This GDPR Compliance Notice ("Notice") explains how Atlas Software Corporation ("we," "us," or "our"), the developer and operator of VaxCPass, complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Kenya Data Protection Act 2019, the Protection of Personal Information Act (POPIA) of South Africa, and the California Consumer Privacy Act (CCPA). This Notice is supplementary to our Privacy Policy and should be read alongside it.
1. Our Commitment to GDPR Compliance
VaxCPass is a digital health passport application designed to help travelers securely store, manage, and present their vaccination certificates and health records. Given that our product processes special category data (health information) as defined under GDPR Article 9, we hold data protection as a foundational principle of our operations — not merely a regulatory obligation.
Our compliance programme is built upon the seven data protection principles set out in GDPR Article 5(1), which guide every processing activity we undertake:
- Lawfulness, fairness, and transparency — Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5(1)(a)).
- Purpose limitation — Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (Article 5(1)(b)).
- Data minimisation — Data collection is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c)).
- Accuracy — Personal data is accurate and, where necessary, kept up to date; every reasonable step is taken to ensure inaccurate data is erased or rectified without delay (Article 5(1)(d)).
- Storage limitation — Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing (Article 5(1)(e)).
- Integrity and confidentiality — Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage (Article 5(1)(f)).
- Accountability — The controller is responsible for, and must be able to demonstrate, compliance with the above principles (Article 5(2)).
We implement these principles through technical and organisational measures including AES-256 encryption, a zero-knowledge architecture, strict access controls, regular Data Protection Impact Assessments (DPIAs), and ongoing staff training. Our Data Protection Officer oversees all data protection matters and reports directly to senior management.
2. Data Controller Information
Under GDPR Article 4(7), the data controller determines the purposes and means of processing personal data. For VaxCPass, the data controller is:
- Entity: Atlas Software Corporation
- Registered Address: Karen Ngong Rd, Nairobi, Kenya
- Website: https://vaxcpass.com
Data Protection Officer (DPO)
In accordance with GDPR Article 37(1)(c), we have appointed a Data Protection Officer given that our core activities involve regular and systematic monitoring of data subjects on a large scale and the processing of special categories of personal data (health information) under Article 9.
- DPO Email: vaxcpass@gmail.com
- Phone: +254-727-730-363
You may contact our DPO directly with any questions, concerns, or requests related to data protection. Under GDPR Article 38(3), you are not required to provide any personal data in order to contact our DPO, and you have the right to communicate directly with the DPO at any time.
3. Lawful Basis for Processing (Article 6)
GDPR Article 6(1) requires that every processing activity has a valid legal basis. The table below sets out the lawful basis we rely upon for each category of processing conducted through VaxCPass. Where we process special category data (health information), an additional condition under Article 9 applies — see Section 4.
| Processing Activity | Legal Basis | Article Reference |
|---|---|---|
| Account registration and identity verification | Contractual necessity — processing is necessary for the performance of the service agreement between us and the user | Article 6(1)(b) |
| Subscription billing and payment processing | Contractual necessity — processing is required to fulfil the subscription agreement and process payments | Article 6(1)(b) |
| Storage and management of vaccination certificates and health records | Explicit consent — the user has given clear, affirmative consent to the processing of their health data for the specific purpose of digital health passport functionality | Article 6(1)(a) + Article 9(2)(a) |
| Generation of tamper-proof QR codes from health records | Explicit consent — QR code generation is contingent upon the user's informed consent to encode their health data | Article 6(1)(a) + Article 9(2)(a) |
| AI-powered health recommendations and risk assessments | Explicit consent — AI analysis of health data is performed only after the user actively opts in to this feature | Article 6(1)(a) + Article 9(2)(a) |
| Customer support and communication | Legitimate interests — processing is necessary for responding to user enquiries and providing technical support; we have conducted a Legitimate Interests Assessment (LIA) confirming that the user's rights and freedoms do not override our interests | Article 6(1)(f) |
| Security monitoring and fraud prevention | Legitimate interests — processing is necessary to protect the integrity of the platform, prevent unauthorised access, and detect fraudulent activity; supported by an LIA | Article 6(1)(f) |
| Compliance with legal and regulatory obligations | Legal obligation — processing is necessary for compliance with applicable laws including travel health regulations, KYC/AML requirements, and tax obligations | Article 6(1)(c) |
| App performance analytics and crash reporting | Legitimate interests — anonymised and aggregated analytics help us improve app stability and user experience; supported by an LIA with data minimisation controls | Article 6(1)(f) |
Where we rely on consent (Article 6(1)(a)), consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time as described in Section 4. Where we rely on legitimate interests (Article 6(1)(f)), we have documented Legitimate Interests Assessments (LIAs) which balance our legitimate business interests against the rights and freedoms of data subjects. These assessments are available upon request to our DPO.
4. Special Category Data: Health Information (Article 9)
VaxCPass processes health data — including vaccination records, immunisation histories, test results, and related medical information — which constitutes special category personal data under GDPR Article 9(1). The processing of such data is prohibited unless one of the exceptions in Article 9(2) applies. We rely on Article 9(2)(a) — explicit consent — as the primary legal basis for all health data processing.
How We Obtain Explicit Consent
In compliance with GDPR Article 4(11) and the guidelines of the European Data Protection Board (EDPB), we ensure that consent meets all of the following requirements:
- Granular opt-in: Consent is obtained through separate, specific consent prompts for each distinct processing purpose (e.g., storing vaccination records, generating QR codes, enabling AI recommendations). Users are not presented with bundled or pre-ticked consents.
- Clear and affirmative action: Consent requires an unambiguous affirmative action, such as toggling an "On" switch or checking a box. Silence, inactivity, or pre-selected boxes do not constitute valid consent.
- Informed consent: Before giving consent, users are presented with a clear and concise explanation of what health data will be processed, for what purposes, who will have access, and how long the data will be retained. This information is provided in plain language, not legal jargon.
- Freely given: Consent is a genuine choice. Where the provision of our service does not require health data processing (e.g., basic account management), users may use VaxCPass without providing health data. Consent to health data processing is never a precondition for using the core application.
- Documented consent: We maintain a record of when, how, and what consent was given by each user, including the version of the consent text presented at the time of consent, in accordance with Article 7(1).
Your Right to Withdraw Consent
Under GDPR Article 7(3), you have the right to withdraw your consent at any time. Withdrawal of consent is as easy as giving it. You can withdraw consent through the following methods:
- Within the VaxCPass app: navigate to Settings → Privacy → Manage Consents to revoke specific consents or all health data processing consents.
- By contacting our DPO at vaxcpass@gmail.com.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3)). Upon withdrawal, we will cease processing your health data for the relevant purposes and securely delete it in accordance with our Data Retention Policy (Section 11), subject to any legal obligations to retain certain data.
Additional Safeguards for Health Data
Recognising the sensitive nature of health data, we implement additional safeguards beyond those required for general personal data:
- End-to-end encryption: Health data is encrypted using AES-256 at rest and in transit. Encryption keys are managed through a zero-knowledge architecture, meaning Atlas Software Corporation cannot access the plaintext content of your health records.
- Local-first storage: Health records are stored primarily on your device. Data is only transmitted to our servers when you explicitly synchronise or when necessary to generate a verifiable QR code.
- Secure enclaves: On supported devices, sensitive cryptographic operations are performed within hardware-backed secure enclaves (e.g., Apple Secure Enclave, Android StrongBox) to prevent tampering.
- Access logging: All access to health data is logged with timestamps and user identifiers. These logs are reviewed regularly for unauthorised access attempts.
- Dedicated DPIA: A comprehensive Data Protection Impact Assessment has been conducted for health data processing activities (see Section 9).
5. Data Subject Rights (Articles 12-23)
GDPR Chapter III (Articles 12-23) grants data subjects specific rights regarding their personal data. We are committed to facilitating the exercise of these rights. There are no fees for exercising your data subject rights, and we will respond to all requests within one month. In complex cases this period may be extended by up to two further months, in which case we will notify you of the extension within the first month (Article 12(3)).
Overview of Your Rights
| Right | GDPR Article | Description | How to Exercise | Response Time |
|---|---|---|---|---|
| Right of Access | Article 15 | You have the right to obtain confirmation of whether your personal data is being processed, and if so, access to that data along with supplementary information including the purposes, categories, recipients, retention period, and the existence of automated decision-making. | Submit a verified request via the app (Settings → Privacy → Data Access Request) or email our DPO. | 30 days |
| Right to Rectification | Article 16 | You have the right to have inaccurate personal data rectified and incomplete personal data completed without undue delay. For health records, you may update vaccination details directly within the app, and changes propagate to your stored QR codes. | Edit data directly in the app, or submit a request to our DPO for data that cannot be self-served. | 30 days |
| Right to Erasure (Right to be Forgotten) | Article 17 | You have the right to request the deletion of your personal data where it is no longer necessary, consent is withdrawn, you object to processing, or the data has been unlawfully processed. This right is not absolute — we may retain data where required by law (e.g., financial records for tax compliance). | Submit a request via the app (Settings → Privacy → Delete My Data) or email our DPO. | 30 days |
| Right to Restriction of Processing | Article 18 | You have the right to request the restriction (limitation) of processing of your personal data in circumstances including: contesting the accuracy of data, where processing is unlawful but you prefer restriction over erasure, where we no longer need the data but you require it for legal claims, or while we verify an objection. | Email our DPO specifying the data and grounds for restriction. | 30 days |
| Right to Data Portability | Article 20 | You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON, CSV, or HL7 FHIR), and to transmit that data to another controller without hindrance. This applies to data processed by consent or contract. | Download your data export from the app (Settings → Privacy → Export My Data) or request via email. | 30 days |
| Right to Object | Article 21 | You have the right to object to processing based on legitimate interests (Article 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. | Email our DPO specifying the processing activity you object to and your reasons. | 30 days |
| Rights Related to Automated Decision-Making and Profiling | Article 22 | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Where our AI features produce health recommendations, these are advisory only and do not produce legally binding effects. | Disable AI features in the app (Settings → Privacy → AI Recommendations), or contact our DPO to request human review of any AI-generated output. | 30 days |
Exercising Your Rights
To exercise any of the above rights, you may:
- Use the in-app privacy controls (available under Settings → Privacy).
- Email our DPO at vaxcpass@gmail.com with the subject line "Data Subject Request."
- Call us at +254-727-730-363 and request to be connected with the DPO.
We may need to verify your identity before processing your request. We will ask for information such as your registered email address and, where appropriate, government-issued identification. We will not retain copies of identification documents beyond the verification period (GDPR Article 12(6)). If we are unable to identify you from the information provided, we may request additional information but will never ask for more than is reasonably necessary.
Under GDPR Article 12(4), where we refuse to act on a request, we will inform you of the reasons without undue delay and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
Data exports under the Right to Data Portability (Article 20) will be provided in a machine-readable format (JSON by default; CSV or HL7 FHIR available on request) and, where technically feasible, transmitted directly to another controller of your choice.
6. Data We Collect
We collect and process the following categories of personal data. The table below details each category, provides examples, identifies the source from which data is obtained, and states the applicable retention period.
| Category | Examples | Source | Retention Period |
|---|---|---|---|
| Identity Data | Full name, date of birth, nationality, government-issued ID / passport number | Provided directly by the user during account registration | Duration of the account plus 5 years after account closure (for legal and audit purposes) |
| Contact Data | Email address, phone number, physical address | Provided directly by the user | Duration of the account plus 2 years after account closure |
| Payment Data | Payment card token, billing address, transaction history, subscription tier | Provided by the user and processed through our payment processor | 7 years from the date of the last transaction (tax and financial regulatory requirements) |
| Health Data (Special Category) | Vaccination records (vaccine type, batch number, date, administering facility), immunisation history, COVID-19 test results, travel health screening results, medical declarations | Provided by the user via manual entry or document upload; verified through integration with certified health authorities where available | Until consent is withdrawn or the account is deleted, whichever is earlier |
| Technical Data | Device type and model, operating system and version, unique device identifiers (for synchronisation), IP address, browser/app version | Collected automatically when the app is used | 13 months from collection (in line with CNIL guidance on log data retention) |
| Usage Data | App session duration and frequency, features used (e.g., QR scan, health data export), pages viewed, crash reports, error logs | Collected automatically through the app and analytics services | 24 months (aggregated/anonymised data may be retained indefinitely) |
We apply the principle of data minimisation (Article 5(1)(c)) and only collect data that is strictly necessary for the specified purposes. Health data, in particular, is only collected when the user provides explicit consent.
7. Data Processing Activities (Article 30 Records of Processing)
In compliance with GDPR Article 30, we maintain a comprehensive record of our processing activities. The table below provides a summary. The full Article 30 Record of Processing Activities (ROPA) is available upon request to our DPO.
| Purpose | Data Categories | Recipients / Categories | Retention | Safeguards |
|---|---|---|---|---|
| Account management and user authentication | Identity, Contact, Technical | Internal teams (engineering, customer support); Cloud hosting provider | Account lifetime + 5 years | AES-256 encryption, TLS 1.3, role-based access control, MFA |
| Storage and verification of vaccination certificates | Health, Identity | Internal engineering team; Certified health authority APIs (where applicable for verification) | Until consent withdrawn | Zero-knowledge encryption, secure enclaves, end-to-end encryption, access logging |
| QR code generation and verification | Health, Identity | Third-party QR verification services (on user-initiated scan only); no data stored by verifier | Until consent withdrawn | Timestamped digital signatures, tamper-evident encoding, AES-256 encryption |
| AI-powered health recommendations | Health, Usage, Technical | AI/ML processing engine (hosted on our secure infrastructure); No data shared with third parties | Until AI feature disabled or consent withdrawn | Model trained on anonymised data; user data processed in isolated environment; no profiling for non-health purposes |
| Subscription billing and payment processing | Payment, Contact, Identity | Payment processor (Stripe); Internal finance team | 7 years (financial records) | PCI-DSS compliant processor; no raw card data stored; tokenised payments |
| Customer support | Identity, Contact, Usage, Technical (limited to the support query) | Customer support team; Email service provider (for support ticket communications) | 3 years after ticket closure | Need-to-know access; ticket data encrypted at rest; no access to health data unless user explicitly grants permission |
| Analytics and app improvement | Technical, Usage (anonymised / pseudonymised) | Analytics provider (Plerdy — for heatmaps and user behaviour); Internal product team | 24 months (raw); indefinite (anonymised) | Data pseudonymised before transmission; no health data included; cookie consent required (see Cookie Policy) |
8. International Data Transfers (Articles 44-49)
As a company headquartered in Kenya with a global user base, VaxCPass may transfer personal data outside of the European Economic Area (EEA). GDPR Articles 44-49 impose strict requirements on such transfers. We are committed to ensuring that your data receives an adequate level of protection regardless of where it is processed or stored.
Countries Where Data May Be Transferred
Your personal data may be transferred to or accessed from the following jurisdictions:
- European Economic Area (EEA): Data centres in the EU (Ireland, Germany) for EEA users — no transfer restriction applies.
- United Kingdom: The UK has an adequacy decision (effective from June 2021). Transfers to the UK are treated as intra-EEA transfers.
- Kenya: Our primary operating jurisdiction. Kenya does not have an EU adequacy decision. Transfers to Kenya are covered by Standard Contractual Clauses (SCCs) with supplementary measures.
- United States: The US does not have a comprehensive adequacy decision. Where data is transferred to US-based service providers, transfers are governed by the EU-US Data Privacy Framework (where applicable) or Standard Contractual Clauses.
- South Africa: No EU adequacy decision. Transfers covered by SCCs with supplementary measures.
- Other countries: Data may occasionally be transferred to other jurisdictions where our sub-processors operate. All such transfers are covered by SCCs.
Transfer Mechanisms
We use the following legal mechanisms to ensure that international data transfers comply with GDPR Chapter V:
- Adequacy Decisions (Article 45): Where the European Commission has determined that a third country ensures an adequate level of data protection, transfers proceed without additional safeguards. We rely on adequacy decisions for transfers to the UK, Japan, South Korea, and other adequate jurisdictions.
- Standard Contractual Clauses (SCCs) (Article 46(2)(c)): For transfers to countries without an adequacy decision, we use the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as amended. Our SCCs incorporate Module Two (Controller to Controller) and Module Three (Controller to Processor) as applicable.
- EU-US Data Privacy Framework: For US-based service providers that have self-certified under the EU-US Data Privacy Framework, transfers are permitted under Article 45 as a functional adequacy mechanism.
- Derogations (Article 49): We will only rely on derogations for specific situations in exceptional circumstances (e.g., where necessary for the establishment, exercise, or defence of legal claims), and never as a systematic basis for transfers.
Supplementary Measures (Schrems II)
Following the Court of Justice of the European Union's ruling in Schrems II (Case C-311/18), we implement supplementary measures to ensure that data transferred to non-adequate countries receives protection essentially equivalent to that guaranteed in the EEA. These measures include:
- Encryption: All personal data is encrypted using AES-256 before transmission. Encryption keys are managed through our zero-knowledge architecture, ensuring that data is unintelligible to any third party, including foreign authorities, without access to user-held keys.
- Pseudonymisation: Data transferred for analytics purposes is pseudonymised before leaving the EEA.
- Technical measures to prevent government access: We select cloud providers and sub-processors that commit to storing EU data within EU data centres where technically feasible, and that provide robust transparency reporting regarding government access requests.
- Transfer Impact Assessments (TIAs): We conduct TIAs for each non-adequate destination country to assess the legal framework and the risk of government access, and implement additional safeguards where risks are identified.
9. Data Protection Impact Assessments (Article 35)
Under GDPR Article 35(1), we are required to carry out a Data Protection Impact Assessment (DPIA) for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. Given that VaxCPass processes special category health data on a large scale and employs automated profiling through AI, we have conducted DPIAs for our core processing activities.
DPIA 1: Health Data Processing and Storage
Scope: The collection, storage, encryption, synchronisation, and retrieval of vaccination certificates and health records.
Key findings:
- Health data, if breached, could lead to discrimination, identity theft, or harm to the individual's physical integrity.
- Large-scale processing of health data of travelers creates cross-jurisdictional risk.
- The zero-knowledge architecture significantly mitigates risk, as Atlas Software Corporation cannot access plaintext health data.
Mitigations implemented:
- AES-256 encryption with user-controlled keys (zero-knowledge architecture).
- Local-first storage — health data resides primarily on the user's device.
- Hardware-backed secure enclaves for cryptographic operations.
- Strict access controls — no health data is accessible to customer support staff unless the user explicitly grants temporary access.
- Regular penetration testing (annual) and vulnerability assessments (quarterly).
DPIA 2: AI-Powered Health Recommendations and Profiling
Scope: The processing of health data through machine learning models to generate personalised health recommendations, travel health risk assessments, and vaccination schedule reminders.
Key findings:
- Automated profiling of health data for recommendations constitutes processing that could significantly affect users (e.g., influencing travel or health decisions).
- Model bias could lead to inaccurate or discriminatory recommendations for certain demographic groups.
- Under Article 22, users have the right not to be subject to decisions based solely on automated processing with legal or similarly significant effects.
Mitigations implemented:
- AI recommendations are explicitly advisory and informational — they do not produce legally binding decisions or restrict the user's rights.
- Explicit opt-in consent is required before AI features are activated.
- Users can request human review of any AI-generated recommendation.
- The AI model is trained on anonymised datasets only; individual user data is processed in isolation and never used to retrain the model without explicit consent.
- Regular bias audits conducted by an independent third party.
- Clear labelling of all AI-generated content within the app.
DPIA 3: QR Code Generation and Third-Party Verification
Scope: The encoding of health data into tamper-proof QR codes and the verification process when QR codes are scanned by third parties (border agents, employers, event organisers).
Key findings:
- QR codes encode personal health data that may be scanned by unknown third parties, creating a risk of unauthorised access and data leakage.
- Verification processes must balance security with usability at border crossings.
Mitigations implemented:
- QR codes are cryptographically signed and timestamped to prevent tampering.
- Users can control what data is encoded in each QR code (minimal data QR codes vs. full health record QR codes).
- Each QR code scan is logged with the verifier's IP address, timestamp, and location (where available), and the user is notified of each scan.
- QR codes expire after a configurable period (default: 72 hours) to limit the window of potential misuse.
- Verification does not store or cache the user's health data on the verifier's device.
10. Data Breach Procedures (Articles 33-34)
We take data breaches extremely seriously and have established comprehensive procedures for detecting, assessing, containing, and notifying breaches in compliance with GDPR Articles 33 and 34.
Detection and Internal Assessment
We maintain continuous security monitoring through automated intrusion detection systems, real-time access logging, and regular security audits. Upon detecting a suspected breach, our Incident Response Team (comprising the DPO, CTO, and security engineers) will immediately conduct an assessment to determine:
- The nature of the breach (confidentiality, integrity, or availability compromise).
- The categories and approximate number of data subjects affected.
- The categories and approximate volume of personal data concerned.
- The likely consequences and severity of the breach.
- Whether the breach is likely to result in a risk to the rights and freedoms of natural persons.
Notification to Supervisory Authorities (Article 33)
Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33(1)). The notification will include:
- The nature of the breach, including where possible the categories and approximate number of data subjects and records affected.
- The name and contact details of our DPO.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide all information within the 72-hour window, we will provide it in phases without further undue delay (Article 33(4)).
Notification to Data Subjects (Article 34)
Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to the affected data subjects without undue delay (Article 34(1)), unless one of the exceptions in Article 34(3) applies (e.g., data was encrypted rendering it unintelligible, or subsequent measures ensure the high risk is no longer likely to materialise). Notifications to data subjects will be delivered via:
- In-app push notification and banner alert.
- Email to the registered email address.
- Notice on our website (https://vaxcpass.com) if the breach affects a large number of users.
Measures to Prevent Breaches
We implement a range of technical and organisational measures to prevent data breaches from occurring (Article 32):
- Encryption: AES-256 encryption at rest and in transit; zero-knowledge architecture ensures we cannot read health data.
- Access control: Role-based access control (RBAC) with the principle of least privilege; multi-factor authentication (MFA) for all staff.
- Network security: TLS 1.3 for all communications; firewall and intrusion detection/prevention systems (IDS/IPS); regular vulnerability scanning.
- Staff training: Mandatory annual data protection and cybersecurity training for all employees; phishing simulation exercises quarterly.
- Incident response: Documented incident response plan tested through tabletop exercises at least twice per year.
- Penetration testing: Annual third-party penetration testing with mandatory remediation of critical and high-severity findings within 30 days.
11. Data Retention Policy
In accordance with GDPR Article 5(1)(e), we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following table sets out our retention periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Identity data (name, DOB, ID number) | Account lifetime + 5 years after account deletion | Legal and audit obligations; prevention of fraud and account recovery |
| Contact data (email, phone, address) | Account lifetime + 2 years after account deletion | Service delivery; post-deletion communication for legal or security purposes |
| Payment data (transaction records, billing info) | 7 years from last transaction | Tax and financial regulatory requirements in Kenya and applicable jurisdictions |
| Health data (vaccination records, test results) | Until consent is withdrawn or account is deleted, whichever is earlier | Consent-based processing — no retention beyond consent (Article 9) |
| Technical data (IP addresses, device info) | 13 months | Security monitoring and CNIL guidance on log data retention |
| Usage data (analytics, crash reports) | 24 months (raw); indefinite (anonymised/aggregated) | Service improvement; anonymised data no longer constitutes personal data |
| Customer support records | 3 years after ticket closure | Quality assurance; handling of potential disputes or follow-up queries |
| Consent records | Duration of processing + 5 years | Demonstration of lawful processing; regulatory compliance evidence |
Criteria for Determining Retention
Retention periods are determined based on the following criteria:
- The original purpose for which the data was collected (Article 5(1)(b)).
- Applicable legal or regulatory retention requirements (e.g., tax laws, financial regulations).
- Statute of limitations that may give rise to legal claims.
- The sensitivity of the data — more sensitive data (e.g., health data) is retained for the shortest period consistent with its purpose.
- User preferences expressed through consent management settings.
Secure Deletion Procedures
When data reaches the end of its retention period, or when a user exercises their right to erasure (Article 17), we implement the following deletion procedures:
- Server-side deletion: Data is securely deleted using cryptographic erasure (destruction of encryption keys), rendering the data permanently unrecoverable.
- Backup purging: Data is purged from all backups within 90 days of the deletion request, in line with our backup rotation schedule.
- Cache and CDN: Any cached copies of personal data in content delivery networks (CDNs) or edge caches are purged within 48 hours.
- Third-party processors: We instruct all sub-processors to delete data within 30 days and require written confirmation of deletion.
- Device-side data: Upon account deletion, the user's device is prompted to delete all locally stored VaxCPass data. The app provides a clear confirmation of deletion.
12. Data Security Measures (Article 32)
In accordance with GDPR Article 32(1), we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Technical Measures
- AES-256 encryption: All personal data, including health data, is encrypted at rest using the Advanced Encryption Standard with a 256-bit key length (AES-256). This is the gold standard for data encryption and is approved by the US National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA).
- Zero-knowledge architecture: We employ a zero-knowledge (end-to-end encrypted) architecture for health data. Encryption keys are derived from the user's device credentials and are never transmitted to or stored on our servers. This means Atlas Software Corporation cannot access, read, or decrypt your health data under any circumstances.
- TLS 1.3: All data in transit is protected using Transport Layer Security version 1.3, the latest and most secure version of the TLS protocol, with strong cipher suites and forward secrecy.
- Hardware-backed secure enclaves: On supported devices, sensitive cryptographic operations (key generation, signing, encryption) are performed within hardware-backed secure enclaves (e.g., Apple Secure Enclave, Android StrongBox Keymaster). This provides protection against software-level attacks and ensures that encryption keys cannot be extracted even from a compromised device.
- Multi-factor authentication (MFA): All users and staff are required to enable MFA for account access. We support TOTP-based MFA and biometric authentication (fingerprint, face recognition) on supported devices.
- Role-based access control (RBAC): Internal access to production systems is governed by RBAC with the principle of least privilege. Engineering staff have access only to the systems and data required for their specific role, and all access is logged and auditable.
- Intrusion detection and prevention: We deploy web application firewalls (WAFs), intrusion detection systems (IDS), and intrusion prevention systems (IPS) to detect and block unauthorised access attempts in real time.
- Regular security testing: Annual third-party penetration testing, quarterly vulnerability assessments, and continuous automated security scanning of our codebase and infrastructure.
Organisational Measures
- Access controls and need-to-know basis: Only authorised personnel with a legitimate business need have access to personal data. Access rights are reviewed quarterly and immediately revoked upon termination of employment or change of role.
- Staff training: All employees and contractors receive mandatory data protection and cybersecurity training upon onboarding and annually thereafter. Training covers GDPR obligations, data handling procedures, phishing awareness, and incident reporting protocols. Quarterly phishing simulation exercises are conducted to reinforce awareness.
- Incident response plan: A documented and regularly tested incident response plan is maintained, with clear roles, responsibilities, escalation procedures, and communication templates. Tabletop exercises are conducted at least twice per year.
- Background checks: All employees with access to personal data undergo background checks prior to employment, in accordance with applicable law.
- Confidentiality agreements: All employees and contractors sign confidentiality and data protection agreements as a condition of employment or engagement.
- Vendor management: All third-party processors undergo a security assessment prior to onboarding and are subject to annual review. Data Processing Agreements (DPAs) are in place with all processors (Article 28).
Physical Measures (Cloud Provider)
Our cloud infrastructure provider maintains the following physical and environmental security controls at their data centres:
- ISO 27001 and SOC 2 Type II certified facilities.
- 24/7 on-site security personnel and CCTV surveillance.
- Biometric and multi-factor access control to data centre facilities.
- Fire suppression, environmental monitoring, and redundant power and cooling systems.
- Hardware destruction and secure disposal procedures for decommissioned equipment.
13. Third-Party Processors (Article 28)
Under GDPR Article 28(1), where we engage a processor to process personal data on our behalf, we do so by means of a contract that imposes the obligations set out in Article 28(3). The following table lists our current sub-processors:
| Processor | Purpose | Location | DPA Status |
|---|---|---|---|
| Cloud Hosting Provider (AWS / Google Cloud) | Infrastructure hosting, data storage, computing services, content delivery | Multiple regions including EU (Ireland, Germany), US, Africa (Cape Town) | DPA in place; SCCs executed; SOC 2 Type II certified; GDPR Article 28(3) obligations included |
| Stripe, Inc. | Payment processing, subscription billing, card tokenisation | United States (EU-US Data Privacy Framework certified) | DPA in place; PCI-DSS Level 1 certified; data processed under the EU-US DPF where applicable |
| Plerdy | Website and in-app analytics, heatmap tracking, user behaviour analysis | United States | DPA in place; data pseudonymised before transmission; no health data processed; cookie consent required |
| Email Service Provider (Resend / SendGrid) | Transactional email delivery (account verification, notifications, data subject request communications) | United States (EU-US Data Privacy Framework certified) | DPA in place; emails transmitted via TLS; no personal data used for the provider's own marketing purposes |
We carefully vet all sub-processors prior to onboarding and conduct annual reviews of their security posture, compliance certifications, and adherence to our DPA requirements. Under GDPR Article 28(2), our processors may not engage additional sub-processors without our prior specific or general written authorisation, and we require that the same Article 28(3) obligations be imposed on any sub-processor engaged by our existing processors.
We maintain an up-to-date list of all sub-processors, which is available upon request to our DPO. Users will be notified of any material changes to our sub-processor list in accordance with Article 28(3).
14. Your Right to Lodge a Complaint
If you believe that our processing of your personal data violates GDPR, the Kenya Data Protection Act 2019, POPIA, or any other applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority. Under GDPR Article 77(1), the right to lodge a complaint applies without prejudice to any other administrative or judicial remedy.
European Union
You may lodge a complaint with the data protection authority in your EU Member State of residence, place of work, or where the alleged infringement took place. Notable supervisory authorities include:
- Irish Data Protection Commission (DPC): www.dataprotection.ie — our lead supervisory authority under the one-stop-shop mechanism (Article 56).
- Commission Nationale de l'Informatique et des Libertés (CNIL) — France: www.cnil.fr
- Information Commissioner's Office (ICO) — United Kingdom: ico.org.uk
- Bundesbeauftragter für den Datenschutz (BfDI) — Germany: www.bfdi.bund.de
Kenya
Under the Kenya Data Protection Act 2019, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
- Office of the Data Protection Commissioner: www.odpc.go.ke
- Email: complaints@odpc.go.ke
- Phone: +254-20-2229095
South Africa (POPIA)
Under the Protection of Personal Information Act (POPIA), you may lodge a complaint with the Information Regulator:
- The Information Regulator (South Africa): www.inforegulator.org.za
California (CCPA)
Under the California Consumer Privacy Act, you may lodge a complaint with the California Attorney General:
- California Attorney General — Privacy Unit: oag.ca.gov/privacy
We encourage you to contact our DPO first at vaxcpass@gmail.com if you have concerns about how your data is being processed. We are committed to resolving complaints promptly and will investigate and respond to all concerns raised.
15. Children's Data
VaxCPass is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verified parental or guardian consent. However, we recognise that minors may require digital health passports for travel, and we have implemented the following safeguards:
Age Requirements
- EEA: In accordance with GDPR Article 8(1), children under 16 may not use VaxCPass unless they have verifiable parental or guardian consent. In Member States where the law provides for a lower age (between 13 and 16), the lower age threshold applies in that Member State.
- Kenya: Under the Kenya Data Protection Act 2019, the minimum age for valid consent is 18 years. For minors under 18, parental or guardian consent is required.
- United States (CCPA/COPPA): We comply with the Children's Online Privacy Protection Act (COPPA), which requires verifiable parental consent for children under 13.
Age Verification
During the registration process, we ask users to confirm their date of birth. Where a user indicates that they are below the applicable minimum age, we:
- Do not proceed with account creation.
- Provide a mechanism for a parent or guardian to create an account on the child's behalf.
- Where parental consent is required, obtain it through a clear, affirmative consent flow that includes the parent or guardian's identity verification.
Parental Consent
Where parental consent is required, we obtain it through the following process:
- The parent or guardian creates their own VaxCPass account and verifies their identity.
- The parent or guardian links the child's profile to their account.
- The parent or guardian provides explicit consent to the processing of the child's health data on the child's behalf.
- The parent or guardian can manage, review, and revoke the child's data and consents at any time through their account settings.
If we discover that we have collected personal data from a child without verified parental consent, we will take immediate steps to delete that data from our servers and backups in accordance with our secure deletion procedures (Section 11).
16. Kenya Data Protection Act 2019 Alignment
As a company headquartered in Kenya, Atlas Software Corporation is registered with and regulated by the Office of the Data Protection Commissioner (ODPC) under the Kenya Data Protection Act 2019. We maintain compliance with the Kenyan legal framework alongside our GDPR obligations. The following table outlines specific alignments:
| Kenya DPA 2019 Provision | GDPR Equivalent | VaxCPass Compliance |
|---|---|---|
| Section 25: Registration of data controllers and processors | Article 28 (DPA requirement); national registration requirements | Atlas Software Corporation is registered with the ODPC as a data controller and data processor. Registration details are available upon request. |
| Section 5: Conditions for lawful processing of personal data | Article 6 (Lawful basis for processing) | We process personal data only where a valid legal basis exists under both the Kenya DPA and GDPR (see Section 3 of this Notice). |
| Section 45: Conditions for processing sensitive personal data | Article 9 (Special category data) | Health data is processed only with explicit consent under Section 45 of the Kenya DPA and Article 9(2)(a) of the GDPR (see Section 4 of this Notice). |
| Section 26: Data protection impact assessments | Article 35 (DPIAs) | DPIAs have been conducted for all high-risk processing activities (see Section 9 of this Notice). These DPIAs are available for review by the ODPC upon request. |
| Section 27: Appointment of a Data Protection Officer | Articles 37-39 (DPO) | We have appointed a DPO who is registered with the ODPC and can be contacted at vaxcpass@gmail.com. |
| Section 29: Cross-border data transfers | Articles 44-49 (International transfers) | International data transfers are subject to assessment of the recipient country's data protection adequacy, and appropriate safeguards (SCCs) are in place (see Section 8 of this Notice). |
| Section 35: Data breach notification | Articles 33-34 (Breach notification) | We notify the ODPC of any notifiable data breach within 72 hours of becoming aware of it, and notify affected data subjects without undue delay where the breach is likely to result in a high risk (see Section 10 of this Notice). |
| Sections 13-20: Data subject rights (access, rectification, erasure, etc.) | Articles 12-23 (Data subject rights) | All data subject rights under the Kenya DPA are respected and facilitated (see Section 5 of this Notice). Users may exercise their rights via the app or by contacting our DPO. |
| Section 24: Security measures | Article 32 (Security of processing) | Comprehensive technical and organisational security measures are in place, including AES-256 encryption, zero-knowledge architecture, RBAC, and regular security testing (see Section 12 of this Notice). |
17. Changes to This Notice
We may update this GDPR Compliance Notice from time to time to reflect changes in our processing activities, changes in applicable law, or updates to our organisational structure or sub-processors. In accordance with GDPR Article 12(1), we will ensure that this Notice is concise, transparent, intelligible, and easily accessible, using clear and plain language.
When we make material changes to this Notice, we will:
- Update the "Last updated" date at the top of this page.
- Notify users via in-app notification or email for significant changes that affect how their data is processed.
- Obtain fresh consent where required, particularly where changes affect the processing of special category data (Article 9).
- Maintain a version history of this Notice, which is available upon request from our DPO.
We encourage you to review this Notice periodically to stay informed about how we protect your data. Your continued use of VaxCPass after any changes constitutes your acceptance of the updated Notice.
18. Contact Information
If you have any questions, concerns, or requests regarding this GDPR Compliance Notice, our data protection practices, or the exercise of your data subject rights, please contact us:
Atlas Software Corporation
Data Protection Officer: vaxcpass@gmail.com
Phone: +254-727-730-363
Address: Karen Ngong Rd, Nairobi, Kenya
Website: https://vaxcpass.com
We will acknowledge receipt of all data protection enquiries within 3 business days and endeavour to provide a substantive response within the timelines set out in this Notice and required by applicable law.