Legal

Data Handling Policy

Effective: January 1, 2026 · PCI-Nexus, operated by Joe Eaton · 1350 Hemlock St., Napa, CA 94559

This Data Handling Policy describes how PCI-Nexus collects, stores, processes, and protects data in connection with the Service. This policy supplements our Privacy Policy and applies to all data processed through the platform, including data belonging to your client organizations.

1. What Data We Collect

PCI-Nexus collects and processes the following categories of data:

Organization information: Company name, address, industry, PCI merchant or service provider classification, SAQ type, and related compliance configuration data for each client organization in your portfolio
User accounts: Name, email address, job title, role, and authentication credentials for each named user on the platform
Uploaded evidence files: Documents, screenshots, configuration exports, scan reports, and other files uploaded to the platform for AI-assisted evidence review. These may include network diagrams, firewall configurations, vulnerability scan results, policy documents, and other technical artifacts
Compliance records: SAQ responses, requirement status records, finding logs, remediation notes, compliance calendar entries, and generated documents (SAQs, AOCs, attestation packages)
Audit logs: Timestamped records of all user actions within the platform, including logins, data modifications, evidence uploads, and document generation events

We do not intentionally collect or store actual payment card numbers, PINs, cardholder data, or other sensitive authentication data. You should not upload files containing live cardholder data to the platform.

2. How Data Is Stored

All data stored in PCI-Nexus is protected with the following controls:

Encryption at rest: All stored data, including evidence files and compliance records, is encrypted using AES-256 encryption
Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints
Infrastructure: PCI-Nexus is hosted on SOC 2 Type 2 certified cloud infrastructure. Our infrastructure providers maintain their own independent security certifications
Client isolation: Each client organization in your portfolio is maintained in a fully isolated data environment. Cross-client data access is prevented at the database and application layers. Each client organization is further protected by a 4-digit PIN that prevents access without explicit authorization
Access controls: Role-based access controls (RBAC) restrict data access within the platform to authorized users only. Administrative access to production systems is limited to authorized personnel and is logged

3. AI Processing

PCI-Nexus uses Claude AI (operated by Anthropic) to analyze evidence files uploaded to the platform. When you upload an evidence file, the content of that file is sent to Anthropic’s API for analysis against applicable PCI DSS requirements.

Key facts about our AI processing:

No training use: Your data is not used to train Anthropic’s AI models. Anthropic processes the data solely to generate the analysis returned to PCI-Nexus
Transient processing: Evidence file content sent to the AI API is processed in real time and is not retained by Anthropic beyond the duration of the API request
Purpose limitation: AI processing is used only for evidence review, compliance chat, and related platform features. It is not used for advertising, profiling, or any purpose unrelated to the Service
Human review: AI verdicts are advisory. Final compliance decisions remain with you and your qualified personnel

4. Data Retention

We retain your data for as long as your account is active plus a 90-day post-cancellation period. During the 90-day retention window after cancellation, your data remains available for export. After 90 days, all data associated with your account and client organizations is permanently and irreversibly deleted from our systems and backups.

Audit logs are retained for a minimum of 12 months to support PCI DSS Requirement 10 compliance for organizations using the platform for their own compliance program.

5. Data Deletion

You may request deletion of specific data records or your entire account at any time by contacting us at jeatonit@outlook.com. We will process verified deletion requests within 30 days. We will confirm completion of deletion in writing.

Note that deletion of certain records may affect the integrity of your compliance audit trail. We will advise you of any such implications before processing the deletion request.

6. Subprocessors

PCI-Nexus uses the following third-party subprocessors to deliver the Service:

Subprocessor	Purpose	Data Processed	Location
Anthropic (Claude AI)	AI evidence review and compliance chat	Evidence file contents, compliance queries	United States
Vercel	Web application hosting and delivery	Web traffic, session data	United States / Global CDN
Supabase	Database and authentication infrastructure	All platform data, user credentials	United States
Google Analytics	Marketing site analytics (with consent)	Anonymized page view and session data	United States

We will update this list when we add new subprocessors and will notify subscribers of material changes to our subprocessor arrangements.

7. Data Breach Notification

In the event of a security incident that results in unauthorized access to, disclosure of, or destruction of your data, we will notify you as required by applicable law. For incidents that meet the threshold for notification under CCPA, GDPR, or other applicable regulations, we will provide notification within the timeframe required by the applicable regulation, and in no event later than 72 hours after we become aware of the incident.

8. Contact

For questions about this Data Handling Policy or to make a data-related request, contact us at:

PCI-Nexus
Operated by Joe Eaton
1350 Hemlock St., Napa, CA 94559
jeatonit@outlook.com