PRIVACY POLICY
AND PERSONAL DATA PROTECTION
(GDPR Privacy Policy)
The ARTEMIS Platform — operated by CAI Technology S.R.L.
Version: v1.0 ARTEMIS • Published on: 2026-05-06 • Effective from: 2026-05-06
Reference framework. This Privacy Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation — GDPR), Romanian Law no. 190/2018 implementing the GDPR in Romania, Romanian Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (as subsequently amended), and the guidelines of the European Data Protection Board (EDPB) and of the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
1. Data controller and general information
The personal-data controller, within the meaning of Article 4(7) GDPR, is:
CAI Technology S.R.L.
Registered office: Str. Victor Brauner, bloc 1, sc. 4, ap. 5, sector 3, București, cod poștal 032621, România
Tax identification number: RO50512457 • Trade Registry no.: J2024020380005
Phone: +40 750 292 910
General e-mail: office@caitech.ro
Support e-mail: tehnic@caitech.ro
Person responsible for data protection: dpo@caitech.ro — the Operator has NOT formally appointed a DPO under Article 37 GDPR (the cumulative conditions are not met — see Legal Notice, Section 3, for details). The above address is the dedicated point of contact for exercising data-subject rights (Articles 15–22 GDPR) and for cooperation with ANSPDCP.
1.1. Scope
This Policy applies to all processing of personal data carried out by CAI Technology S.R.L. in connection with the ARTEMIS Platform, accessible at https://artemis.caitech.ro, including the website, mobile apps, ARTEMIS AI agents, support system, commercial communications, and related activities (consulting, LLM50 audit, training).
1.2. GDPR roles
CAI Technology S.R.L. processes personal data in two distinct capacities, which it transparently clarifies:
Controller — for the data of Representatives, Authorized Users, contact persons, site visitors, newsletter subscribers, job applicants, etc., collected to manage the contractual relationship, marketing, security, and fiscal compliance.
Processor — when the Client, as Controller, uploads to the Platform personal data of its own employees, customers, or partners (typically through Questionnaire answers, supporting documents, or queries to ARTEMIS). In this case, the processing is governed by the Data Processing Agreement (DPA) — Annex 1 to this Policy.
2. Categories of data processed
Depending on the way you interact with the Platform, CAI Technology S.R.L. may process the following categories of personal data:
2.1. Identification data of the Client legal person
Tax identification number (CUI/CIF)
Company name
Trade Registry registration number (J__/_/_)
Registered-office address (automatically retrieved from public databases — ANAF, Trade Registry)
NACE code (sector of activity)
Number of employees (estimated — for segmentation and recommendations)
This information is primarily about the legal person; to the extent it refers to professionals who are natural persons, it constitutes personal data.
2.2. Identification data of the Representative and Authorized Users
First name, last name
Position (role within the company)
Professional e-mail address (company or personal address associated with the account)
Phone number (optional)
Authentication data (password — stored only as a hash with bcrypt or Argon2; session tokens; 2FA secret)
2.3. Data about the Client's processes
Questionnaire answers — information on the Client's policies, procedures, technical and organizational controls
Uploaded documents (optional) — policies, procedures, certificates, contracts that the Client chooses to attach
Free-text notes and comments
Important. Insofar as the answers or documents uploaded by the Client contain personal data of other persons (employees, customers, partners of the Client), the Client is the Controller of those data, and CAI Technology S.R.L. acts as Processor; in this case, the relationship is governed by the DPA — Annex 1. Do NOT upload to the Platform special categories of data (Article 9 GDPR — health, political opinions, biometric data, etc.) or data on criminal convictions (Article 10 GDPR), unless there is a specific written agreement with CAI Technology S.R.L.
2.4. Technical and usage data
IP address and approximate geolocation information
Browser type, operating system, device (User-Agent)
Cookie identifiers (see the Cookies Policy)
Authentication logs (timestamp, IP, failed attempts)
Activity logs (actions performed in the Platform)
Aggregate analytics data (pages visited, session duration, conversions)
2.5. Financial data
Billing information (name, CUI, address, bank, IBAN — for invoicing)
Payment tokens generated by PCI-DSS certified processors (full card data is NOT accessible to CAI Technology S.R.L.)
Transaction history and issued invoices
2.6. Data generated by AI systems
Conversations with ARTEMIS (queries, answers, feedback)
Automatic evaluation logs (scores, risk labels, timestamps)
Metadata of prompts and responses (for improvement — in aggregate / anonymized form)
3. Sources of data
Personal data may come from the following sources:
Directly from you — at registration, when filling in forms, when using the Platform, when sending support requests;
Automatically generated — through usage (logs, cookies, IP, risk scores);
From public databases — ANAF, Trade Registry — for CUI verification and pre-filling of the company's identification data;
From authorized third parties — payment processors, SSO providers, technical partners, within the limits of the agreements concluded with them;
From communications — e-mail, phone, chat, contact form.
4. Purposes and bases of processing
CAI Technology S.R.L. processes data exclusively for determined, explicit, and legitimate purposes, on the bases provided by Article 6(1) GDPR. The table below presents, for each purpose, the data used, the legal basis, and the retention period:
| Purpose | Data categories | Basis (Art. 6 GDPR) | Retention |
|---|---|---|---|
| Creating and administering the Account, providing the Services | Company identification, Representative, authentication, Questionnaire answers, reports | Art. 6(1)(b) — contract performance | Active account + 12 months |
| Invoicing, payments, accounting | Identification, financial-fiscal, transactions | Art. 6(1)(c) — legal obligation | 5 years (Romanian Law 82/1991) |
| Technical support and customer relationship | Contact, request content, technical logs | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest | Active account + 12 months |
| Security, fraud and abuse prevention | IP, User-Agent, authentication/activity logs | Art. 6(1)(f) — legitimate interest | 6 months (security logs) |
| Compliance with fiscal and reporting obligations | Billing data, transactions, as applicable RO e-Factura, SAF-T reporting | Art. 6(1)(c) — legal obligation | Per fiscal law |
| Platform improvement (aggregate analysis, debug, development) | Aggregate/anonymized analytics, usage logs | Art. 6(1)(f) — legitimate interest | 26 months (analytics) |
| Training/improving AI models (aggregate, anonymized data) | Aggregate responses, ARTEMIS usage logs, feedback | Art. 6(1)(f) — legitimate interest, subject to opt-out | Max 36 months, annual review |
| Commercial communications (newsletter, offers) | E-mail, name, preferences | Art. 6(1)(a) — consent | Until withdrawal of consent |
| Defense of rights and establishment, exercise, or defense of a right in court | All relevant data | Art. 6(1)(f) — legitimate interest | 3 years from end of contract (general limitation period) |
| Compliance with requests from public authorities | Data requested by competent authorities under a legal basis | Art. 6(1)(c) — legal obligation | Per the applicable legal framework |
Legitimate interest balancing test. For each processing based on legitimate interest, CAI Technology S.R.L. has documented a balancing test (Legitimate Interest Assessment — LIA), assessing necessity, proportionality, and impact on the rights and freedoms of data subjects. A summary of the test is available on request, by e-mail to dpo@caitech.ro.
5. Recipients and subprocessors
To provide the Services, CAI Technology S.R.L. discloses data, or allows access to it, to the following categories of recipients, on the basis of a contract and with appropriate guarantees:
5.1. GDPR subprocessors (Art. 28)
CAI Technology S.R.L. uses a limited number of certified subprocessors. The up-to-date list is available in Annex 2 — "Subprocessors List", an integral part of this Policy. Changes to the list are notified to Clients at least 30 days in advance, in accordance with the DPA.
5.2. Main categories of subprocessors
Cloud hosting and infrastructure providers (servers, databases, backups) — selection certified ISO/IEC 27001;
Payment processors (card-payment management, PCI-DSS Level 1 certified);
Transactional e-mail provider (notifications, password recovery, Report delivery);
E-mail marketing provider (consent-based only);
Web analytics provider (typically with IP anonymized);
Help-desk and ticketing provider (technical support);
AI model / LLM API provider used by ARTEMIS (see Annex 2 for details);
Accounting, tax, legal consultants and auditors (where they have access to data).
5.3. Public authorities and legal obligations
CAI Technology S.R.L. may disclose data to public authorities when such an obligation arises from law or from an officially substantiated request, for example to:
ANSPDCP (Romanian National Supervisory Authority for Personal Data Processing);
Tax authorities (ANAF — including via the e-Factura, SAF-T systems);
Criminal investigation bodies or courts, under a legal request;
CERT-RO / DNSC (Romanian National Cybersecurity Directorate), for notification of security incidents, where the law so requires.
5.4. International transfers
Data is hosted, as a rule, on servers located in the European Economic Area (EEA). Where a subprocessor is located outside the EEA, CAI Technology S.R.L. ensures that the transfer benefits from an appropriate mechanism under Chapter V of the GDPR:
European Commission adequacy decision (Article 45 GDPR), where one exists;
Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914;
Binding Corporate Rules (BCRs), where applicable;
Certifications such as the EU-US Data Privacy Framework (within the limits of applicability, following Decision (EU) 2023/1795);
Transfer Impact Assessment (TIA) prior to relevant transfers.
6. Retention periods
CAI Technology S.R.L. keeps personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with a legal obligation, in accordance with the following table:
| Data category | Retention period |
|---|---|
| Account data (CUI, identity, authentication) | For the duration of the Account + 12 months from closure |
| Questionnaire answers and generated Reports | For the duration of the Account + 12 months from closure |
| Financial-accounting documents, invoices, accounting records | 5 years from 1 July of the year following the close of the financial year (Article 25 of Romanian Accounting Law no. 82/1991, as amended by Law no. 36/2023) |
| Security logs (authentication, activity) | Maximum 6 months |
| Error and debug logs | Maximum 90 days |
| Aggregate / anonymized analytics data | Maximum 26 months |
| Conversations with ARTEMIS | 12 months — in identifiable form; subsequently, anonymized or deleted |
| Non-essential cookies | Per the table in the Cookies Policy (typically: 30 days – 13 months) |
| Marketing consent — if withdrawn | The address is removed from active lists and kept in a "suppression" list to prevent further contact |
| Data requested by authorities / related to disputes | For the duration of the dispute + general limitation period of 3 years (Article 2517 Romanian Civil Code) |
Upon expiry of the periods, data is definitively deleted or irreversibly anonymized, so the data subject can no longer be identified directly or indirectly.
7. Data subjects' rights
Under the GDPR, data subjects have the following rights, which they may exercise free of charge (except for manifestly unfounded or excessive requests — Article 12(5) GDPR):
7.1. Right of access (Art. 15 GDPR)
You have the right to obtain confirmation that we process your data and a copy of it, with information on: processing purposes, data categories, recipients, storage period, source of the data (if not provided by you), the existence of the right to rectification/erasure/restriction/objection and of the right to lodge a complaint.
7.2. Right to rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate data or the completion of incomplete data. Many fields can be updated directly from the "Account Settings" section.
7.3. Right to erasure — "right to be forgotten" (Art. 17 GDPR)
You have the right to request erasure of data in the cases provided by Article 17(1) GDPR (data is no longer necessary; you withdraw consent; you successfully object to processing; processing is unlawful, etc.). The exceptions provided by Article 17(3) GDPR remain applicable, in particular for the fulfillment of a legal obligation (e.g., retention of financial-accounting documents for 5 years).
7.4. Right to restriction of processing (Art. 18 GDPR)
You have the right to request restriction of processing (the equivalent of "freezing" the data) in the cases provided by Article 18(1) GDPR — for example, during the verification of a challenge to data accuracy, where processing is unlawful but you do not want erasure, or for the exercise/defense of a right in court.
7.5. Right to data portability (Art. 20 GDPR)
For data provided by you and processed on the basis of consent or contract, by automated means, you have the right to receive the data in a structured, commonly used and machine-readable format (JSON, CSV, XML), and to transmit it to another controller. The "Export Data" feature is available in the "Account Settings" section.
7.6. Right to object (Art. 21 GDPR)
You have the right to object, at any time and without specific reasons, to processing for direct marketing (Article 21(2) GDPR) and, for reasons relating to your particular situation, to processing based on legitimate interest (Article 21(1) GDPR).
7.7. Right not to be subject to automated decisions (Art. 22 GDPR)
The Platform uses automated algorithms to calculate scores and risks, but these do NOT produce legal effects on you and do NOT significantly affect you within the meaning of Article 22(1) GDPR. You nevertheless have the right to request human intervention, to express your point of view, and to challenge the decision, by e-mail to dpo@caitech.ro.
7.8. Right to withdraw consent (Art. 7(3) GDPR)
Where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal. For the newsletter, consent is withdrawn via the "Unsubscribe" link in e-mails or from Account settings.
7.9. Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with the competent supervisory authority, without prejudice to any other administrative or judicial remedies.
ANSPDCP — Romanian National Supervisory Authority for Personal Data Processing
Address: Bd. Gen. Gheorghe Magheru no. 28-30, sector 1, postal code 010336, Bucharest
Phone: +40 318 059 211 / +40 318 059 212 • Fax: +40 318 059 602
E-mail: anspdcp@dataprotection.ro • Website: www.dataprotection.ro
We encourage you to contact us first at dpo@caitech.ro to attempt an amicable resolution. The response time for GDPR requests is a maximum of 30 days, which may be extended by a further 60 days for complex or numerous requests, with the data subject being informed.
7.10. How to exercise the rights
The request may be made: (i) by e-mail to dpo@caitech.ro; (ii) via the dedicated form in the Platform; (iii) by letter to the registered office of CAI Technology S.R.L. The request must include identification of the requester (to avoid fraud) and clearly describe the right being exercised.
8. Technical and organizational security measures
CAI Technology S.R.L. implements appropriate technical and organizational measures to ensure a level of security commensurate with the risk (Article 32 GDPR), including:
8.1. Technical measures
Encryption in transit with TLS 1.2+ (TLS 1.3 preferred)
Encryption at rest of data (typically AES-256)
Secure password hashes (bcrypt or Argon2)
Multi-factor authentication option (MFA/2FA)
Firewall, IDS/IPS, network segmentation
Patch management and server hardening
Encrypted backups and geographic redundancy
Centralized logging and monitoring of security events (SIEM)
Automated retention policies and secure deletion
8.2. Organizational measures
Strict access on the "need-to-know" principle, with logging
Internal policies aligned with ISO/IEC 27001:2022
Confidentiality agreements (NDAs) with personnel and collaborators
Periodic training on GDPR, security, and the AI Act for all personnel
Incident response (IR) plan and breach runbooks
Annual internal audits and third-party penetration testing
Impact assessments (DPIA) for high-risk processing
8.3. Notification of security breaches
In case of a security breach involving personal data, CAI Technology S.R.L.:
notifies ANSPDCP without undue delay and, in any case, within 72 hours of becoming aware (Article 33 GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
informs the data subjects without undue delay where the breach is likely to result in a high risk (Article 34 GDPR);
informs the Controller-Client within 24 hours where the breach concerns data processed as Processor (DPA — Annex 1);
documents the incident in the Internal Incident Register (Article 33(5) GDPR).
9. Cookies and similar technologies
The Platform uses cookies and similar technologies in the following categories:
| Category | Purpose | Basis | Duration |
|---|---|---|---|
| Strictly necessary | Authentication, security, session, anti-CSRF, load balancing | Art. 6(1)(b) GDPR + Art. 4(5) of Law 506/2004 — exempt from consent | Session – 12 months |
| Functional | Language, preferences, cookie consent | Consent | Up to 12 months |
| Analytics | Usage statistics, optimization | Consent | Up to 13 months |
| Marketing / advertising | Personalization of promotional content | Consent | Up to 13 months |
The detailed list of cookies and management of preferences are available in the Cookies Policy and via the "Cookie Settings" panel in the Platform, in accordance with the 2024 ANSPDCP Guidelines on the use of cookies.
10. Marketing communications
Commercial communications (newsletter, presentations, webinars, upgrade offers) are sent EXCLUSIVELY on the basis of the recipient's express consent, expressed by ticking an explicit box, in accordance with Article 6(1)(a) GDPR and Article 12 of Romanian Law no. 506/2004 on electronic communications.
Soft opt-in exception: for existing customers, communications about products/services similar to those contracted may be sent based on legitimate interest, with the possibility of free opt-out, in accordance with Article 12(2) of Romanian Law no. 506/2004.
11. Minors
The Platform is aimed at companies and professional users. Where the Client is a Consumer (natural person), access is allowed only to persons of legal age (18+). CAI Technology S.R.L. does not knowingly collect data from minors. If we become aware of processing of a minor's data without a legal basis, we delete it promptly.
12. Changes to the Policy
CAI Technology S.R.L. may update this Policy to reflect legislative changes, ANSPDCP/EDPB guidelines, changes to Services or subprocessors. Substantial changes are communicated at least 30 days in advance, by e-mail to the registered address and via in-Platform notification. The "Last updated" date and version number are updated at each revision. Previous versions are archived and available on request.
13. Contact details
CAI Technology S.R.L.
Registered office: Str. Victor Brauner, bloc 1, sc. 4, ap. 5, sector 3, București, cod poștal 032621, România
Bucharest office: (not applicable — see address above)
Timișoara office: Str. Victor Brauner, bloc 1, sc. 4, ap. 5, sector 3, București, cod poștal 032621, România
Phone: +40 750 292 910
Data Protection Officer (DPO): dpo@caitech.ro
General e-mail: office@caitech.ro
Support: tehnic@caitech.ro
Sales: sales@caitech.ro
Hours: Monday–Friday, 09:00–18:00 (Romania time)
ANNEX 1
Data Processing Agreement
Applicability. This Annex constitutes the Data Processing Agreement (the "DPA") concluded under Article 28 GDPR between the Client (as Controller) and CAI Technology S.R.L. (as Processor), for all processing of personal data carried out by CAI Technology S.R.L. on behalf of the Client through the ARTEMIS Platform. The DPA applies automatically as soon as the Client uploads to the Platform personal data of other persons (Client's employees, customers, or partners). If the Client needs a separately signed version, it may request one at dpo@caitech.ro.
A1.1. Subject of the DPA and description of the processing
The Processor processes personal data exclusively in the name and according to the documented instructions of the Controller, for the purpose of providing the Services described in the Terms.
A1.1.1. Subject of the processing
Provision of the ARTEMIS Platform — SaaS tool for assessing compliance with European and national regulatory frameworks, including: storage of Questionnaire answers, generation of Reports, the ARTEMIS conversational assistant, technical assistance.
A1.1.2. Duration of the processing
For the duration of the contract between the Client and CAI Technology S.R.L., plus the retention periods set out in the Policy (Section 6).
A1.1.3. Nature and purpose of the processing
Collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure by transmission to subprocessors, restriction, erasure — for the purpose of providing the Services.
A1.1.4. Categories of data subjects
Representatives and Authorized Users of the Client (employees, collaborators)
Data subjects whose data is uploaded by the Client in Questionnaires/documents (typically, the Client's employees, customers, or partners)
A1.1.5. Categories of personal data
Identification data (first name, last name, position)
Contact data (professional e-mail, phone)
Data on the Client's processes (where they contain identifiable references to persons)
Technical data (IP, logs) — for Representatives/Authorized Users
The following are NOT processed: special categories of data (Article 9 GDPR) or data on criminal convictions (Article 10 GDPR), unless under a specific written agreement with CAI Technology S.R.L. and with appropriate additional measures.
A1.2. Obligations of the Processor (CAI Technology S.R.L.)
The Processor undertakes to:
process the data only on the documented instructions of the Controller, including with regard to international transfers, save where required by Union or national law; in the latter case, it shall inform the Controller of the legal requirement, unless the law prohibits such information;
ensure that persons authorized to process the data have committed to confidentiality or are under a statutory obligation of confidentiality;
take all measures required under Article 32 GDPR (Annex A1.6 — Technical and organizational measures);
comply with the conditions for engaging another subprocessor (Section A1.4);
assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to data-subject requests (Articles 12–22 GDPR);
assist the Controller in ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
at the Controller's choice, delete or return all data after the end of the Services and delete existing copies, unless Union or national law requires retention;
make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR and allow audits, within the limits of Section A1.7.
A1.3. Obligations of the Controller (the Client)
The Controller undertakes to:
process the data in compliance with the GDPR, particularly as regards identifying a legal basis, informing data subjects, and managing consent;
give documented, lawful, and GDPR-compliant instructions;
not upload special categories of data (Article 9) or data on criminal convictions (Article 10) without prior written agreement;
keep up-to-date the contact channels for notifications of incidents or changes to subprocessors.
A1.4. Subprocessors
The Controller expressly authorizes the Processor to engage the subprocessors set out in Annex 2 — "Subprocessors List". The Processor may add or replace subprocessors, with the following safeguards:
notify the Controller at least 30 days before engaging a new subprocessor;
the Controller may raise reasoned objections, in writing; failing a solution, the Controller may terminate the contract with proportional refund of the unused period;
the Processor imposes on subprocessors obligations at least equivalent to those in the DPA, by written contract;
the Processor remains fully liable for the acts of subprocessors.
A1.5. International transfers
Where processing involves transferring data outside the EEA, the transfer is carried out exclusively on the basis of a mechanism provided by Chapter V GDPR (adequacy decision, Standard Contractual Clauses 2021/914, BCRs), accompanied, where applicable, by a Transfer Impact Assessment and additional measures (encryption, pseudonymization, access restriction).
A1.6. Technical and organizational measures (Art. 32 GDPR)
The Processor implements at least the measures described in Section 8 of the Policy, including:
encryption in transit (TLS 1.2+) and at rest (AES-256);
role-based access control (RBAC) and the "need-to-know" principle;
multi-factor authentication for privileged accesses;
continuous monitoring (SIEM), alerting, and incident response;
encrypted backups, geographic redundancy, disaster-recovery plans;
annual internal audits and external pentest;
documented policies, procedures, and training, aligned with ISO/IEC 27001:2022.
A1.7. Audit and assistance
The Processor makes available to the Controller, on request, reasonable evidence of compliance (third-party audit reports, certifications, descriptions of TOM measures). The Controller may carry out, annually, an on-site audit, with 30 days' prior notice, during working hours and without disrupting operations; exceptional audits are allowed ad hoc, in case of a confirmed breach or a request from an authority. Audit costs are borne by the Controller, except in cases of documented non-compliance.
A1.8. Breach notification
The Processor notifies the Controller without undue delay and, in any case, within 24 hours of becoming aware of a breach involving data processed on behalf of the Controller. The notification includes: description of the nature of the incident, categories and approximate number of persons affected, measures taken, DPO contact details.
A1.9. Return or deletion of data
Upon termination of the Services, at the Controller's choice, the Processor returns the data in structured format (JSON/CSV) or irreversibly deletes it within 30 days, with issuance of a deletion certificate on request. The Processor may retain data for the period required by legal obligations (e.g., financial-accounting records).
A1.10. Liability
The parties' liability towards data subjects and for administrative sanctions is established under Article 82 GDPR. Reciprocal liability between the Controller and the Processor is governed by the Terms and this DPA, with the mention that the mandatory provisions of Article 82 GDPR prevail.
ANNEX 2
Subprocessors List
Note on completion. The list below is the template form; the categories are those actually used by CAI Technology S.R.L. The exact subprocessor names, jurisdictions, and transfer mechanisms (adequacy decision, Standard Contractual Clauses, certifications) must be completed before publication. The Controller may request the updated version at any time at dpo@caitech.ro.
| Category | Subprocessor | Location / Jurisdiction | Transfer mechanism / Safeguards |
|---|---|---|---|
| Hosting & cloud infrastructure | — | — | — |
| Transactional e-mail | — | — | — |
| Payment processing | — | — | — |
| E-mail marketing | — | — | — |
| Web analytics | — | — | — |
| Help-desk and ticketing | — | — | — |
| AI models / LLM API | — | — | — |
| Monitoring and logging (APM) | — | — | — |
| E-Factura / SAF-T | ANAF — National RO e-Factura System | Romania | Legal obligation — Article 6(1)(c) GDPR |
| CUI verification / Trade Registry | ANAF / National Trade Registry Office | Romania | Official public source |
| Accounting / tax services | — | Romania | Processing agreement + professional confidentiality obligation |
| SSO / federated authentication | CAI-AUTH (operator —) | — | — |
The updated list is available on request and on the dedicated page in the Platform. Changes are notified to Clients at least 30 days before the new subprocessor is effectively engaged, in accordance with Section A1.4.
GDPR compliance statement. CAI Technology S.R.L. undertakes to fully comply with Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018, Romanian Law no. 506/2004 on electronic communications, and the EDPB and ANSPDCP guidelines. This Policy, together with Annex 1 (DPA) and Annex 2 (Subprocessors List), is an integral part of the Terms and Conditions of the ARTEMIS platform.