Data Protection

GDPR launch draft v1. Effective May 6, 2026.

Evidence-based
Security controls
Transparent limits

Last Updated: May 6, 2026

1. Data protection commitments

This page explains the current launch posture for data protection and trust controls. It is evidence-linked public copy, not a blanket certification claim.

  • DukieX keeps a subprocessor and independent-controller integration register for AWS, Stripe, PostHog, Cloudflare Turnstile, Typesense, and enabled OAuth/social providers.
  • Provider DPAs, transfer mechanisms, retention settings, dashboard access, and incident contacts are tracked through a recurring evidence checklist.
  • Privacy incidents follow a breach-response runbook with risk assessment, supervisory authority decision points, user notification decision points, and remediation tracking.
  • Payment data is minimized through Stripe-hosted or Stripe-controlled payment surfaces; raw card numbers and CVV must not be stored by DukieX.

2. Security and minimization controls

Current controls include private S3 media storage with public access blocked, TLS-enforced bucket access, encrypted AWS storage services, least-privilege access reviews, consent-gated analytics/session replay, token/log redaction requirements, payment metadata limits, search-index erasure requirements, and a DSR workflow for export, erasure, objection, retention exceptions, and manual vendor evidence.

3. Subprocessors and integrations

Core subprocessors include AWS, Stripe, PostHog, Cloudflare Turnstile, and Typesense where enabled. AWS Bedrock supports enabled AI workflows. OAuth/social providers and connected sellers or creators may act as independent controllers for their own services. Users can request the current subprocessor register and material-change information through the privacy contact route.

4. Launch evidence limits

We do not publish broad "GDPR Compliant" or certification-style claims unless account-specific evidence has been captured and approved. Open launch evidence items include production provider regions, retention settings, DPA records, transfer mechanisms, access reviews, and AI/payment account settings.

5. Contact

Official and DukieX privacy questions, DSRs, subprocessor requests, and incident notices can be sent to privacy@charleex.com.