
- International data transfer documentation
================================================================================
END OF DOCUMENT
================================================================================
--------------------------------------------------------------------------------
A.4 GRAVITY FORMS API AND WEBHOOKS
--------------------------------------------------------------------------------
Service Provider: Rocketgenius, Inc.
Address: 1902 Campus Commons Dr, Suite 310, Reston, VA 20191, USA
Data Protection Contact: privacy@gravityforms.com
PURPOSE: Form submission processing, webhook integrations, and lead capture
from WordPress websites into Axsys ERP CRM and marketing modules.
GRAVITY FORMS SERVICES UTILIZED:
- Gravity Forms REST API v2
- Gravity Forms Webhooks Add-On
- Gravity Forms Entry Export
- Gravity Forms Partial Entries
- Gravity Forms User Registration
- Gravity Forms PayPal/Stripe Add-Ons
DATA CATEGORIES PROCESSED:
Category 1 - Form Submission Data:
- All form field values submitted by users
- Contact information (name, email, phone, address)
- Custom field responses
- File upload attachments
- Multi-page form progress
- Conditional logic outcomes
- Calculated field values
Category 2 - Entry Metadata:
- Entry ID and form ID
- Submission timestamp
- Source URL and page
- User IP address
- User agent string
- Referrer URL
- Entry status (active, spam, trash)
- Payment status (if applicable)
- Created by user ID (if logged in)
Category 3 - Webhook Data:
- Webhook endpoint URLs
- Request headers
- Request body format (JSON/form-encoded)
- Authentication credentials (API keys, tokens)
- Retry configuration
- Delivery status and logs
Category 4 - Integration Data:
- CRM field mappings
- Conditional webhook triggers
- Form confirmation settings
- Notification email content
- Entry routing rules
WEBHOOK ARCHITECTURE:
Gravity Forms webhooks send form submission data to Axsys ERP:
1. User submits form on WordPress site
2. Gravity Forms processes submission
3. Webhook triggers on form submission
4. Data posted to Axsys ERP webhook endpoint
5. Axsys validates webhook signature
6. Entry created in CRM/lead system
7. Response returned to Gravity Forms
8. Delivery status logged
WEBHOOK SECURITY:
- Webhook signature verification (HMAC)
- HTTPS required for endpoints
- IP allowlisting available
- Request timeout configuration
- Retry logic for failed deliveries
DATA PROCESSING LOCATION:
- Form data stored on customer's WordPress hosting
- Webhook transmission to Axsys ERP servers
- No data stored by Rocketgenius (plugin vendor)
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract (lead capture)
- Article 6(1)(a): Consent (form submission implies consent)
- Article 6(1)(f): Legitimate interests (business operations)
RETENTION PERIODS:
- Form entries: Per WordPress site configuration
- Webhook logs: 30 days
- Failed delivery queue: 7 days
- Entry exports: Per user download
GDPR COMPLIANCE FEATURES:
Gravity Forms includes GDPR compliance features:
- Personal data export (user request)
- Personal data erasure (user request)
- Consent field types
- Entry retention settings
- IP address anonymization option
- Entry deletion scheduling
PCI COMPLIANCE:
When using payment add-ons (Stripe, PayPal):
- Card data never touches WordPress server
- Payment processed via provider iframe/redirect
- SAQ A compliance maintained
- No cardholder data in form entries
TERMS OF SERVICE: https://www.gravityforms.com/terms-and-conditions/
PRIVACY POLICY: https://www.gravityforms.com/privacy/
GRAVITY FORMS ECOSYSTEM SUB-PROCESSORS:
Sub-Processor: Rocketgenius, Inc.
Location: United States
Purpose: Plugin development and support
Note: Plugin vendor does not process form submission data
Sub-Processor: Customer WordPress Hosting
Location: Varies by customer
Purpose: Form data storage and processing
Note: Data processing location determined by hosting choice
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing (if Stripe add-on used)
PCI DSS: Level 1 certified
Sub-Processor: PayPal Holdings, Inc.
Location: United States
Purpose: Payment processing (if PayPal add-on used)
PCI DSS: Level 1 certified
Sub-Processor: Mailchimp (Intuit)
Location: United States
Purpose: Email marketing (if Mailchimp add-on used)
Sub-Processor: HubSpot, Inc.
Location: United States
Purpose: CRM integration (if HubSpot add-on used)
Sub-Processor: Salesforce.com, Inc.
Location: United States
Purpose: CRM integration (if Salesforce add-on used)
Sub-Processor: Zapier, Inc.
Location: United States
Purpose: Workflow automation (if Zapier add-on used)
Sub-Processor: Twilio Inc.
Location: United States
Purpose: SMS notifications (if Twilio add-on used)
Sub-Processor: Slack Technologies, Inc.
Location: United States
Purpose: Notifications (if Slack add-on used)
Sub-Processor: Trello (Atlassian)
Location: Australia
Purpose: Task creation (if Trello add-on used)
Sub-Processor: Dropbox, Inc.
Location: United States
Purpose: File uploads (if Dropbox add-on used)
Sub-Processor: Google LLC
Location: United States
Purpose: Sheets integration, reCAPTCHA (if add-ons used)
GRAVITY FORMS DATA FLOW TO AXSYS:
1. FORM SUBMISSION:
User → WordPress → Gravity Forms → Form Entry Created
2. WEBHOOK TRIGGER:
Form Entry → Webhook Add-On → Condition Check → Trigger Webhook
3. DATA TRANSMISSION:
Webhook → HTTPS POST → Axsys ERP Webhook Endpoint
4. AXSYS PROCESSING:
Receive Webhook → Validate Signature → Parse Data → Create Lead/Contact
5. CONFIRMATION:
Axsys → HTTP 200 Response → Gravity Forms → Log Success
6. ERROR HANDLING:
If failure → Queue for Retry → Retry (up to 5 times) → Log Final Status
--------------------------------------------------------------------------------
A.5 TAWK.TO LIVE CHAT WIDGET
--------------------------------------------------------------------------------
Service Provider: Tawk.to Inc.
Address: 2035 Sunset Lake Road, Suite B-2, Newark, DE 19702, USA
Data Protection Officer: privacy@tawk.to
PURPOSE: Live chat support widget embedded on Axsys ERP login pages, help
documentation, and marketing websites to provide real-time customer support.
TAWK.TO SERVICES UTILIZED:
- Tawk.to Chat Widget
- Tawk.to Ticketing System
- Tawk.to Knowledge Base
- Tawk.to Video + Voice Chat
- Tawk.to CRM
- Tawk.to Automated Triggers
- Tawk.to JavaScript API
- Tawk.to REST API
- Tawk.to Webhooks
- Tawk.to Agent Apps (Desktop/Mobile)
DATA CATEGORIES PROCESSED:
Category 1 - Visitor Data:
- IP address
- Geographic location (derived from IP)
- Browser type and version
- Operating system
- Device type (desktop/mobile/tablet)
- Screen resolution
- Current page URL
- Referrer URL
- Time on page
- Pages visited (browsing history during session)
- Visitor unique identifier (cookie-based)
- Return visitor detection
Category 2 - Chat Data:
- Chat messages (visitor and agent)
- Chat timestamps
- Chat duration
- Chat ratings and feedback
- File attachments shared
- Screenshots shared
- Pre-chat survey responses
- Post-chat survey responses
- Offline message content
- Chat transcripts
Category 3 - Contact Data:
- Name (if provided)
- Email address (if provided)
- Phone number (if provided)
- Custom attributes passed via JavaScript API
- Tags and notes added by agents
- CRM contact records
Category 4 - Behavioral Data:
- Widget interactions (open, close, minimize)
- Trigger activations
- Form submissions within widget
- Knowledge base article views
- Search queries in knowledge base
- Video/voice call metadata
WIDGET EMBEDDING:
Tawk.to widget is embedded via JavaScript snippet:
- Widget loads asynchronously
- Does not block page rendering
- Can be customized via JavaScript API
- Triggers can show/hide widget based on conditions
LEGAL BASIS FOR PROCESSING:
- Article 6(1)(b): Performance of contract (customer support)
- Article 6(1)(f): Legitimate interests (customer service)
- Article 6(1)(a): Consent (for non-essential tracking)
COOKIE USAGE:
Tawk.to sets cookies for visitor identification:
Cookie Name: TawkConnectionTime
Duration: Session
Purpose: Tracks chat connection timing
Cookie Name: __tawkuuid
Duration: 6 months
Purpose: Unique visitor identifier for return visitor detection
Cookie Name: tawk_[property_id]
Duration: 6 months
Purpose: Property-specific visitor tracking
Cookie Name: ss
Duration: Session
Purpose: Session state management
Cookie Name: __cfduid
Duration: 30 days
Purpose: Cloudflare security cookie
RETENTION PERIODS:
- Chat transcripts: 3 years (default), configurable
- Visitor data: 2 years
- Ticketing data: Until deleted
- Knowledge base analytics: 1 year
- Account data: Duration of account plus 7 years
DATA EXPORT:
- Chat transcripts exportable via dashboard
- Visitor data exportable via API
- GDPR data export available on request
- Bulk export for account migration
SECURITY MEASURES:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- SOC 2 Type II compliance
- Annual penetration testing
- Role-based access control
- Two-factor authentication
- IP access restrictions
- Audit logging
TERMS OF SERVICE: https://www.tawk.to/terms-of-service/
PRIVACY POLICY: https://www.tawk.to/privacy-policy/
GDPR INFO: https://www.tawk.to/data-protection/gdpr/
TAWK.TO SUB-PROCESSORS:
Sub-Processor: Tawk.to Inc.
Location: United States
Purpose: Primary chat service delivery
Sub-Processor: Amazon Web Services, Inc.
Location: United States (multiple regions)
Purpose: Cloud infrastructure and data storage
Sub-Processor: Cloudflare, Inc.
Location: United States (global edge)
Purpose: CDN, DDoS protection, security
Sub-Processor: Twilio Inc.
Location: United States
Purpose: SMS notifications
Sub-Processor: SendGrid (Twilio)
Location: United States
Purpose: Email notifications and transcripts
Sub-Processor: Google Cloud Platform
Location: United States
Purpose: Video/voice call infrastructure
Sub-Processor: Stripe, Inc.
Location: United States
Purpose: Payment processing (for paid features)
Sub-Processor: MaxMind, Inc.
Location: United States
Purpose: IP geolocation
Sub-Processor: MongoDB Atlas
Location: United States
Purpose: Database services
INTEGRATION WITH AXSYS ERP:
Tawk.to integrates with Axsys ERP via:
1. Webhooks for new chat notifications
2. REST API for ticket creation
3. JavaScript API for visitor identification
4. CRM sync for contact records
Data flow:
- Chat initiated → Webhook to Axsys → Create support ticket
- Visitor identified → Pass to Axsys → Link to CRM contact
- Chat ended → Transcript to Axsys → Attach to ticket
- Rating submitted → Webhook to Axsys → Update ticket metrics