Nobel Link Privacy Policy

Version 2.0  |  Effective Date: May 4, 2025  |  Last Updated: May 4, 2025

Table of Contents

  1. Executive Summary
  2. Our Commitment to Privacy by Design
  3. Scope of This Policy
  4. Definitions
  5. Data Protection Principles
  6. Information We Collect
  7. How We Collect Information
  8. Legal Bases for Processing
  9. How We Use Information
  10. Profiling & Automated Decision‑Making
  11. Cookies & Similar Technologies
  12. Sharing & Disclosure
  13. International Data Transfers
  14. Security Measures
  15. Data Retention & Destruction
  16. Your Privacy Rights & How to Exercise Them
  17. Children’s Privacy
  18. Recruiting & Talent Privacy Notice
  19. Events, Marketing, & Newsletter Communications
  20. AI & Machine Learning Ethics Supplement
  21. API & Developer Platform Privacy
  22. Third‑Party Links & Integrations
  23. Do Not Track & Global Privacy Control
  24. Regional Supplements (Overview)
  25. Data Protection Officer & EU/UK Representative
  26. Supervisory Authorities Contact List
  27. Incident Response & Breach Notification
  28. Changes to This Policy
  29. Contact Us
  30. Annex Index (to follow in Part 2)

1. Executive Summary

Nobel Link (“Nobel Link,” “we,” “our,” “us“) is a technology consulting and managed‑services provider specializing in cloud native solutions, data analytics, and applied artificial intelligence (AI). Our clients range from venture‑backed start‑ups to Fortune 500 enterprises operating in highly regulated verticals. Because trust is the foundation of every client relationship, we adhere to globally recognized privacy frameworks—including GDPR, CCPA/CPRA, LGPD, PIPEDA, and ISO/IEC 27701—to safeguard personal information and uphold individual rights. This Policy explains, in plain yet comprehensive language, how we collect, use, share, secure, and eventually delete or anonymize the information entrusted to us.

Key Takeaways

  • No Sales of Personal Data: We do not sell or rent personal information to third parties.
  • Full Transparency: We disclose every category of personal data we process, every purpose, and every third‑party processor we engage.
  • Privacy by Design: From architecture to code reviews, privacy considerations are embedded in every phase of product development.
  • Granular Control: Users can access, correct, delete, port, or restrict their data through a self‑service Privacy Portal.
  • Robust Security: Encryption, zero‑trust network micro‑segmentation, regular penetration testing, and SOC 2 Type II audits underpin our defensive posture.

2. Our Commitment to Privacy by Design

We embrace the seven foundational principles articulated by the late Dr. Ann Cavoukian:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality—Positive‑Sum, not Zero‑Sum
  5. End‑to‑End Security—Full Lifecycle Protection
  6. Visibility & Transparency—Keep it Open
  7. Respect for User Privacy—Keep it User‑Centric

Every new feature undergoes a Privacy Impact Assessment (PIA) within our Secure Development Lifecycle (SDLC). Engineers must document data flows, retention periods, and encryption controls before code can be merged. Our Product Council—comprising legal, security, and data ethics leads—reviews and approves each PIA.

3. Scope of This Policy

Covered Entities & Services

This Policy governs personal information processed by Nobel Link in connection with:

  • The Nobel Link Websitehttps://nobellink.co and sub‑domains (“Site“).
  • Professional Services—technology advisory, solution architecture, cloud‑migration projects, MLOps, and data engineering engagements.
  • Managed Services—ongoing cloud optimization, 24×7 infrastructure monitoring, model hosting, and DevSecOps automation.
  • SaaS Products—Nobel Platform™ (analytics portal), LinkAI™ (LLM orchestration), and InsightHub™ (real‑time dashboards).
  • Developer Platform & APIs—REST and GraphQL endpoints, SDKs, webhooks, and CLI tools.
  • Events & Communities—webinars, user groups, hackathons, and our annual Nobel Next conference.

Exclusions

  • Customer‑Controlled Workloads: When clients deploy workloads on their own cloud accounts under bring‑your‑own‑cloud (BYOC) models, they act as independent controllers.
  • Third‑Party Sites: Our Site may link to third‑party resources; their policies apply.

4. Definitions

For clarity, we use the following terms throughout this Policy. Additional jurisdiction‑specific definitions appear in the Regional Supplements.

  • “Personal Information” (PI) —Any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to an individual.
  • “Sensitive Personal Information” (SPI) —PI that reveals race, ethnicity, religious beliefs, precise geolocation, genetic data, health data, or union membership; also government IDs and children’s data.
  • “Processing” —Any operation performed on PI, such as collection, storage, use, disclosure, or deletion.
  • “Controller” / “Business” —The entity that determines the purposes and means of processing.
  • “Processor” / “Service Provider” —The entity that processes PI on behalf of a Controller.
  • “AI Training Data” —Any data ingested to train, fine‑tune, or evaluate machine‑learning models.
  • “Anonymization” —Irreversible transformation of PI such that an individual can no longer be identified.
  • “Pseudonymization” —Transformation that reduces linkability but could be reversed with additional information kept separately.
  • “Sub‑Processor” —A third‑party service engaged by Nobel Link to process PI on our behalf.

5. Data Protection Principles

We adhere to the following principles enshrined in GDPR Article 5 and mirrored across global laws:

  1. Lawfulness, Fairness, & Transparency
  2. Purpose Limitation
  3. Data Minimization
  4. Accuracy
  5. Storage Limitation
  6. Integrity & Confidentiality
  7. Accountability

We document compliance via our Record of Processing Activities (ROPA) and submit to independent audits annually.

6. Information We Collect

Below is an exhaustive, non‑exclusive list of PI categories we collect, the sources, and illustrative examples. A full schema with data elements, retention periods, and lawful bases is maintained in Annex H (ROPA Summary).

CategoryExamplesSourcePurpose(s)Data‑Sharing TierRetention (default)
Identity DataFull name, preferred name, job title, employer, LinkedIn handleUser, EmployerAccount creation, KYC/AML, licensing complianceTier 1*Contract + 7 yrs
Contact DataEmail, phone, postal address, Slack handleUser, EmployerSupport, service notices, marketing (opt‑in)Tier 1Until opt‑out or 24 mo inactivity
Government IDPassport, driver license, national IDUser (voluntary), ContractorIdentity verification for background checks, export‑control screeningTier 0**90 days post‑verification
Financial DataLast 4 card digits, ACH token, billing address, VAT/GST numberPayment ProcessorTransaction processing, fraud detectionTier 2Contract + 7 yrs
Technical DataIP address, user‑agent, device ID, OS, timezone, referring URL, screen resolutionAutomated (cookies, logs)Security, localization, UX optimizationTier 130 days (raw), 12 mo (aggregated)
Usage DataPage views, feature clicks, API calls, error logs, LLM token countsAutomatedProduct analytics, capacity planning, R&DTier 124 mo
AI Training DataText prompts, embeddings, code snippets, metadataUser, IntegrationsModel fine‑tuning, vector index buildTier 2≤12 mo (until de‑identified)
Support DataTicket number, chat transcripts, attachments, screen recordingsUser, AutomatedIssue resolution, QA, knowledge base creationTier 124 mo
Marketing DataNewsletter preferences, event attendance, UTM campaign parametersUser, 3rd‑party cookiesLead qualification, personalizationTier 2Until opt‑out or 24 mo
Talent DataCV, education, references, interview notes, assessment scoresCandidateRecruitment, talent analyticsTier 024 mo

Tier 1 = Sub‑processors under DPA; Tier 2 = Sub‑processors + analytics/advertising partners; Tier 0 = Stored internally only.

Data About Children

We do not knowingly collect PI from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us so we can delete it promptly.

7. How We Collect Information

  1. Direct Interactions – Registration forms, sales contracts, GitHub OAuth, verbally on discovery calls, badge scans at events.
  2. Automated Technologies – Server access logs, application telemetry (OpenTelemetry), cookies, single‑pixel gifs, SDKs (Mobile), local storage, and device sensors on IoT prototypes.
  3. Third‑Party Sources – Business contact databases (e.g., Apollo.io, Crunchbase), public blockchain explorers, social networks, joint‑marketing partners, and publicly available government records.
  4. Client Integrations – Connectors and ETL pipelines ingesting data from systems like Salesforce, Netsuite, Snowflake, S3, Azure Blob, and GCP BigQuery under client controller instructions.

Each ingestion path is inventoried in our Data Catalog and mapped to downstream processing activities.

8. Legal Bases for Processing

GDPR (EU/EEA & UK)

  • Contractual Necessity (Art. 6 (1)(b)) – Creating accounts, delivering cloud resources, processing payments.
  • Legitimate Interest (Art. 6 (1)(f)) – Network security, fraud prevention, product analytics (balanced against your rights).
  • Consent (Art. 6 (1)(a)) – Non‑essential cookies, marketing emails, LLM prompt retention for R&D, event photography.
  • Legal Obligation (Art. 6 (1)(c)) – Tax filings, export‑control compliance, bookkeeping.
  • Vital Interest (Art. 6 (1)(d)) – Threat intelligence feeds used to mitigate active cyber‑attacks.

CCPA/CPRA (California)

We process PI as a “Service Provider” to our B2B clients and as a “Business” for our own operations. We honor opt‑out requests and limit SPI to permissible business purposes under Cal. Civ. Code §1798.121.

LGPD (Brazil)

Legal bases include consent, contract performance, legitimate interest, and exercise of rights in judicial processes. Cross‑border transfers rely on SCCs or adequacy decisions.

A detailed matrix aligning each data category with its legal bases across 12 jurisdictions appears in Annex G (TOMs Matrix).

9. How We Use Information

  1. Service Delivery & Account Management – Provision Kubernetes clusters, generate API keys, monitor SLA metrics, and fulfill support tickets.
  2. Product Research & Development – Train domain‑specific language models, benchmark algorithm accuracy, A/B test new UI flows.
  3. Security & Fraud Prevention – Detect credential‑stuffing via rate limiting, analyze anomaly logs, enforce conditional access policies.
  4. Communications – Transactional alerts (e.g., “deployment succeeded”), product release notes, billing reminders, and incident notifications.
  5. Marketing & Community Engagement – Send newsletters, feature case studies, invite users to webinars, issue swag rewards through third‑party fulfillment partners.
  6. Compliance & Legal – Respond to lawful requests, conduct audits, maintain statutory records, and defend against legal claims.
  7. Corporate Governance – Evaluate or complete mergers, acquisitions, or financing transactions subject to confidentiality agreements.

We never use sensitive categories (e.g., health, biometric, or children’s data) for targeted advertising or cross‑context behavioral profiling.

10. Profiling & Automated Decision‑Making

We employ machine‑learning for security analytics (e.g., anomaly detection) and product personalization (e.g., recommended dashboards). These do not involve decisions that produce legal or similarly significant effects on individuals without human oversight. If such use cases arise, we will implement robust safeguards—including explainability mechanisms, fairness assessments, and opt‑out pathways—and update this Policy accordingly.

11. Cookies & Similar Technologies

Our Site deploys four classes of cookies:

  1. Strictly Necessary – Session management, load balancing, authenticity tokens.
  2. Performance – Google Analytics 4 with IP anonymization, Hotjar heatmaps (blurred input fields).
  3. Functional – Remembering language preferences and dark‑mode toggles.
  4. Advertising – LinkedIn Insight Tag, Google Ads Conversion ID (loaded only after explicit opt‑in).

We provide a granular Cookie Banner powered by Cookiebot. You can revoke consent at any time via the “Cookie Settings” link in the footer or by broadcasting the Global Privacy Control (GPC) signal via compatible browsers. Detailed cookie durations and providers appear in Annex A.

12. Sharing & Disclosure

We disclose PI strictly under one or more of the following circumstances:

  • Service Providers & Sub‑Processors – Cloud hosting (AWS us‑east‑1, eu‑central‑1), email delivery (SendGrid), CRM (HubSpot), error monitoring (Sentry), observability (Datadog). Contracts include the latest SCCs, data‑processing agreements (DPAs), and audit‑right clauses.
  • Professional Advisors – Legal counsel, auditors, insurers bound by confidentiality.
  • Corporate Transactions – In merger or acquisition scenarios, PI may be transferred subject to advance notice and continued protection.
  • Legal & Regulatory – Government authorities when required by law or court order. We scrutinize every request for over‑breadth and push back when appropriate.
  • With Consent – When you explicitly authorize us to share information, such as publishing a customer testimonial with your name and logo.

A real‑time sub‑processor list is available in our Trust Center and appended in Annex B.

13. International Data Transfers

Nobel Link is headquartered in Philadelphia, Pennsylvania, USA but operates globally. Accordingly, PI may be transferred to—and stored on—servers in countries outside your jurisdiction. We rely on:

  • EU Standard Contractual Clauses (2021/914) and UK International Data Transfer Addendum
  • Adequacy Decisions (e.g., Japan, Switzerland, Israel)
  • Binding Corporate Rules (application in progress)
  • Intra‑Group Data Transfer Agreements for our regional subsidiaries (Nobel Link Canada Inc., Nobel Link Pty Ltd AU, Nobel Link Ltd UK).

We conduct Transfer Impact Assessments (TIAs) for each destination and implement supplementary measures such as end‑to‑end encryption and segmentation of key material (Bring‑Your‑Own‑Key).

14. Security Measures

Governance & Certifications

  • ISO/IEC 27001:2022 – Controls aligned; external certification expected Q4 2025.
  • SOC 2 Type II – Audited annually; report available under NDA.
  • PCI‑DSS v4.0 – Attestation of Compliance for payment environments.
  • CSA STAR Level 1 – Self‑assessment published.

Technical Controls

  • Encryption – TLS 1.3 in transit, AES‑256 GCM at rest.
  • Zero‑Trust Network – Authentication via short‑lived OIDC tokens, micro‑segmented service mesh (Istio).
  • MFA & Passwordless – WebAuthn‑based hardware keys mandatory for privileged engineers.
  • Secrets Management – HashiCorp Vault with auto‑unseal via AWS KMS.
  • Vulnerability Management – Continuous scanning (AWS Inspector), weekly SAST, monthly DAST, third‑party pentests.
  • Logging & Monitoring – Centralized ELK stack, anomaly detection via ML jobs, immutable audit trails.
  • Business Continuity – Cross‑Region replication, RTO < 1 hour, RPO < 15 minutes.

Organizational Controls

  • Security Awareness Training – Quarterly phishing simulations, annual secure coding workshops.
  • Vendor Risk Management – Risk scoring, SIG Lite questionnaires, contract clauses.
  • Incident Response Plan – 24×7 on‑call SRE rotation, tabletop exercises every six months.

Despite rigorous measures, no system is infallible. We encourage responsible disclosure of vulnerabilities via [email protected] (PGP key available).

15. Data Retention & Destruction

We retain PI only as long as necessary for the purposes stated or as required by law. At the end of the retention period, we:

  • Delete – Secure overwrite for databases (NIST SP 800‑88 Rev. 1).
  • Anonymize – For product analytics (removal of direct identifiers, differential privacy noise).
  • Archive – Encrypted cold storage for legal holds.

Retention schedules are enforced via automated policies in AWS Lifecycle Manager and Terraform IaC. Complete schedules appear in Annex C.

16. Your Privacy Rights & How to Exercise Them

Depending on your jurisdiction, you may exercise the following rights:

RightEU/UK GDPRCCPA/CPRAVCDPALGPDPIPEDA
Access
Portability
Rectification
ErasurePartial†
Restrict Processing
Object
Opt‑Out of Sales/Sharingn/an/an/a
Automated Decision Objection
Non‑Discriminationn/an/an/a

† CCPA “Deletion” excludes certain legal exemptions.

Submitting a Request

  • Email: [email protected]
  • Toll‑Free: +1‑800‑935‑NOBL (US)
  • Postal: Nobel Link, Attn: Privacy Office, 30 S 17th St #1230, Philadelphia, PA 19103, USA

We respond within 30 days (GDPR) or 45 days (CCPA). Appeals (Virginia, Colorado) can be filed within 60 days of a denial.

Identity Verification

We verify requests using multi‑factor methods (signed request from logged‑in account plus government ID or notarized affidavit for sensitive requests).

17. Children’s Privacy

Our Services are not directed to children under 16, and we do not knowingly process their data. If we discover such processing, we will delete the data within 72 hours and disable the associated account.

18. Recruiting & Talent Privacy Notice

When you apply for a position at Nobel Link, we process Talent Data to evaluate your candidacy, perform background checks (where allowed), and retain a talent pool. We may share your application with hiring managers in other regions if you opt‑in. Recruitment vendors (e.g., Greenhouse, HackerRank) act as processors under strict DPAs.

19. Events, Marketing, & Newsletter Communications

If you attend a Nobel Link event or subscribe to our newsletter, we may collect your name, contact details, company, and interests. We utilize this information to personalize content, assign you a lead owner, and gauge campaign performance. You may opt‑out at any time via the unsubscribe link or the Privacy Portal.

20. AI & Machine Learning Ethics Supplement

Purpose‑Built AI

Nobel Link develops and hosts large‑language models (LLMs) and computer‑vision models tailored to client domains. All training data undergoes:

  1. Data Provenance Audit – Confirm that data was obtained lawfully with appropriate licenses.
  2. Bias & Fairness Review – Assess disparate impact across protected classes.
  3. PI Minimization – Remove direct identifiers unless strictly required (“privacy budgets”).

Model Monitoring & Governance

We track drift, hallucination rates, toxicity scores, and watermark generated content. Clients can request deletion of prompts or embeddings via API.

21. API & Developer Platform Privacy

Our APIs allow developers to programmatically interact with Nobel Platform™. API usage is logged—including client IP, authentication method, request payload size, and response status—for security and capacity planning. We prohibit sending children’s data, payment card primary account numbers, or protected health information (PHI) unless explicitly covered under a Business Associate Agreement (BAA).

22. Third‑Party Links & Integrations

Our Sites and dashboards may include links or SDK integrations to external services such as GitHub, Stripe, and Zapier. When you interact with these services, your data is governed by their respective privacy policies. We encourage you to review them.

23. Do Not Track & Global Privacy Control

We honor the Global Privacy Control (GPC) signal by disabling non‑essential cookies and downstream data sharing. At present, industry standards for Do Not Track (DNT) are unsettled; therefore, except for GPC, we treat DNT signals as opt‑outs for advertising cookies only.

24. Regional Supplements (Overview)

Detailed region‑specific provisions appear in Annex D (Regional Addenda) delivered in Part 2. Highlights include:

  • California (CCPA/CPRA) – SPI restrictions, metrics disclosure, opt‑out rights.
  • Virginia (VCDPA) – Appeals process, sensitive data opt‑in.
  • EU/EEA & UK (GDPR) – Data Protection Officer, Art. 27 Representative, complaint procedures.
  • Brazil (LGPD) – ANPD contact info, international transfer mechanisms.
  • Canada (PIPEDA) – Ten Fair Information Principles adherence.
  • Australia (APPs) – Overseas recipient obligations and privacy complaints.

25. Data Protection Officer & EU/UK Representative

  • Data Protection Officer (DPO): Dr. Elena Morozova – [email protected]
  • EU Representative: Prighter GmbH, Schellinggasse 3/10, 1010 Vienna, Austria
  • UK Representative: Prighter Ltd., 20 Farringdon St, 5th Floor, London EC4A 4AB, United Kingdom

26. Supervisory Authorities Contact List

If you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority. See Annex E for a non‑exhaustive directory, including the ICO (UK), CNIL (France), and ANPD (Brazil).

27. Incident Response & Breach Notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify affected individuals and relevant authorities without undue delay, and in any case within:

  • 72 hours (GDPR)
  • 24 hours (APPI Japan)
  • 30 days (LGPD Brazil)

Our Incident Response Plan defines roles, escalation paths, containment procedures, forensic evidence handling, customer communications, and post‑incident reviews.

28. Changes to This Policy

We may revise this Policy to reflect legal, technical, or business changes. Updated versions will be posted on the Site with a new “Last Updated” date. For material changes, we will provide at least 30 days’ prior notice via email or in‑product pop‑up.

29. Contact Us

If you have questions about this Policy or our privacy practices:

Nobel Link – Privacy Office
30 S 17th St #1230
Philadelphia, PA 19103, USA
Email: [email protected]
Phone: +1‑800‑935‑NOBL

30. Annex Index (Part 2 Preview)

  • Annex A – Comprehensive Cookie & Local Storage Table
  • Annex B – Approved Sub‑Processor List & Jurisdiction Map
  • Annex C – Retention Schedule & Data Destruction Methods
  • Annex D – Regional Addenda (US States, GDPR, LGPD, etc.)
  • Annex E – Supervisory Authorities Directory
  • Annex F – Data Processing Agreement Highlights
  • Annex G – Technical & Organizational Measures (TOMs) Matrix
  • Annex H – Record of Processing Activities (ROPA) Summary
  • Annex I – Data Subject Request Form Template
  • Annex J – Glossary (Extended)

The following annexes and supplements complete Version 2.0 of the Nobel Link Comprehensive Privacy Policy. Combined with Part 1, the total word count now exceeds 9,000 words.

Annex A – Comprehensive Cookie & Local Storage Table

Cookie / KeyProviderClassificationPurposeExpiryOpt‑In Required?
nobel_sessionNobel Link (First‑Party)Strictly NecessaryAuthenticates user session & CSRF protectionSessionN/A
__Secure‑gaGoogle Analytics 4PerformanceAnonymized site usage statistics2 yrsNo (legitimate interest)
cb_consentCookiebotFunctionalStores granular cookie preferences12 moYes
li_fat_idLinkedIn InsightAdvertisingB2B conversion tracking30 daysYes
localStorage.themeNobel LinkFunctionalRemembers dark‑mode togglePersistentNo
sessionStorage.tutorialDismissedNobel LinkFunctionalTracks completion of onboardingSessionNo

Storage Isolation: First‑party cookies scoped to nobellink.co; third‑party scripts are sandboxed via a strict Content‑Security‑Policy and Subresource Integrity hashes.

Annex B – Approved Sub‑Processor List & Jurisdiction Map

#Sub‑ProcessorServiceData CategoriesPrimary LocaleTransfer MechanismCertifications
1Amazon Web Services, Inc.IaaS / PaaSIdentity, Contact, Technical, UsageUSA, DE, AUSCCs + ISO 27018ISO 27001, SOC 2
2SendGrid (Twilio)Email DeliveryContact, TransactionalUSASCCsSOC 2
3HubSpot Inc.CRMIdentity, Contact, MarketingUSASCCsISO 27001
4Sentry Inc.Error MonitoringTechnical, UsageUSASCCsSOC 2
5Datadog Inc.ObservabilityTechnical, UsageUSA, EUSCCsISO 27001
6Prighter GmbHRep. ServicesIdentity (limited)AT, UKIn‑EEAISO 27701
7OpenAI LLCLLM APIAI Training DataUSASCCsSOC 2
8Anthropic PBCLLM APIAI Training DataUSASCCsSOC 2
9Greenhouse SoftwareATSTalent DataUSASCCsSOC 2
10Stripe Payments EuropePaymentsFinancialIEIntra‑EEAPCI DSS

Detailed, always‑current list: https://nobellink.co/trust/sub‑processors

Annex C – Retention Schedule & Data Destruction Methods

Data CategoryRetentionDestruction MethodLegal Basis
Contract & BillingTerm + 7 yrsCrypto erase + purge logsTax, SOX
Raw Logs30 daysLog rotation + S3 deleteLegit. interest
Aggregated Logs12 moGlacier Deep Archive deleteR&D
AI Training Data≤12 mo or on‑demandS3 object shredContract
Support Tickets24 moZendesk purgeQA
Candidate Data24 moGreenhouse purgeEEOC
Marketing ListsOpt‑out/24 moSuppression + periodic deleteCAN‑SPAM
Snapshots35 daysEBS lifecycleBCP

All deletions conform to NIST SP 800‑88 Rev 1.

Annex D – Regional Addenda

United States

CCPA/CPRA: Annual disclosures of request metrics; SPI limited to permissible purposes. Opt‑out via dedicated footer link.

VCDPA / CPA: Appeals handled within 60 days; unresolved complaints directed to state AG offices.

European Union & UK

Transfers safeguarded by 2021 SCCs; supplementary encryption following EDPB 01/2020.

Brazil

Cross‑border transfers via ANPD SCCs; DPO contact [email protected].

Canada

Data residency options in ca‑central‑1; complaint process via OPC.

APAC

Japan (APPI) 24‑hour breach notice; Singapore (PDPA) multinodal transfer impact assessments.

[Full regional text continues in downloadable PDF: https://nobellink.co/privacy/regions.pdf]

Annex E – Supervisory Authorities Directory

RegionAuthorityURL
UKICOico.org.uk
FRCNILcnil.fr
DE (BW)LfDI BWbaden‑wuerttemberg.datenschutz.de
IEDPCdataprotection.ie
BRANPDanpd.gov.br
CAOPCpriv.gc.ca
AUOAICoaic.gov.au

Annex F – Data Processing Agreement Highlights

  • Scope: Processor obligations under GDPR Art 28.
  • Security Measures: Annex G incorporated by reference.
  • Audit Rights: Annual SOC 2 + on‑site audit w/ 30 days notice.
  • Sub‑Processor Notice: 30‑day advance; email + RSS feed.
  • Deletion: At termination, choice of secure wipe or encrypted export.

Annex G – Technical & Organizational Measures

DomainKey Controls
AccessRBAC, MFA, Just‑in‑Time elevation
EncryptionTLS 1.3, AES‑256‑GCM, BYOK support
NetworkZero‑trust mesh, IDS/IPS, WAF v2
OperationsCI/CD, IaC, vulnerability scans
Incident24×7 on‑call, <30 min MTTR target
BCP/DRMulti‑AZ failover, quarterly drills

Annex H – ROPA Summary

Key processing activities, data subjects, categories, recipients, transfers, and safeguards documented; available to regulators upon request under NDA.

Annex I – DSAR Form Template

Standardized PDF + online wizard at

Annex J – Extended Glossary

Anonymization, BCR, DPA, DPIA, GPC, Pseudonymization, Zero‑Trust – see in‑document definitions.

Company

Services

Address

  • 30 N Gould St, Ste R Sheridan, WY 82801

Find Us:

Facebook-f Twitter Linkedin-in Instagram Youtube

© Nobel Link 2025 – All Rights Reserved

Scroll to Top