Data Processing & Sovereignty
This document describes how Daxion Technologies Ltd processes, stores and protects your project data within the Traklio platform. It also covers data residency options, encryption standards, and our sub-processor disclosure.
Last updated: 1 January 2025 · Effective: 1 January 2025
Scope
This Data Processing Policy applies to all Customer Data — including project information, documents, task data, user-generated content and any personally identifiable information — uploaded to or created within the Traklio platform by you or your authorised Users.
Daxion Technologies Ltd acts as a data processor with respect to Customer Data, processing it only on your behalf and under your documented instructions. You, the Customer, act as the data controller for that data.
Data Residency Options
We understand that many construction clients — particularly in regulated sectors, government or defence — have strict requirements about where their data is physically stored. Traklio offers the following data residency options:
| Region | Availability | Plan |
|---|---|---|
| United Kingdom (London) | Available | All plans |
| European Union (Ireland) | Available | Professional & Enterprise |
| United Arab Emirates (Dubai) | Available | Enterprise |
| United States (Virginia) | Available | Enterprise |
| Singapore (APAC) | Available | Enterprise |
| On-premise / Private Cloud | Available | Enterprise only |
Your data residency region is specified in your Service Order. Data does not cross into another region without your explicit written consent, except for necessary replication within the same region for backup purposes.
What We Process
Customer Data
- –Project information: names, locations, budgets, schedules, milestones
- –Task and workflow data: assignments, statuses, comments, attachments
- –Documents and drawings: uploaded files, versions, metadata
- –RFI and submittal records: content, workflow history, responses
- –Inspection reports: findings, photographs, sign-offs
- –Procurement records: purchase orders, vendor details, delivery records
- –Financial data: budget entries, invoices, cost records
- –User-generated content: comments, annotations, communications within the platform
Technical metadata
- –Audit logs: who did what and when within the platform
- –Access logs: login timestamps, IP addresses, device information
- –Performance metrics: feature usage, load times (anonymised and aggregated)
Security Measures
Encryption
- –Data in transit: TLS 1.3 for all connections between clients and platform servers
- –Data at rest: AES-256 encryption for all stored data and backups
- –Database-level encryption: transparent data encryption (TDE) enabled
- –File storage: server-side encryption for all uploaded documents and media
Access controls
- –Role-based access control (RBAC): granular permissions at workspace, project and module level
- –Principle of least privilege: DaxionTech staff have no standing access to Customer Data
- –Just-in-time access: temporary elevated access for support, with full audit logging
- –Multi-factor authentication (MFA): available and recommended for all accounts
Infrastructure security
- –Cloud provider SOC 2 Type II certified infrastructure
- –Web Application Firewall (WAF) and DDoS protection at the edge
- –Regular automated vulnerability scanning
- –Annual penetration testing by an independent third party
- –Intrusion detection systems and 24/7 security monitoring
Backups
- –Automated daily backups retained for 30 days
- –Point-in-time recovery available for database data
- –Backups stored in a separate availability zone within the same region
- –Backup restoration tested quarterly
Sub-processors
We engage the following sub-processors to assist in delivering the Traklio platform. All sub-processors are bound by data processing agreements and provide at least equivalent data protection to this policy.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare R2 / Cloudflare Workers | Object storage, edge compute, CDN | UK / EU |
| Amazon Web Services (AWS) | Cloud infrastructure and database hosting | eu-west-2 (London) |
| Stripe | Payment processing | UK / EU |
| Resend / Postmark | Transactional email delivery | EU |
| Sentry | Error monitoring (anonymised stack traces) | EU |
We will notify you of any intended addition or replacement of a sub-processor with at least 30 days' advance notice, giving you the opportunity to object.
Data Retention and Deletion
- –Customer Data is retained for the duration of your active Subscription.
- –Upon termination or expiry, data is available for export for 30 days.
- –After the 30-day export window, all Customer Data is permanently and irreversibly deleted from our systems and backups within 90 days.
- –Enterprise customers may request an expedited deletion certificate upon termination.
- –Audit logs relating to security events may be retained for up to 12 months after account termination for security and fraud prevention purposes.
Incident Response
In the event of a data breach or security incident affecting Customer Data:
- –We will notify affected customers without undue delay and in any event within 72 hours of becoming aware of a breach, as required by UK GDPR.
- –Notification will include: nature of the incident, categories and approximate volume of data affected, likely consequences, and measures taken or proposed.
- –We will cooperate fully with your incident response and regulatory reporting requirements.
- –All security incidents are logged and reviewed by our security team.
Data Processing Agreement (DPA)
For Enterprise customers and any customer whose use of Traklio involves the processing of personal data of EU or UK data subjects, we can enter into a formal Data Processing Agreement (DPA) in compliance with UK GDPR Article 28 and EU GDPR Article 28.
To request a DPA, contact legal@daxiontech.com.
Customer Responsibilities
As the data controller, you are responsible for:
- –Ensuring you have a lawful basis for processing personal data within the Traklio platform
- –Providing appropriate notices and obtaining consent from individuals whose data is uploaded
- –Ensuring Users comply with acceptable use obligations
- –Promptly notifying us of any data subject access requests relating to Customer Data
- –Configuring role-based access controls appropriately for your organisation
Contact
For data processing enquiries, DPA requests or security concerns:
Daxion Technologies Ltd
19, The Richmonds, Abbeydale
Gloucester, Gloucestershire, GL4 5YA, UK
legal@daxiontech.com