MiceX: agentic exchange for MICE event travel
Trust & compliance

Built to be reviewed by the procurement team that reads everything.

MiceX treats compliance as a product property, not a quarterly audit panic. This page is the start of the answer to your security questionnaire — not the end.

DPDP Act readiness

India's Digital Personal Data Protection Act, 2023 sets the rules for how personal data of Indian data principals is processed. MiceX is built around those rules from day one — not retrofitted.

Operationally, that means data residency for Indian delegates inside India, consent that is captured granularly and tied to the version of the terms in force at capture time, and a named Data Protection Officer reachable by email.

  • Data residency — Indian delegate personal data is stored on infrastructure provisioned in Indian regions.
  • Granular consent — separate essential, analytics, and marketing consent, captured per session, mirrored in a first-party cookie and a durable record.
  • DPO contact — dpo@micex.ai, with a defined response SLA on rights requests.
  • Right to erasure — exposed via /api/data-rights/delete, gated by an email-confirmation flow.

GDPR alignment

MiceX serves European data subjects via the InScotia UK entity, which is the data controller for those interactions. We operate to the GDPR's lawful basis matrix — every processing operation has an identified lawful basis, and that basis is documented per process.

Standard Contractual Clauses are available for transfers where required, and a DPA template is offered to enterprise customers as part of the standard contracting flow.

  • EU data residency — EU data subjects' personal data stored in EU regions; email transactional traffic routed via Resend's EU region.
  • Lawful basis matrix — documented per processing activity; published to enterprise customers under NDA.
  • Cross-border transfers — SCCs in place where required.
  • Subject rights — access, rectification, erasure, portability, objection — operationalised via /api/data-rights/* endpoints.

PCI-DSS scope minimisation

MiceX does not store, process, or transmit primary account numbers. Card data is captured directly by our payment processor's hosted fields and never touches MiceX infrastructure. That puts us on the SAQ-A path — the lightest scope under PCI-DSS — and keeps it that way.

Settlement to vendors uses bank transfer or established payout rails; we never see card-on-file data. The point isn't certification theatre; it's keeping the surface area small enough that the certification we eventually pursue is genuinely meaningful.

Audit trail

Every booking, every agent decision, every override is recorded in an append-only ledger with cryptographic integrity. The ledger is exportable in formats enterprise auditors actually use, and it captures enough context that a year-from-now reviewer can reconstruct why a decision was made.

The audit trail is not optional and not bypassable. The compliance agent sits in front of every commit; the ledger writes happen as part of the same transaction as the booking itself.
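An added illustration of the design described above, not MiceX's own code: a SQLite ledger in which each entry's hash covers the previous entry's hash, and the booking row and its ledger row commit in one transaction or not at all. The table layout, column names and SHA-256 chaining are assumptions for the example.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # chain anchor for the first entry (assumed convention)


def open_db():
    """In-memory schema for the example; a real deployment would use a durable store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, payload TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE ledger (seq INTEGER PRIMARY KEY, booking_id INTEGER NOT NULL,"
        " actor TEXT NOT NULL, action TEXT NOT NULL,"
        " reason TEXT NOT NULL CHECK (length(reason) > 0),"  # no entry without a recorded reason
        " prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL)"
    )
    return conn


def _entry_hash(prev_hash, booking_id, actor, action, reason):
    # Canonical JSON so the hash does not depend on whitespace or field order.
    material = json.dumps([prev_hash, booking_id, actor, action, reason], separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def commit_booking(conn, payload, actor, action, reason):
    """Insert the booking and its ledger entry in a single transaction; returns the booking id."""
    with conn:  # commits on success, rolls back everything (booking included) on any error
        cur = conn.execute("INSERT INTO bookings (payload) VALUES (?)", (json.dumps(payload),))
        booking_id = cur.lastrowid
        row = conn.execute("SELECT entry_hash FROM ledger ORDER BY seq DESC LIMIT 1").fetchone()
        prev_hash = row[0] if row else GENESIS
        entry_hash = _entry_hash(prev_hash, booking_id, actor, action, reason)
        conn.execute(
            "INSERT INTO ledger (booking_id, actor, action, reason, prev_hash, entry_hash)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (booking_id, actor, action, reason, prev_hash, entry_hash),
        )
    return booking_id


def verify_ledger(conn):
    """Recompute the chain from GENESIS; returns (True, None) or (False, first bad seq)."""
    expected_prev = GENESIS
    query = "SELECT seq, booking_id, actor, action, reason, prev_hash, entry_hash FROM ledger ORDER BY seq"
    for seq, booking_id, actor, action, reason, prev_hash, entry_hash in conn.execute(query):
        if prev_hash != expected_prev or _entry_hash(prev_hash, booking_id, actor, action, reason) != entry_hash:
            return False, seq  # edited, reordered or deleted entry breaks the chain here
        expected_prev = entry_hash
    return True, None
```

Editing or deleting an entry in the middle is caught by the recomputation; silently dropping the newest entries is not, so the latest entry hash should also be anchored somewhere the database writer cannot reach (an external log or signed checkpoint).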

Sub-processors

We maintain a public, machine-readable list of sub-processors at /trust/sub-processors.json. The list will be populated before general availability and updated with at least thirty days' notice for material changes.

Status — to be published before GA