// Trust & Security Report
Nayax Ltd. (operating Syte product line)
AI-powered product discovery platform for apparel ecommerce; includes Visual Search, AI Tagging and Merchandising, Hyper-Personalization, and product recommendation engines
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on syte.ai“Syte publishes a formal Data Protection Addendum (DPA) covering EU GDPR, UK GDPR, and CPRA. DPA designates Nayax as Processor and customer as Controller for end-user data: 'Customer shall be regarded as the Controller of End-User Data, and NAYAX shall be regarded and is acting as a Processor of the End-User Data on behalf of the Customer.' Syte's privacy policy (separate on-domain page) additionally documents 'EU Commission-approved Standard Contractual Clauses (SCC) with supplementary measures' for EU/non-EU transfers and names Prighter Group (Dublin) as EU representative and Prighter Ltd (London) as UK representative; these SCC/representative details are not stated in the DPA itself.”
Verify on syte.ai“DPA explicitly covers CPRA (California Privacy Rights Act). 'The term Business, Business Purpose, Consumer, California Consumer, Service Provider and Sell or Sale shall have the meaning ascribed to them in the CPRA.' DPA states 'NAYAX does not receive or process any Personal Data in consideration for the Services' and sharing is not a Sale under CPRA.”
> Show 7 unconfirmed / not-held certifications
source: nayax.comNayax API Suite page states 'we are SOC 2, PCI DSS and ISO 27001 certified' but this claim is scoped to the Nayax API Suite (payment product). No public SOC 2 scope letter or report confirms coverage of the Syte product discovery platform. Scope of coverage for Syte services is unconfirmed.
source: nayax.comNayax Ltd. holds ISO/IEC 27001:2022 (Cert No. I32902, valid until 24.01.2029, issued 25.12.2025 by IQC). However, the certified scope is explicitly limited to 'Information security management of IT operation related to cashless management and payment platform'. The Syte visual search and AI product discovery platform is NOT within the stated ISO 27001 scope. This is a parent-company cert for a different product line.
source: syte.aiNo mention of HIPAA in any Syte or Nayax documentation reviewed. Syte is an ecommerce product discovery platform and is not positioned as a healthcare product. No public evidence of HIPAA compliance or BAA availability.
source: nayax.comNayax Ltd. holds PCI DSS v4.0.1 (valid as of June 30, 2025) but this applies to Nayax's payment processing and cashless management platform, not to the Syte product discovery and visual search platform. Syte does not handle payment card data.
source: syte.aiNo public evidence of ISO 42001 certification or pursuit for the Syte AI platform.
source: syte.aiNo public evidence of CSA STAR registration or certification for Syte or Nayax.
source: syte.aiNo public evidence of FedRAMP authorization. Syte is a commercial ecommerce platform not targeting US government customers.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not specified for Syte-specific workloads. Sub-processors include US-based services (AWS, Salesforce, Google Drive, Zoom, DocuSign) and Israel-based services (Monday.com). EU/UK data transfers use SCCs.
Syte's Terms & Conditions permit Nayax to collect 'aggregated, anonymized data derived from the use of the Services, including metadata, performance data, and usage patterns' (called Service Data) to 'operate, improve, and develop the Services and Nayax's other products and services'. This data is explicitly stated to be aggregated and anonymized and 'does not identify Client or any individual'. The Syte homepage states the platform is 'Trained on billions of apparel shopper interactions' but this appears to refer to the pre-built AI model, not ongoing training on individual customer data. No explicit opt-out mechanism for Service Data use is documented, and the distinction between historical model training data and ongoing customer data use is not clearly articulated. This ambiguity warrants a flag.
// Security controls
Encryption at rest
High-security data center storage mentioned; specific at-rest encryption standard not stated
syte.aiAccess controls
Role-based authorization policies; 2FA available for Customer Account platform access
syte.aiSecurity audits
External audits for security review referenced in privacy policy; no audit cadence or auditor named
syte.aiBreach notification
DPA commits to written notification of data breaches affecting Customer Personal Data or End-User Data as required by applicable law
syte.aiEmployee training
Employees committed to confidentiality and privacy obligations; GDPR and CCPA compliance training referenced
syte.aiSub-processor management
DPA grants express authorization for Sub-Processors with a maintained list; customers notified of changes with right to object
syte.ai// Products & data scope
data: End-user behavioral data, pseudonymized user IDs, product catalog images, interaction events
Includes Image Search, Inspiration Gallery, and multiple Visual Recommendation Engines. Integrates into ecommerce websites via the Syte platform.
data: Client product catalog data (images, metadata); no personal end-user data in tagging workflow
AI Deep Tags, Deep Tag Analytics, Thematic Tags, AI Tag Editor. Operates on retailer-supplied product data.
data: End-user behavioral signals, purchase history, interaction patterns (pseudonymized)
Uses AI to deliver personalized product recommendations. Data is processed as per DPA with Nayax acting as Processor.
// What to watch
- CERT-SCOPE MISMATCH: Nayax's ISO/IEC 27001:2022 (Cert No. I32902) explicitly scopes to 'cashless management and payment platform' only. It does NOT cover the Syte visual search and AI product discovery platform. Listing Nayax's ISO 27001 as a Syte cert would be an identity-conflation error.
- SOC 2 SCOPE UNCONFIRMED: Nayax API Suite marketing page claims SOC 2 certification but provides no scope letter, type (Type 1 vs Type 2), or report date. No evidence this covers Syte product discovery services. Cannot grade as held=true for Syte.
- AI TRAINING AMBIGUITY: Homepage states the platform is 'Trained on billions of apparel shopper interactions' without clarifying whether this refers to the pre-built model training or ongoing learning from customer data. Terms permit use of aggregated/anonymized Service Data for product improvement with no documented opt-out. The privacy policy does not address AI model training at all.
- NO TRUST CENTER: Syte has no dedicated trust center page. Compliance documentation is split between syte.ai/syte-by-nayax-privacy-dpa/ (DPA), syte.ai/privacy-policy/ (privacy policy), and the parent Nayax legal pages.
- BRAND/ENTITY COMPLEXITY: Syte is now legally operated under Nayax Ltd. (Israeli company). DPA, Terms, and all legal documents reference Nayax as the contracting entity. Certs and compliance posture must be evaluated at the Nayax entity level, with care taken that Nayax's payment-focused certs do not apply to the Syte product line.
// At a glance
Pricing model
B2B SaaS, subscription-based with annual terms; custom pricing via Order Form / demo request; no self-serve tier
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Nayax Ltd. (operating Syte product line)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
syte.ai