Security and GDPR policy

1. Purpose

This document describes the basic security measures and data processing rules used in Akcepta for the website, application and related services.

It supports platform assessment by customers, security teams, data controllers and compliance stakeholders.

2. Roles in data processing

NGITech Sp. z o.o. is the controller for its website, contact handling, sales, billing and service security.

For employee, contractor and campaign recipient data entered into the application by a customer, NGITech Sp. z o.o. generally acts as processor and the customer acts as controller.

3. Data scope in the application

The platform may process user identifiers, email addresses, roles, departments, organization data, document content, attachments, versions, approvals, recipient lists, delivery statuses, acknowledgement statuses, action dates and technical logs.

The customer should enter only data necessary for document rollout and acknowledgements in the organization.

4. Technical and organizational measures

The operator applies measures appropriate to the service, risks and processing scale.

• HTTPS/TLS encrypted transmission;
• account, role and organization-based access control;
• user authentication and session protection;
• administrative access limited to authorized persons;
• logging of relevant events and administrative actions;
• backups and recovery procedures depending on the environment;
• organization data separation through application permissions;
• minimized access to production data;
• dependency updates and vulnerability remediation within a reasonable time;
• security incident handling procedures.

5. Data processing agreement

For customers acting as controllers, processing terms may be defined in the service terms, a data processing agreement or an individual contract.

Processing terms should cover subject matter and duration, nature and purpose, data categories, categories of persons, obligations of parties, sub-processing, support for data subject rights and return or deletion of data.

6. Subprocessors and infrastructure

The operator may use technical subprocessors for hosting, email, payments, file storage, monitoring, analytics, support and security.

If a customer requires restricted subprocessors, a specific processing region, custom SMTP, private cloud or installation on customer infrastructure, this requires configuration in the Organization or Enterprise plan or a separate agreement.

7. Custom SMTP and private deployment

In the Organization plan, optional use of the customer’s own SMTP server is possible if technical and security configuration is correctly set.

In Enterprise, individual deployments may include private cloud, customer infrastructure installation, platform profiling, imports and integrations. The security scope is agreed in the contract or technical document.

8. Incidents

If a security incident is identified, the operator analyses its scope, possible effects, data categories and notification obligations.

If the incident concerns data processed on behalf of a customer, the operator provides the customer with information needed to assess controller obligations, including possible notification to the supervisory authority or affected persons.

9. Export and deletion

The customer should be able to obtain data needed to preserve rollout evidence, in particular documents, versions, approvals, checklists and acknowledgements.

After service termination, data may be deleted or returned according to the agreement, terms, legal requirements, retention rules and backup procedures.

10. Limitations

Akcepta supports policy rollout and evidence processes but does not itself guarantee the customer’s compliance with all legal, industry or regulatory obligations.

The customer should assess documents and processes considering its industry, scale, controller role, HR obligations, information security and local law.