Privacy Notice
This notice describes how CueCrux (including WebCrux, FactoryCrux, Engine, WatchCrux, SDKCrux, OpsCrux, and InfraCrux) collects, processes, stores, and protects personal data. It explains how users, contributors, and organisations can exercise their rights, how data is handled within the CueCrux platform, and how the system’s architecture ensures lawful, fair, and transparent processing by design.
1. Purpose of this Notice
CueCrux is built on the principle of verifiable knowledge, not personal profiling.
Our platform exists to create trust in information, not to exploit user data. However, certain personal data must be processed to deliver, secure, and improve the services we provide; for example, when you create an account, participate in the CRUX economy, submit a support request, or manage organisational roles within CueCrux.
This Privacy Notice explains in clear terms:
- What personal data we collect and why: including account details, organisational information, and operational metadata necessary for authentication, billing, and compliance.
- How we store, protect, and minimise that data: through encryption, compartmentalisation, and strict retention schedules.
- How you can exercise your privacy rights: such as access, correction, deletion, and objection under data protection law.
- How the CueCrux platform enforces compliance through technology: including the provenance ledger, automated retention controls, Vault-based key management, and a privacy-by-design architecture verified by independent audits (WatchCrux).
CueCrux’s privacy framework aligns with the leading data protection and privacy laws governing our operations:
- UK GDPR and the Data Protection Act 2018 (DPA 2018)
- EU General Data Protection Regulation (EU GDPR)
- US Federal and State privacy frameworks, including the California Consumer Privacy Act (CCPA) and emerging equivalents such as the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA)
We continuously monitor updates to these laws, relevant ICO, EDPB, and FTC guidance, and recognised security frameworks (such as ISO 27001, SOC 2, and NIST 800-53) to maintain compliance and best practice.
This document is therefore intended for users, partners, auditors, and regulators reviewing the CueCrux platform’s privacy, legal, and technical posture under UK, EU, and US data protection standards.
2. Core Principles
CueCrux adheres to internationally recognised privacy and data protection principles derived from the UK GDPR, EU GDPR, and relevant US privacy laws (including CCPA, VCDPA, and CPA).
These principles form the foundation for how we design, operate, and audit all CueCrux services.
| Principle | Description |
|---|---|
| Lawfulness & Fairness | All processing of personal data has a lawful basis: typically contractual necessity (for account management and service delivery), legitimate interests (for security, analytics, and fraud prevention), or explicit consent (for communications or optional features). Processing is conducted transparently and proportionately, with clear user notice and the right to withdraw consent at any time. |
| Purpose Limitation | Data is collected and used only for the specific, legitimate purposes disclosed at the time of collection, such as authentication, usage analytics, billing, or support. We never repurpose or sell data for advertising, profiling, or third-party marketing. Any new processing purpose triggers an internal Data Protection Impact Assessment (DPIA) before implementation. |
| Data Minimisation | We collect only the minimum data necessary to provide and secure the service. Engine responses and AI-generated content exclude personal data unless it has been deliberately included by the user. Identifiers, telemetry, and logs are pseudonymised wherever possible, and personal identifiers are hashed or redacted before storage. |
| Accuracy & Freshness | Users can update or correct their information at any time. Metadata such as timestamps, receipts, and provenance entries are versioned to maintain historical accuracy while supporting traceability and compliance reporting. |
| Storage Limitation | Retention periods are time-boxed by data type; for example, support tickets (18 months), logs (12 months), and backups (30–90 days). WatchCrux audits verify adherence to these schedules. When data expires, it is securely deleted or anonymised, and the deletion is logged. |
| Integrity & Confidentiality | Data is protected by encryption in transit and at rest using industry-standard protocols (TLS 1.3 and AES-256). Secrets and signing keys are stored in Vault Transit, not on disk. Append-only ledgers ensure provenance records cannot be altered, preserving evidential integrity for audits and dispute resolution. |
| Accountability | Every data flow, system, and purpose is documented in the Register of Processing Activities (ROPA) maintained in OpsCrux. This enables end-to-end visibility, aligns with ICO and EDPB guidance, and ensures that data controllers, processors, and subprocessors can demonstrate compliance on demand. |
Together, these principles ensure that CueCrux’s processing of data is lawful, transparent, and technically enforced, not merely policy-based.
3. Data Categories Processed
CueCrux processes a limited set of personal and operational data required to deliver its services, ensure platform security, and maintain verifiable integrity.
We deliberately avoid collecting sensitive categories of personal data (e.g., health, race, religion, political opinions) unless strictly necessary for a specific contractual purpose and with explicit consent.
| Data Type | Example Fields | Purpose |
|---|---|---|
| Account Data | name, email address, hashed password (Argon2id), organisation membership, verification status | Used for authentication, role-based access control, and session management. Account credentials are securely hashed and never stored in plain text. Email addresses are used solely for account recovery, notifications, or security alerts. |
| Usage Metadata | query IDs, timestamps, mode (light / verified / audit), feature flags, performance logs | Enables service analytics, reliability monitoring, and service-level objective (SLO) reporting. Metadata is pseudonymised and used to improve response quality and system efficiency, never for profiling or marketing. |
| Support Data | ticket body, attachments, sender address, support channel identifiers | Managed by SupportCrux for ticket triage and resolution. Attachments and message bodies are stored only as long as required to resolve the case, subject to the retention policy. Sensitive content is automatically redacted or flagged for limited access. |
| Organisation Data | team name, member roles, plan tier, entitlements, usage limits | Facilitates workspace management, billing, and role-based permissions. Organisation administrators can review or delete member data through their admin interface. |
| Receipts & Provenance Data | cryptographic hashes (BLAKE3), timestamps, citation sources, verification signatures | Core to CueCrux’s proof and auditability framework. These records demonstrate that data has not been tampered with and ensure compliance with integrity and trust policies. Receipts are append-only and immutable. |
| System Telemetry | latency, error rates, cost metrics, model token usage, queue depth | Used for reliability, budget control, and FinOps reporting. Contains no personal content; identifiers are anonymised at the point of collection. |
| Cookies / Session IDs | secure httpOnly refresh tokens, short-lived session identifiers | Support user session continuity and authentication without storing personal information in browser-accessible form. No third-party or tracking cookies are used. |
CueCrux does not use personal data for marketing, advertising, profiling, or automated decision-making beyond essential operational functions such as rate limiting, security analysis, or fraud prevention.
4. Lawful Basis & Roles
CueCrux operates within a multi-role data governance model, acting as both data controller and data processor depending on the context of processing.
These distinctions ensure compliance with UK GDPR, EU GDPR, and major US privacy frameworks (e.g., CCPA / VCDPA / CPA) while maintaining transparency for enterprise customers and end users.
| Processing Context | Lawful Basis | Controller / Processor Role | Explanation |
|---|---|---|---|
| Account Registration | Contractual necessity | Controller | Personal data is required to create and maintain user accounts. Processing enables access, authentication, and security notifications. Without this data, the service cannot be provided. |
| Query Processing | Contract / Legitimate Interest | Processor (on behalf of the organisation) | Queries, including artefacts and evidence sets, are processed under the organisation’s control. CueCrux acts as a data processor, handling information on their behalf in accordance with documented contracts and data processing agreements (DPAs). |
| Support Tickets | Contract / Legitimate Interest | Controller | Support data (e.g., ticket content) is processed by CueCrux to diagnose and resolve issues. Limited operational analytics (e.g., resolution times, categories) may be derived without exposing message content. |
| Telemetry & SLO Metrics | Legitimate Interest | Controller | Anonymous telemetry and performance metrics are collected to maintain service quality, detect abuse, and meet operational SLOs. No personal identifiers are retained. |
| CRUX Economy Participation | Consent / Contract | Controller | Data related to participation (e.g., user balance, contribution records) is processed with explicit consent and contract acceptance. These records are pseudonymous and verifiable through signed receipts, not personal financial data. |
| Audit & Provenance Storage | Legal Obligation / Security Integrity | Controller | Provenance and receipt data are required for audit and compliance with integrity laws and certification standards (e.g., SOC 2, ISO 27001). Records are immutable and retained for evidentiary purposes. |
Cross-Border Transfers
Where data leaves the UK or EEA, CueCrux ensures lawful and secure transfer using one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for any transfers to non-adequate jurisdictions.
- Encryption in transit and at rest for all data, with keys held in UK/EU regions.
- Data localisation and federated proof mechanisms for enterprise tenants (via Private Stack), allowing verification without exposing personal or proprietary data beyond their jurisdiction.
CueCrux regularly reviews its subprocessors and publishes a transparency report detailing all data locations and legal bases for transfer.
5. Privacy by Design & Technical Enforcement
CueCrux applies privacy by design and by default across every architectural layer of the platform.
Each service implements specific technical safeguards that collectively ensure lawful, secure, and transparent processing.
These safeguards are auditable, measurable, and independently verified through automated checks and periodic reviews by WatchCrux.
WebCrux (Front-end & Backend-for-Frontend)
- Role: Manages user-facing authentication, session security, and API request mediation between users and the Engine.
- Key Safeguards:
- Uses short-lived JWTs (RS256) and rotating httpOnly, Secure, SameSite=Strict cookies for session control.
- Engine credentials are never exposed to browsers: all requests route through the WebCrux BFF, which signs and proxies requests on the user’s behalf.
- Strict Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP) headers prevent unauthorised data access.
- The JWKS endpoint (`/.well-known/jwks.json`) provides public key material for verification, supporting transparent validation of all access tokens.
- All authentication events are logged, versioned, and auditable within OpsCrux under the ROPA registry.
Engine (Knowledge & Provenance Layer)
- Role: Core compute and evidence system; processes factual data, not personal data.
- Key Safeguards:
- Stores only evidence metadata, such as URLs, canonical domains, timestamps, and content hashes (BLAKE3).
- Excludes personal or user-generated identifiers unless explicitly submitted in a query.
- Implements append-only provenance ledgers with ed25519 digital signatures, ensuring each record’s authenticity and immutability.
- Supports QUORUM (Quorum of Unified Observations and Referenced Underlying Material) for verifiable transparency without revealing sensitive inputs; QUORUM selects MiSES (Minimal Evidence Sets) per claim where evidence is required.
- Retention and replay are enforced via WatchCrux audits; records are cryptographically linked and non-modifiable.
FactoryCrux (Ingestion & Data Sourcing)
- Role: Policy-aware ingestion service that transforms public data into verified artefacts.
- Key Safeguards:
- Fully honours robots.txt, X-Robots-Tag, and explicit licence headers when fetching or parsing content.
- Offers a metadata-only mode for sources with uncertain or restrictive licences to avoid processing or storing personal data.
- Implements anti-PII scanning (based on the ATAM framework) to redact or flag sensitive information automatically.
- Retains artefacts under clear jurisdictional and licence tags (`license_id`, `jurisdiction`) to enforce downstream compliance.
- Ingested data is subject to deduplication via BLAKE3 hashes, reducing redundant or repeated storage of similar content.
- Access to ingestion jobs and results is authenticated via WebCrux’s BFF and audited by WatchCrux.
WatchCrux (Independent Audit Operator)
- Role: Acts as an independent, read-only observer that continuously validates system health, metrics, and privacy posture.
- Key Safeguards:
- Polls `/healthz`, `/readyz`, and `/metrics` across all services every 15 seconds; logs compliance outcomes.
- Executes deterministic audits of data retention, backup success, and security configurations.
- Maintains its own Postgres schema (`watchcrux`) for audit logs, ensuring separation of duties and evidence integrity.
- Publishes PASS/WARN/FAIL findings to OpsCrux dashboards, enabling transparent privacy oversight.
- Verifies Vault key rotation, JWKS overlap, and data deletion completeness as part of each audit cycle.
InfraCrux (Infrastructure & Security Plane)
- Role: Provides the secure, monitored foundation for all services: compute, networking, and storage.
- Key Safeguards:
- Enforces TLS 1.3 encryption in transit and AES-256 encryption at rest across all databases and object stores.
- Centralises secrets management through HashiCorp Vault Transit, ensuring keys never reside on disk.
- Implements Point-in-Time Recovery (PITR) for Postgres and nightly snapshot verification for ClickHouse.
- Conducts monthly restore drills to ensure recoverability and RTO < 30 minutes.
- Maintains immutable logs and metrics through Prometheus and Grafana, forming part of WatchCrux’s validation loop.
- Operates under strict network segmentation, separating internal systems (Engine, DBs) from public endpoints.
SDKCrux (Developer Integration Layer)
- Role: Provides standardised data contracts, safe type definitions, and client libraries for developers.
- Key Safeguards:
- All SDK data transfer objects (DTOs) exclude raw credentials or sensitive tokens.
- Enforces Zod-based schema validation for every API payload to prevent malformed or unsafe inputs.
- Uses secure header injection (`X-WebCrux-User`, `X-WebCrux-Org`) in server contexts only, preventing exposure to browsers.
- Includes built-in cryptographic verification utilities for receipts, ensuring any consumer can verify provenance without trusting CueCrux blindly.
- Version compatibility (`sdkVersion`, `compat.requires`) is reported in `/healthz` endpoints for transparency and auditability.
ATAM (Auth, Trust & Anti-Manipulation Framework)
- Role: Detects, mitigates, and flags bias, misinformation, or malicious manipulation attempts across ingestion and retrieval.
- Key Safeguards:
- Scans artefacts and retrieved data for personally identifiable information (PII), prompt-injection attempts, and other anomalies.
- Identifies retracted or predatory sources, labelling them clearly without suppressing content, promoting transparency over censorship.
- Applies reputation weighting and contradiction scoring to maintain trust without subjective moderation.
- Annotates flagged content with contextual badges (e.g., “retracted source”, “weak quote”) displayed within WebCrux and OpsCrux UIs.
- All detections are recorded in WatchCrux audit logs, ensuring visibility for legal and compliance reviews.
By enforcing these layered controls, CueCrux ensures privacy is not just a policy but a built-in feature of its architecture.
Each subsystem contributes to a holistic model of defensible privacy, enabling compliance with UK, EU, and US laws while maintaining the verifiability that defines CueCrux.
6. Data Retention & Deletion
CueCrux maintains strict, verifiable retention policies to ensure personal and operational data are only kept for as long as necessary.
Every dataset has a defined retention period, documented deletion method, and automated audit trail managed through OpsCrux and verified by WatchCrux.
All deletions, manual or automated, are recorded as immutable audit events and form part of CueCrux’s demonstrable compliance under UK GDPR Article 5(1)(e) (storage limitation) and DPA 2018 Schedule 1 (security and retention).
| Data Category | Default Retention | Deletion Method |
|---|---|---|
| User Accounts | Until voluntary closure or inactivity exceeding 24 months | Securely erases login credentials, session data, and organisation memberships. Keys and tokens are invalidated in Vault; related logs are anonymised. A closure confirmation and deletion receipt are issued to the account holder. |
| Support Tickets | 18 months from resolution | Cascade deletion across support_tickets, support_messages, and attachments tables. WatchCrux verifies purge completion and flags any residual rows for follow-up. |
| Receipts & Provenance Records | Permanent (append-only, tamper-evident) | Not deleted. These records form part of CueCrux’s verifiable integrity framework. They are cryptographically signed (BLAKE3 + ed25519) and stored as immutable ledger entries. Deletion would undermine legal and evidential trust obligations; instead, access is restricted where required. |
| Logs / Telemetry | 12 months | Automatically pruned from ClickHouse according to partitioned retention policies. Summarised aggregates (non-personal, statistical data) are retained for trend and performance analysis. WatchCrux validates pruning success in each audit cycle. |
| KYC/KYB Records (IDs, beneficial owners) | Up to 5 years after account closure or final payout | Encrypted storage with restricted access; deletion scheduled post-retention unless under legal hold. |
| Payout & Beneficiary Verification Records | Up to 5 years | Encrypted storage, access-logged; retained for audit/regulatory reporting. |
| AML Flags & Case Notes (WatchCrux/OpsCrux) | Up to 5 years or as required by law | Access-restricted case management; periodic review and purge after retention. |
| Backups | 30–90 days, depending on dataset and region | Overwritten as part of Point-in-Time Recovery (PITR) schedules. Monthly restore drills verify recoverability and ensure expired snapshots cannot be restored. Backups remain encrypted with keys rotated via Vault Transit. |
| PII-Flagged Artefacts | ≤ 6 months | FactoryCrux automatically redacts, masks, or purges artefacts identified as containing personal data. Redaction logs and proof-of-purge receipts are stored for accountability. Audit confirmation is required before closure. |
Deletion Requests (DSAR Workflow)
CueCrux honours all Data Subject Access Requests (DSARs) and erasure requests in line with UK GDPR Articles 15–17.
- Requests can be made through the in-app privacy portal or by emailing privacy@cuecrux.com.
- Each request is triaged by OpsCrux and assigned a unique reference ID.
- Where data resides in operational systems, deletion tasks are executed within 30 calendar days and verified by WatchCrux.
- Completed requests generate a deletion confirmation receipt and are logged in the OpsCrux DSAR ledger for compliance reporting.
Certain datasets, such as cryptographically signed receipts, provenance ledgers, and legal audit artefacts, may be exempt from full deletion due to legal obligations or public interest archiving.
In such cases, access is restricted, anonymisation is applied where feasible, and the data subject is informed of the limitation.
CueCrux’s data lifecycle management is proactive and auditable: combining automation, encryption, and oversight to ensure that no personal data outlives its lawful purpose.
AML & KYC Retention
We retain AML/KYC datasets under a distinct lawful basis (legal obligation and legitimate interests: fraud prevention). Access is limited to vetted personnel, and all access is logged. Retention periods above apply unless a legal hold requires extension. See also: Terms §9A/§9B and the Economy guide’s Redemption section.
7. Security Controls
CueCrux’s security model is engineered to meet and exceed international standards including ISO 27001, SOC 2 Type II, and UK NCSC Cyber Essentials Plus principles.
Security is not treated as an afterthought or compliance checkbox, but as a verifiable and measurable discipline built into the platform’s architecture, operations, and culture.
Every service, from the Engine to WebCrux and InfraCrux, follows a defence-in-depth model: secrets are centrally managed, traffic is encrypted, access is tightly controlled, and all actions are logged in an immutable ledger.
Vault Transit Signing
- Purpose: To ensure that cryptographic operations never expose private key material.
- Implementation:
- All signing operations (JWTs, provenance receipts, API tokens) are performed via HashiCorp Vault Transit Engine.
- JWTs use RSA-2048 keys; provenance receipts use ed25519 signatures.
- Private keys never reside on disk: Vault signs transactions in memory and returns the signed payload only.
- Each signing event is auditable via Vault logs and WatchCrux, which verifies key rotation and signing integrity.
- Vault keys rotate on a 90-day cadence, and overlapping versions are supported to prevent downtime during renewal.
End-to-End Encryption
- Purpose: To protect data confidentiality and authenticity in transit and at rest.
- Implementation:
- All communication between services is secured with TLS 1.3 using strong cipher suites and perfect forward secrecy (PFS).
- All databases (Postgres, ClickHouse, and backup archives) are encrypted at rest with AES-256-GCM.
- Certificates are managed through InfraCrux’s automated ACME or internal CA pipeline, with monitoring for expiry.
- WatchCrux audits confirm the validity of TLS endpoints and encryption policies weekly.
Access Controls & Privilege Management
- Purpose: To enforce least privilege and separation of duties across all services and personnel.
- Implementation:
- Role-Based Access Control (RBAC) is applied per organisation, defining roles such as owner, admin, and member.
- OpsCrux enforces privilege levels and logs every administrative or configuration change.
- API keys and service accounts are scoped to the minimum required permissions; they cannot escalate privileges.
- Multi-factor authentication (MFA) and device validation are mandatory for administrative accounts.
- WatchCrux monitors access patterns and alerts on anomalies, failed logins, or privilege escalations.
Backups & Disaster Recovery
- Purpose: To ensure business continuity and protect against data loss or corruption.
- Implementation:
- Point-in-Time Recovery (PITR) is available for Postgres databases, ensuring recovery to within 30 minutes of any event.
- Nightly backup verification checks snapshot integrity for Postgres, ClickHouse, and Vault.
- Monthly restore drills simulate full environment recovery to validate runbooks and RTO/RPO compliance.
- Backup data remains encrypted at rest, versioned, and geographically redundant where applicable.
- Results of restore drills are published in OpsCrux and validated by WatchCrux for audit purposes.
Audit Trails & Accountability
- Purpose: To maintain full traceability and non-repudiation of privileged or sensitive actions.
- Implementation:
- Every administrative, system, or user action that affects configuration, access, or data retention generates a signed ledger entry in OpsCrux.
- WatchCrux independently ingests and verifies these ledger entries, ensuring audit evidence cannot be altered or deleted.
- Audit data includes timestamp, actor, reason, affected resource, and digital signature.
- Ledger immutability ensures compliance with ISO 27001 Annex A.12 and SOC 2’s Security & Integrity principles.
Data Integrity & Provenance Assurance
- Purpose: To ensure that evidence and records remain verifiable, tamper-evident, and immutable throughout their lifecycle.
- Implementation:
- The Provenance Ledger enforces append-only semantics: once written, no record can be modified or deleted.
- Each entry is hashed using BLAKE3 and signed with ed25519, producing verifiable cryptographic receipts.
- Any attempted modification or rollback produces a signature mismatch, instantly flagged by WatchCrux.
- OpsCrux dashboards surface integrity metrics, including provenance OK rate, ledger gap alerts, and contradiction rate trends.
CueCrux’s layered security approach provides cryptographic assurance, operational transparency, and auditable accountability at every stage, aligning legal, technical, and ethical standards into a single unified trust framework.
8. Cookies & Tracking
CueCrux adopts a privacy-first cookie policy, using only cookies essential to the operation and security of the platform.
We do not deploy advertising trackers, third-party analytics, fingerprinting tools, or behavioural profiling technologies.
All cookies are scoped to CueCrux-owned domains and comply with the UK GDPR, EU ePrivacy Directive, and US state privacy laws such as the CCPA.
| Cookie | Type | Purpose |
|---|---|---|
| cc_refresh | Secure, httpOnly | Maintains authenticated sessions without exposing tokens to the browser or client-side scripts. This cookie cannot be accessed via JavaScript and expires automatically after a short duration or on logout. |
| cc_mode | Preference | Stores the user’s last selected trust mode (light, verified, or audit) to improve usability without retaining personal identifiers. The preference is local to the device and never transmitted externally. |
| cc_consent | Consent | Records a user’s cookie consent choice in line with GDPR and ePrivacy regulations. It ensures that optional or non-essential cookies (if introduced in the future) are never set without prior consent. |
Operational Safeguards
- Cookies are set using the Secure and SameSite=Strict attributes to prevent cross-site attacks.
- Session cookies are rotated periodically and invalidated upon logout or account inactivity.
- All cookie policies are transparently listed in the in-app Privacy Settings page and are subject to user review at any time.
- No data collected via cookies is shared with external parties or analytics providers.
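A cookie policy like the one in this section is only as good as its enforcement on every response, so a practical check is to parse the `Set-Cookie` headers a service actually emits and compare them with the stated attributes. The block below is an added example, not CueCrux code, of such a conformance check. The cookie names come from the table above; the `Set-Cookie` header strings are constructed, and the 24-hour upper bound on `Max-Age` for the refresh cookie is an assumption standing in for the notice's "short duration" (the notice gives no number). `parseSetCookie`, `checkCookie`, `auditCookies` and the `POLICY` table are hypothetical names introduced here.

```javascript
// Added example (not CueCrux code): check emitted Set-Cookie headers against the
// attribute policy this notice describes. Sample headers are constructed; the
// 24h Max-Age ceiling for the session cookie is an assumption.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Per-cookie policy: required attributes and, for session cookies, a maximum lifetime.
// httponly: false means the attribute is not required, not that it is forbidden.
const POLICY = {
  cc_refresh: { httponly: true, secure: true, samesite: 'strict', maxAgeSec: 24 * 3600 },
  cc_mode: { httponly: false, secure: true, samesite: 'strict', maxAgeSec: null },
  cc_consent: { httponly: false, secure: true, samesite: 'strict', maxAgeSec: null },
};

// Returns { name, status: 'PASS' | 'FAIL', findings: [...] } for one Set-Cookie header.
function checkCookie(header) {
  const c = parseSetCookie(header);
  const p = POLICY[c.name];
  if (!p) return { name: c.name, status: 'FAIL', findings: ['cookie not in policy'] };
  const findings = [];
  if (!c.attrs.secure) findings.push('missing Secure');
  if (p.httponly && !c.attrs.httponly) findings.push('missing HttpOnly');
  if (String(c.attrs.samesite || '').toLowerCase() !== p.samesite) findings.push('SameSite is not Strict');
  if (p.maxAgeSec !== null) {
    const maxAge = Number(c.attrs['max-age']);
    if (!Number.isFinite(maxAge)) findings.push('no Max-Age on session cookie');
    else if (maxAge > p.maxAgeSec) findings.push(`Max-Age ${maxAge}s exceeds ${p.maxAgeSec}s`);
  }
  return { name: c.name, status: findings.length ? 'FAIL' : 'PASS', findings };
}

// Audit every Set-Cookie header from one response; overall PASS only if all cookies pass.
function auditCookies(headers) {
  const results = headers.map(checkCookie);
  return { status: results.every((r) => r.status === 'PASS') ? 'PASS' : 'FAIL', results };
}

// Constructed sample response: one conformant cookie and two that drift from policy.
const SAMPLE_HEADERS = [
  'cc_refresh=r-token; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600',
  'cc_mode=verified; Path=/; Secure; SameSite=Lax',
  'cc_consent=accepted; Path=/; SameSite=Strict; Max-Age=31536000',
];

console.log(JSON.stringify(auditCookies(SAMPLE_HEADERS), null, 2));
```

Run against real responses, this is the kind of deterministic check a read-only auditor can execute on every deploy: it needs no access to cookie values, only to the attribute flags, and it turns a policy sentence into a PASS/FAIL finding with a reason.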
CueCrux believes that functionality should never come at the expense of privacy: our session design eliminates tracking dependencies while maintaining full compliance across UK, EU, and US regulatory frameworks.
9. User Rights
CueCrux respects and enables all data subject rights defined under the UK GDPR, EU GDPR, CCPA, and comparable privacy frameworks.
We provide users and organisational administrators with clear mechanisms to access, manage, and control their data at any time.
Your Rights
| Right | Description |
|---|---|
| Access | You can request a copy of the personal data CueCrux holds about you, including account, organisational, and support records. |
| Rectification | You can correct inaccurate or incomplete information directly through your account settings or by contacting support. |
| Erasure (“Right to be Forgotten”) | You may request deletion of your personal data where it is no longer required for lawful processing, subject to legal and evidentiary obligations (e.g., provenance ledgers cannot be deleted but can be restricted). |
| Restriction / Objection | You may restrict or object to specific processing activities, such as non-essential analytics or optional product updates. |
| Data Portability | You can export your account data in a structured, machine-readable format (JSON or CSV) for transfer to another provider. |
| Withdrawal of Consent | You can withdraw consent for optional data uses (e.g., newsletters or beta participation) at any time without affecting your access to the core service. |
How to Exercise Your Rights
You can submit a request in one of the following ways:
- By email: support@cuecrux.com
- Through the in-app privacy portal: Accessible from Settings → Privacy → Manage My Data
All requests are handled by CueCrux’s Data Protection Team and logged in the OpsCrux DSAR workflow, which tracks each request from submission to resolution.
Response Times & Verification
- Acknowledgement: Within 5 working days of receipt.
- Completion: Within 30 calendar days, extendable by an additional 30 days for complex cases (per Article 12(3) UK GDPR).
- Verification: Identity verification is required to prevent unauthorised access to personal data.
All DSAR actions are audited by WatchCrux and preserved as immutable entries for regulatory accountability.
Users receive written confirmation when a request has been fulfilled, declined (with reason), or partially restricted under a lawful exemption.
CueCrux’s privacy governance ensures that every user retains full ownership and oversight of their data, supported by traceable, compliant, and verifiable privacy operations across the entire platform.
10. Independent Oversight & Auditing
CueCrux operates under a multi-layered governance model designed to provide independent, continuous, and verifiable oversight of all privacy, integrity, and compliance functions.
WatchCrux - Independent Audit Operator
- Role: WatchCrux functions as an autonomous, read-only service responsible for verifying data integrity, retention adherence, and key management across all CueCrux systems.
- Operation:
- Continuously polls `/healthz`, `/metrics`, and retention endpoints for anomalies.
- Executes automated PASS / WARN / FAIL audits covering deletion completeness, backup freshness, and encryption status.
- Verifies Vault Transit key rotation, ensuring all cryptographic material is current and overlapping rotations are honoured.
- Produces immutable artefacts containing hash-verified audit results.
OpsCrux - Compliance & Visibility Layer
- OpsCrux dashboards display key Privacy & Security KPIs, including:
- DSAR completion times and volumes.
- Retention and deletion policy adherence.
- Audit lag (time between scheduled and completed reviews).
- Provenance integrity rate and ledger consistency checks.
- Service owners receive automated alerts for out-of-policy findings, with remediation tracked in OpsCrux’s incident and change calendar modules.
Legal & Security Governance
- The Legal and Security teams jointly perform quarterly compliance reviews.
- Results are summarised in CueCrux’s Transparency Report, published to the `/docs/policies/` directory and mirrored in the Transparency Portal within WebCrux.
- Any material findings (e.g., delayed deletions, rotation gaps, DSAR non-compliance) trigger immediate alerting via OpsCrux, with WatchCrux verification logs providing independent corroboration.
11. International Transfers
CueCrux recognises its obligations under the UK GDPR, EU GDPR Chapter V, and US state transfer frameworks governing data movements outside their originating jurisdiction.
Cross-border transfers are designed to preserve both privacy and verifiability.
Key Safeguards
- Data Localisation by Default: Primary hosting occurs within UK and EU data centres with redundancy in privacy-adequate regions only.
- Standard Contractual Clauses (SCCs) & UK Addendum: Implemented for subprocessors located outside the UK/EEA, ensuring equivalent protection under international transfer rules.
- Encryption & Transport Security: All data transferred between regions is encrypted in transit (TLS 1.3) and at rest (AES-256). Plaintext exports are strictly prohibited.
- Federated Proof Model: Enterprise tenants using Private Stack can verify proofs via federated hashing without exporting raw or personal data outside their jurisdiction.
- Continuous Monitoring: WatchCrux validates regional routing, data flow compliance, and transfer logs, ensuring adherence to contractual and regulatory controls.
CueCrux maintains an up-to-date list of subprocessors and hosting regions in its Transparency Page, accessible through OpsCrux and the public documentation repository.
12. Contact & Dispute Resolution
CueCrux is committed to transparency, fairness, and full cooperation with regulators in all privacy matters.
| Role | Contact Details |
|---|---|
| Data Controller | CueCrux Ltd. |
| Email (Data Protection Office) | privacy@cuecrux.com |
| Address | Company HQ Address Placeholder |
| Data Protection Officer (DPO) | Name Placeholder |
How to Raise Concerns
- Users may raise concerns or file complaints directly with CueCrux’s DPO via email or through the in-app privacy portal.
- If unsatisfied with CueCrux’s response, individuals may escalate to the Information Commissioner’s Office (ICO, UK) or their local data protection authority in the EU/EEA or other applicable jurisdictions.
- CueCrux will cooperate fully with all regulatory inquiries, provide evidence of compliance upon request, and publish anonymised summaries of investigation outcomes on its Transparency Page within WebCrux.
13. Future Updates
CueCrux’s privacy commitments evolve in step with legal requirements, technological developments, and user expectations.
Policy Versioning & Notifications
- All material changes to this Privacy Notice or related subprocessors are:
- Versioned and archived in the `/docs/policies/` repository.
- Changelog entries are automatically propagated to OpsCrux dashboards.
- Users are notified at least 14 days in advance of substantive updates (e.g., new subprocessors, new categories of data use, or jurisdictional changes).
- Minor clarifications or formatting adjustments may be released without advance notice but will still appear in the policy version history.
Governance & Review Cycle
- The Privacy Notice is reviewed at least annually, or sooner following legal or architectural changes.
- Legal, Security, and OpsCrux teams jointly certify each version through the governance workflow logged in WatchCrux.
Last Updated: November 2025
Version: 0.9