Data Processing & GDPR Information
Version 1.0 · Last updated: 24 June 2026
This page summarises how data protection roles and obligations apply to the Sternexus platform. It complements our Privacy Policy and is intended to help business customers understand processing relationships.
Sternexus is a financial technology platform operated by Sterling Quantum SL. Sternexus is not a bank, electronic money institution, payment institution or investment adviser, and does not hold client funds. Regulated financial services are provided by authorised partner institutions where applicable.
1. Controller and processor roles
Sterling Quantum SL is the controller for personal data it determines the purposes and means of processing (for example, website visitors and account administration). Where Sterling Quantum SLprocesses personal data on behalf of a corporate customer under that customer’s instructions, Sterling Quantum SL acts as a processor, and a data-processing agreement governs that relationship. Authorised partner institutions performing regulated onboarding or payments may act as independent controllers for the data they process under their own licences.
2. Hybrid onboarding model
Under our hybrid model, Sterling Quantum SL may collect business onboarding, KYB information, corporate documentation, ownership information and compliance evidence, while regulated KYC and payment onboarding may be performed by authorised partner institutions. The applicable controller/processor roles depend on who determines the purposes of the processing in each case, and we will identify the relevant partner where applicable.
3. Processing principles
- lawfulness, fairness and transparency;
- purpose limitation and data minimisation;
- accuracy and storage limitation;
- integrity, confidentiality and accountability.
4. Sub-processors
We use vetted sub-processors to deliver the service, each bound by a written agreement with appropriate safeguards. We do not name providers that are not actually active.
Currently active
- Microsoft Azure — cloud hosting infrastructure (primary region: EU).
Future categories (activated as services go live)
- Identity verification providers
- Regulated financial partners
- Analytics providers (only if enabled, and subject to consent)
- Customer relationship management (CRM) providers
- Customer support providers
- Security monitoring providers
A current list of material sub-processors will be maintained and updated as services are activated.
5. Hosting and international transfers
Primary hosting is on Microsoft Azure in the EU region. Where processing occurs outside the EEA/UK via approved sub-processors, we rely on appropriate transfer mechanisms: adequacy decisions, Standard Contractual Clauses (with the UK Addendum where relevant) and any supplementary measures required.
6. Security measures
We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls and least-privilege, audit logging, separation of public and internal services, monitoring, and incident response. Compliance-critical actions are subject to human approval.
7. AI and automated processing
AI features assist with analysis, organisation, extraction and risk review of documents, transaction information, compliance evidence and corporate information. AI does not make final compliance decisions; outputs are decision-support only and remain subject to human review and applicable partner requirements. We assess data protection risks of new features, including via data protection impact assessments where required.
8. Data subject requests and breaches
Data subjects can exercise their rights as set out in our Privacy Policy by contacting privacy@sternexus.com. Where Sterling Quantum SL acts as a processor, we will assist the controller in responding to requests and in meeting breach-notification obligations. We maintain procedures to detect, investigate and, where required, notify personal-data breaches to the competent supervisory authority and affected individuals within applicable timeframes.
9. Data protection contact
No Data Protection Officer is currently appointed. Until one is appointed, data-protection matters are handled by our privacy contact: privacy@sternexus.com. Supervisory authority for Spain: the Agencia Española de Protección de Datos (AEPD).
Versioning & changes
This document is version 1.0, last updated 24 June 2026. We may update it from time to time. When we do, we will revise the version number and date shown above, and for material changes we will provide additional notice where appropriate. Your continued use after changes take effect constitutes acceptance.