Axipro Privacy Policy

Effective Date: April 1, 2025

Axipro (“Axipro,” “we,” “us,” or “our”) is a cybersecurity and compliance advisory firm that helps organizations achieve and maintain trust-based frameworks such as ISO 27001, 9001, SOC 2, HIPAA, PCI DSS and DORA. We are committed to protecting the privacy and security of your personal data, and this Privacy Policy outlines how we collect, use, store, disclose, and safeguard information through our websites, platforms, tools, and services (collectively, the “Services”).

1. Scope of this Policy

This Privacy Policy applies to:
• Visitors to our websites (including www.axipro.com and subdomains),
• Users of our compliance and audit platforms,
• Clients and prospective clients,
• Individuals interacting with Axipro through events, support, or sales outreach.
This Policy does not apply to personal data processed on behalf of our clients through third-party tools like Drata and Vanta, where we act as a data processor or subprocessor. In such cases, the client’s privacy policy governs how your data is handled.

2. What Personal Data We Collect

Depending on how you interact with Axipro, we may collect the following types of personal data:

a. Identification & Contact Information

• Full name
• Business email address
• Phone number
• Job title and company name
• Location (city, country)

b. Account & Authentication Information

• Username and encrypted password
• Role-based access assignments
• Audit trail of logins and activity on our platforms

c. Professional & Compliance Information

• Employment details and responsibilities
• Information related to compliance training, certifications, and audit participation
• Risk or control ownership (e.g., assigned controls in Drata)

d. Technical & Device Data

• IP address and device ID
• Browser type and version
• Operating system
• Access times and pages viewed

e. Communication Data

• Emails, chat logs, or support tickets
• Web forms or feedback submitted through our website or platform
• Webinar or event participation info

f. Marketing & Engagement Data

• Newsletter subscription preferences
• Responses to surveys or campaigns
• Analytics data (clicks, open rates, navigation behaviour)

3. How We Collect Personal Data

We collect personal data in the following ways:

• Directly from you: via contact forms, email, demos, webinars, or events.
• Automatically: when you use our website or platform (cookies, device logs).
• From third parties:
  o Referrals or channel partners,
  o Public sources like LinkedIn,
  o Compliance platforms where we are invited as collaborators.

4. How We Use Personal Data

We use personal data to:

a. Deliver and Manage Our Services

• Manage client accounts and access controls,
• Assist with compliance activities, audits, evidence collection, and control reviews,
• Provide technical and compliance support,
• Conduct vulnerability and penetration testing assessments.

b. Operate and Improve Our Website & Platform

• Analyse usage patterns to improve features,
• Maintain system integrity and prevent fraud,
• Conduct user experience testing and feedback loops.

c. Marketing and Business Development

• Share newsletters, event invites, or product updates (with your consent),
• Personalize communications based on role or industry.

d. Legal and Regulatory Obligations

• Respond to lawful data access requests,
• Maintain records for contractual or regulatory compliance (e.g., ISO 27001 clause 7.5).

5. Legal Basis for Processing (EEA/UK Users)

For individuals located in the European Economic Area (EEA) or United Kingdom (UK), we rely on one or more of the following legal bases:

• Performance of a contract – to provide our Services to you.
• Legitimate interests – such as improving our platform or protecting against misuse.
• Consent – for optional communications or non-essential cookies.
• Legal obligation – when required to comply with applicable laws.

6. Sharing of Personal Data

We may share personal data with:

a. Service Providers

Trusted vendors who perform services on our behalf, such as:

• Cloud infrastructure (AWS, Azure),
• Compliance automation (Drata, Vanta),
• Customer relationship tools (e.g., HubSpot, Salesforce),
• Email marketing providers (e.g., Mailchimp, Brevo).

All providers are under strict data protection agreements and only process your data as instructed by Axipro.

b. Auditors and Assessors

When authorized, we share documentation and user information with third-party assessors (e.g., A-LIGN, Insight Assurance, EY, BARR Advisory, Prescient Security) as part of your certification journey.

c. Legal Authorities or Law Enforcement

Only when required by law, subpoena, court order, or to prevent fraud or harm.

d. Corporate Transactions

If Axipro undergoes a merger, acquisition, or asset sale, your information may be transferred to the successor entity, subject to this Privacy Policy.

7. Retention of Personal Data

We retain personal data as follows:

Data Type: Retention Period

• Client audit records: Duration of engagement +3 years
• Communication data (support, email): 3 years from last contact
• Marketing contact details: Until unsubscribed or 2 years of inactivity

We may retain anonymized data indefinitely for analytics or research.

8. International Data Transfers

Axipro is based in the Kingdom of Bahrain and the United States. By using our services, you acknowledge that your data may be transferred to the U.S. or other jurisdictions. We implement safeguards such as:

• Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs),
• Vendor due diligence aligned with ISO and GDPR standards.

9. Your Privacy Rights

Depending on your region, you may have the right to:

• Access or request a copy of your data,
• Correct inaccuracies,
• Request deletion,
• Restrict or object to processing,
• Withdraw consent (for marketing or optional data collection),
• Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at: info@axipro.co

10. Security Measures

We take data protection seriously and implement the following:

• AES-256 encryption for data at rest and TLS 1.2+ for data in transit,
• Role-based access controls and 2FA for platform access,
• SOC 2-compliant cloud infrastructure,
• Quarterly vulnerability assessments and annual penetration testing,
• Security awareness training for all personnel.

11. Cookies and Tracking Technologies

Our websites use cookies and similar technologies for:

• Performance and analytics (e.g., Google Analytics),
• Remembering your preferences,
• Marketing campaigns and ad tracking (e.g., LinkedIn Ads, Meta Pixel).

You can control cookies through your browser settings or our cookie consent banner.

12. Email & Communication Preferences

We may send you:

• Transactional messages (e.g., platform updates, support tickets),
• Marketing messages (e.g., newsletters, event invites),
• Product announcements.

You can unsubscribe at any time by clicking the link in the email or contacting us at info@axipro.co.

13. Children’s Privacy

Our services are not intended for children under 16. We do not knowingly collect data from minors. If you believe a child has submitted personal information to Axipro, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a notice on our website.

15. Contact Us

If you have questions, concerns, or data requests, please contact:
