This page explains how the Integration API handles personal data under the GDPR (EU Regulation 2016/679). It is a technical summary of what the API does — the legally authoritative document is the DPA.

Personal data categories handled

| Category | Where | Sensitivity |
|---|---|---|
| Business identification (company name, VAT, address) | Buyer record | Low (not “personal data” under strict GDPR reading for legal entities) |
| Contact person details (name, email, phone) | Buyer contacts sub-resource | Personal |
| Identity documents (ID card, passport, drivers’ license scans) | KYC documents | Special category (biometric / ID) |
| Face picture (iDenfy selfie, Mode B) | KYC documents | Biometric |
| AML declaration / source of funds | KYC documents | Special category |
| IBAN and bank details | Payment, Buyer bank account | Financial |
| Driver identification (transport) | Transport pickup | Personal |
| VIN / vehicle data | Order | Not personal data (vehicle, not person) |

Lawful basis

  • Contract performance — processing buyer identification, documents, and transaction data is necessary to perform the compliance evaluation contracted via the DPA.
  • Legal obligation — VAT compliance evidence (10-year retention in EU member states) overrides erasure in narrowly-defined cases.
  • Legitimate interest — audit logging, fraud detection, platform integrity. Documented in the DPA.
Consent is not the primary basis for platform processing — it would be unworkable in B2B transactions. Explicit consent may be required for specific downstream uses (e.g. marketing — not part of Integration API).

Controller / processor

Novatrade24 is typically a processor for customer data you provide via the Integration API. Your organization is the controller for the data on the buyers you submit. Joint-controller arrangements exist for certain categories — see your DPA.

Data minimization

The API is designed to minimize surface area for personal data:
  • GET /buyers/{id} returns business-level data only. Personal contact details are on a separate /contacts sub-resource.
  • The /contacts sub-resource requires the allowContactPersonalData capability — off by default.
  • KYC document downloads require the allowKycDocumentDownload capability.
  • Fields tolerate omission (Jackson NON_NULL) — integrations that don’t need personal data never see it.

Data subject rights

Access / portability

Customer can export their own data via existing endpoints (GET /buyers/{id}, GET /orders/...). Per DPA, Novatrade24 assists in fulfilling data-subject-access requests that reach either party.

Rectification

Rectification is done via PATCH on the relevant resource (buyer, contact). The change bumps the entity version, and Envers records who changed what.

Erasure

Complicated by overlapping obligations:
  • Data subject requests erasure.
  • Platform has legal retention obligation (VAT: 10 years).
  • Integration customer may have independent retention obligation.
Process:
  1. Request reaches NT24 or customer.
  2. NT24 evaluates retention overrides per DPA.
  3. Non-required freeform fields erased.
  4. Records required by law remain with minimal fields (VAT, amount, date, buyer name for the invoice).
  5. A buyer.erasure_required webhook (Phase 3+) notifies customer to cascade deletion in their own datastore.
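
The customer-side cascade from step 5, combined with the retention override from steps 2 to 4, could look like the following. This is an added example, not Novatrade24 code: the record layout, the field names and the rule that records past their retention period are deleted outright are assumptions.

```python
from datetime import date

RETENTION_YEARS = 10  # VAT retention period stated on the page
# Hypothetical field names for the minimal set the page lists
# (VAT, amount, date, buyer name for the invoice).
REQUIRED = ("vat_id", "amount", "invoice_date", "buyer_name")
KEYS = ("id", "buyer_id", "closed_on")  # bookkeeping keys, also hypothetical


def retention_end(closed_on):
    """Transaction lifetime + 10 years; None means the transaction is still open."""
    if closed_on is None:
        return date.max
    try:
        return closed_on.replace(year=closed_on.year + RETENTION_YEARS)
    except ValueError:
        # Closed on 29 February and the target year has no leap day:
        # retain one day longer rather than one day shorter.
        return date(closed_on.year + RETENTION_YEARS, 3, 1)


def cascade_erasure(records, buyer_id, today):
    """Return (remaining_records, deleted_ids) after erasing one buyer's data."""
    remaining, deleted = [], []
    for rec in records:
        if rec["buyer_id"] != buyer_id:
            remaining.append(rec)  # other buyers are untouched
        elif today >= retention_end(rec["closed_on"]):
            deleted.append(rec["id"])  # retention expired: drop the whole record
        else:
            # Still under legal retention: keep only the minimal fields.
            slim = {k: rec[k] for k in KEYS + REQUIRED if k in rec}
            slim["erased_on"] = today.isoformat()
            remaining.append(slim)
    return remaining, deleted


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"id": "o-1", "buyer_id": "b-7", "closed_on": date(2012, 5, 1),
     "vat_id": "DE000000000", "amount": "1200.00", "invoice_date": "2012-04-20",
     "buyer_name": "Example GmbH", "contact_email": "anna@example.com"},
    {"id": "o-2", "buyer_id": "b-7", "closed_on": date(2020, 2, 29),
     "vat_id": "DE000000000", "amount": "980.00", "invoice_date": "2020-02-27",
     "buyer_name": "Example GmbH", "notes": "call Anna on her mobile"},
    {"id": "o-3", "buyer_id": "b-7", "closed_on": None, "notes": "pickup pending"},
    {"id": "o-4", "buyer_id": "b-9", "closed_on": date(2021, 1, 4), "notes": "n/a"},
]
```

Calling `cascade_erasure(SAMPLE_RECORDS, "b-7", date(2025, 1, 15))` deletes the 2012 order, strips the freeform fields from the two orders still under retention, and leaves the other buyer's record as it was.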

Objection / restriction

Per DPA. The Integration API does not provide a self-service object-to-processing endpoint; route via support.

Retention

| Data | Retention | Notes |
|---|---|---|
| Buyer / order business data | Transaction lifetime + 10 years | EU VAT mandatory |
| KYC documents | Transaction lifetime + 10 years | Legal audit chain |
| Envers audit revisions | Same as source entity | |
| HTTP access logs | 6 years | PII access audit |
| Webhook delivery history | 30 days | Debugging / replay |
| Idempotency-key cache | 24 hours | Replay-safety only |

Encryption

  • TLS 1.2+ enforced on all API endpoints. Older protocols rejected.
  • At-rest disk encryption on databases and object storage.
  • Field-level encryption on bank account numbers and ID document scans (sensitive fields within otherwise plaintext tables).

International transfers

  • All Integration API data stored in Germany (Hetzner Falkenstein).
  • No third-country transfers as part of platform processing.
  • Limited third-party services (Stripe, iDenfy) process some data within the EU under standard contractual clauses and their own DPAs — see the DPA for the current sub-processor list.

Audit trail

  • Every API call logged with caller identity (API client UUID), partner context, endpoint, timing, status, trace id.
  • Hibernate Envers records every entity write with actor attribution (api_client:{uuid} vs user:{uuid}).
  • PII-access events (reads of contact data, KYC document downloads) logged to a separate stream with 6-year retention.
  • Customer can provide X-Purpose header for per-request justification.
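
A periodic review of PII-access events can use the actor attribution format and the X-Purpose justification described above. This is an added example, not the platform's code: the event dictionary keys and the event names are assumptions, and treating a missing purpose as a finding is a local policy choice.

```python
import re
from collections import Counter

# Actor attribution format given on the page: api_client:{uuid} or user:{uuid}.
ACTOR_RE = re.compile(
    r"^(api_client|user):"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)
# Hypothetical event names for the two PII-access kinds the page lists.
PII_EVENTS = {"contact_read", "kyc_document_download"}


def parse_actor(value):
    """Split 'api_client:<uuid>' / 'user:<uuid>' into (kind, uuid), else None."""
    m = ACTOR_RE.match(value.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def review(events):
    """Count PII-access events per actor and list events that need follow-up."""
    per_actor, findings = Counter(), []
    for ev in events:
        if ev["event"] not in PII_EVENTS:
            continue  # not a PII-access event
        actor = parse_actor(ev.get("actor") or "")
        if actor is None:
            findings.append((ev["trace_id"], "actor not attributable"))
            continue
        per_actor[actor] += 1
        if not (ev.get("purpose") or "").strip():
            findings.append((ev["trace_id"], "no X-Purpose justification"))
    return per_actor, findings


# Constructed events; keys and values are illustrative, not the platform's schema.
CLIENT = "api_client:11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"trace_id": "t1", "event": "contact_read", "actor": CLIENT, "purpose": "DSAR-42"},
    {"trace_id": "t2", "event": "kyc_document_download", "actor": CLIENT, "purpose": " "},
    {"trace_id": "t3", "event": "buyer_read", "actor": CLIENT},
    {"trace_id": "t4", "event": "contact_read", "actor": "system"},
    {"trace_id": "t5", "event": "kyc_document_download",
     "actor": "user:AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", "purpose": None},
]
```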

Breach notification

Per DPA — NT24 notifies affected organizations promptly when a security incident meets the classification criteria. Notifications include:
  • Nature, scope, data categories affected.
  • Estimated affected data subjects.
  • Mitigations applied.
  • Recommended customer actions.
GDPR’s 72-hour authority notification deadline applies to NT24 as controller for its own platform data. For processed data, NT24 notifies the customer promptly so the customer (as controller) can meet their own obligation.

Sub-processors

Current sub-processors handling personal data:
  • Hetzner Online GmbH (hosting, Germany)
  • Stripe (payment processing, EU)
  • iDenfy (KYC verification, EU)
Authoritative list in the DPA. Customer is notified before new sub-processors are added.

Reporting a GDPR concern
