This Privacy Policy applies to all personal data processed by SİNAM CSP in connection with:

• Certificate application, issuance, and delivery

• Identity verification and registration activities

• Certificate lifecycle management, including renewal, suspension, and revocation

• Operation and security of trust services

• Compliance with legal, regulatory, contractual, and audit obligations

This policy applies to:

• Certificate Applicants and Subscribers

• Authorized Representatives

• Registration Authorities operating under SİNAM CSP

• Relying Parties, where applicable

For the purposes of this Privacy Policy:

• Certification Authority (CA): An entity responsible for issuing, managing, revoking, and maintaining digital certificates.

• Subscriber: A natural or legal person to whom a certificate is issued.

• Personal Data: Any information relating to an identified or identifiable natural person.

• Relying Party: An entity that relies on a digital certificate or trust service.

Depending on the type of certificate or trust service, SİNAM CSP may collect and process the following categories of personal data:

• Full name

• Date and place of birth

• National identification number or passport number

• Residential or business address

• Phone number and email address

• Organizational affiliation and job title

• Identity verification data and supporting documentation

• Biometric data, where required by applicable law

• Certificate-related technical data, including public keys and certificate serial numbers

• IP addresses, access logs, audit trails, and transaction records

Personal data shall be processed strictly on a need-to-know basis and solely for purposes directly related to the provision of certification and trust services, including:

• Reliable identification and authentication of certificate applicants

• Secure issuance, renewal, suspension, and revocation of certificates

• Protection of CA systems, infrastructure, and cryptographic assets

• Prevention, detection, and investigation of fraud or security incidents

• Compliance with Certification Policy (CP), Certification Practice Statement (CPS), and internal policies

• Fulfillment of legal, regulatory, and reporting obligations

SİNAM CSP processes personal data based on one or more of the following legal grounds:

• Compliance with applicable legal and regulatory obligations

• Performance of contractual or pre-contractual obligations

• Explicit consent of the data subject, where required by law

• Legitimate interests related to the secure and reliable provision of trust services

SİNAM CSP shall retain personal and certificate-related data only for periods defined by:

• Applicable laws and regulations

• Certification Policy (CP) and Certification Practice Statement (CPS)

• Internal retention schedules and compliance requirements

Unless otherwise required by law, certificate-related records shall be retained for a minimum of three (3) years and up to five (5) years following certificate expiration or revocation.

SİNAM CSP shall implement, maintain, and enforce documented technical, organizational, and physical security controls, including but not limited to:

• Cryptographic protection of data at rest and in transit

• Use of Hardware Security Modules (HSMs) for cryptographic key protection

• Role-based access control and least-privilege principles

• Segregation of duties between trusted roles

• Secure facilities and restricted access zones

• Continuous logging, monitoring, and audit trail retention

• Periodic security risk assessments and control effectiveness reviews

Access to personal data is restricted to authorized personnel only.

Personal data shall not be disclosed except under the following circumstances:

• Disclosure is necessary for the provision of certification services

• Disclosure to Registration Authorities operating under SİNAM CSP’s CPS

• Disclosure to auditors, supervisory authorities, or accreditation bodies

• Disclosure is required by applicable law or court order

SİNAM CSP does not sell, rent, or use personal data for marketing, profiling, or commercial purposes.

Where personal data is transferred outside the country of collection, SİNAM CSP shall ensure that:

• Transfers comply with applicable data protection laws

• Appropriate contractual, organizational, and technical safeguards are implemented

• An equivalent level of data protection is maintained

Subject to applicable law, data subjects may have the right to:

• Access their personal data

• Request correction or update of inaccurate or incomplete data

• Request deletion or anonymization, where legally permitted

• Restrict or object to processing

• Withdraw consent, where processing is based on consent

Requests may be submitted using the contact details provided below.

SİNAM CSP shall maintain documented incident and breach response procedures.

In the event of a personal data breach, SİNAM CSP shall:

• Identify, contain, and remediate the incident without undue delay

• Assess potential impact on data subjects and trust services

• Notify relevant supervisory authorities where legally required

• Inform affected data subjects in accordance with applicable legal requirements

SİNAM CSP reserves the right to amend this Privacy Policy at any time.

Any changes shall be published on the official website of SİNAM CSP and, where required, communicated to affected parties.

SİNAM CSP

Address: Address: 68, B. Vakhabzadeh Str., AZ1141, Baku, Azerbaijan

Email: csp@sinam.net

Phone: +994 12 510 11 00