Document ID: POL-PRIV-2026-V4.1
1. Introduction and Scope
This Privacy Protocol outlines how Nexia Systems B.V. ("Nexia", "we", "our", or "us") collects, utilizes, and protects data during the authentication process. By accessing the Identity Gateway, you acknowledge that you are entering a secure, monitored environment governed by this policy.
2. Data Collection and Telemetry
To ensure Zero-Trust compliance and defend against unauthorized access, we automatically collect specific telemetry data during your authentication session. This includes, but is not limited to:
- IP Addresses and network routing paths.
- Device posture information (OS version, browser signature, hardware security module status).
- Cryptographic hashes of successful and failed authentication attempts.
- Geolocation data derived from network points of presence.
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (EU 2016/679), our legal basis for processing this telemetry data is the Legitimate Interest (Art. 6(1)(f) GDPR) of Nexia Systems to maintain network security, prevent fraud, and fulfill our contractual obligations as a Data Processor for our enterprise clients.
4. Security Measures and Certifications
Nexia Systems employs military-grade encryption protocols. All data in transit is secured using TLS 1.3. Data at rest is encrypted using AES-256 block ciphers. Our infrastructure undergoes continuous penetration testing and maintains the following certifications:
- ISO/IEC 27001:2022 (Information Security Management)
- SOC 2 Type II (Security, Availability, and Confidentiality)
- FIPS 140-2 Level 3 (Hardware Security Modules)
5. Data Retention Policy
Authentication logs and session telemetry are stored in a rolling 90-day retention window to facilitate security audits and forensic investigations. After 90 days, data is permanently obfuscated or destroyed, unless required for active legal or security investigations.
6. Cookie Usage (Strictly Necessary)
We do not deploy marketing, advertising, or third-party tracking cookies on the Identity Gateway. We exclusively use Strictly Necessary Cookies required for load balancing, session persistence, and Cross-Site Request Forgery (CSRF) protection. Because these are essential for the technical operation of the service, explicit consent is not required under the ePrivacy Directive.
7. User Rights
Authorized personnel may request access to, or the deletion of, their personal data by submitting a formal request to the Data Protection Officer (DPO) at dpo@nexia-systems.nl. Note that deletion requests may result in the immediate revocation of network access.