Privacy, retention, and residency
Data-processing roles, retention periods, residency, subprocessors, rights requests, and production evidence.
Privacy, retention, and residency
MyStocks and each partner document their controller/processor roles in the executed Data Processing Addendum (DPA). The API contract does not itself promise a particular legal role or storage location. Before production access, the signed order form and DPA must identify the approved Google Cloud region, permitted transfers, security contacts, and deletion schedule.
Operational retention
| Record | Default retention | Purpose |
|---|---|---|
| Idempotency responses | 24 hours | Safe request replay |
| Webhook delivery logs | 90 days | Delivery reconciliation and dispute support |
| Partner API audit events | 365 days | Security and compliance investigation |
| SLA measurements | 90 days | Availability reporting |
Customer, KYC, order, settlement, and financial records follow the executed DPA and applicable financial-record obligations. Contractual or legal holds override routine deletion. Sandbox data is synthetic and must not contain real personal data.
Evidence required for production
Production certification requires an executed DPA, an approved residency/transfer record, named privacy and security contacts, a tested rights-request workflow, and links to evidence for every partner-owned certification check. MyStocks-owned checks cannot be self-approved by a partner.
The current template and subprocessor register are maintained in the repository under docs/legal/. Partners receive the executed versions through the onboarding process. Material subprocessor changes are communicated to the contractual contact under the notice period in the DPA.
Privacy or data-subject requests: privacy@mystocks.africa. Security incidents: security@mystocks.africa. SLA escalation: sla@mystocks.africa.
Was this page useful?
Your signal helps us tighten partner onboarding docs.
Last updated on