Records of Processing Activities (ROPA)

Formal GDPR Article 30 compliant Records of Processing Activities for Maelstrom AI

Public

Status: pre-launch. This evidence reflects implemented code and deployed infrastructure. Provii is not yet serving end-user production traffic, so production operational metrics and audit history are not yet available.

Records of Processing Activities (ROPA)

Document Type: GDPR Article 30 Compliance Record Regulation: EU General Data Protection Regulation (GDPR) Article 30 Controller: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as “Provii”) Last Updated: 2026-06-06 Review Frequency: Annually or upon material changes to processing activities Next Review Date: 2026-11-21

Executive Summary

This document constitutes Maelstrom AI’s formal Records of Processing Activities (ROPA) as required by GDPR Article 30. Maelstrom AI operates a zero knowledge age verification platform with minimal personal data processing by architectural design.

Key Characteristics:

Zero-PII Architecture on the wallet plane. The wallet and verification flows are designed so that traditional PII (names, DOB, addresses) is not collected beyond the ephemeral issuance window where DOB is processed in memory and discarded
Minimal Data Collection on the wallet plane. Only hashed IP addresses in audit logs (90-day retention)
Cryptographic Privacy. Zero knowledge proofs are designed to provide strong cryptographic privacy properties during verification
Administrator plane is distinct. Administrator staff and verifier onboarding contacts are processed by the administrator plane using dedicated sub-processors; this is separate from the wallet and verification data paths
Sub-processors. Cloudflare (infrastructure), GitHub (development infrastructure), Apple App Attest and Google Play Integrity (mobile attestation), Resend (transactional email, administrator plane), Silverhand operating Logto (administrator authentication, administrator plane), Grafana Labs operating Grafana Cloud (log aggregation; governed by Grafana Labs’ standard published Data Processing Addendum, incorporated by reference into the Grafana Cloud terms, including Standard Contractual Clauses for the US transfer)

Compliance Status:

✅ GDPR Article 30 compliant
✅ ISO 27701:2019 aligned
✅ Demonstrates privacy by design (GDPR Article 25)

Section 1: Controller Information

1.1 Data Controller Identity

Legal Entity: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust Trading Name: Provii Industry: Privacy-preserving identity verification technology

Registered Address: PO Box 169, St Arnaud VIC 3478, Australia

Contact Information:

1.2 Data Protection Contact

Role: Privacy Officer Email: privacy@maelstrom.au Responsibilities:

GDPR compliance oversight
Data subject request handling
Privacy breach coordination
Privacy by design implementation

Note: Maelstrom AI is not required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37 as:

We are not a public authority
Core activities do not require regular and systematic monitoring of data subjects on a large scale
Core activities do not involve large scale processing of special categories of data

However, we maintain a designated privacy contact for all data protection matters.

1.3 Controller Role

Maelstrom AI operates as:

Data Controller for:

Operational IP address logging (fraud prevention, security)
Audit logging (security monitoring, compliance)
Administrative systems (internal operations)

Data Processor when:

Providing age verification services to relying party websites
Processing IP addresses on behalf of clients (optional feature)

Section 2: Processing Activities (Controller)

Activity 2.1: Age Verification Request Logging

Basic Information

Activity Name. Age Verification Request Logging
Processing Owner. Provii Verifier API
Status. Pre-launch (not yet in production)
System. provii-verifier (Cloudflare Workers)

Purposes of Processing

Primary Purpose. Fraud prevention and abuse detection
Secondary Purposes:
Security monitoring and threat detection
Service reliability and performance diagnostics
Compliance with legal obligations (Australian law)

Legal Basis: Article 6(1)(f) - Legitimate interests

Legitimate Interest. Preventing fraudulent use of age verification services, protecting platform integrity, ensuring service security
Balancing Test. Minimal data collection (IP only), short retention (90 days), hashed in logs, proportionate to fraud prevention need

Categories of Data Subjects

End users requesting age verification through relying party websites
No registration required - anonymous by default
Global user base (all jurisdictions)

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Network identifiers	IP addresses	Collected at verification request	Pseudonymous (hashed)
Technical metadata	User-Agent strings, timestamps	Automatic collection	Non-identifying
Request metadata	Challenge IDs (UUID), verification outcomes	Generated by system	Non-identifying

Data NOT Collected:

❌ Names, email addresses, physical addresses
❌ Dates of birth (transmitted once during issuance for Pedersen commitment, then immediately discarded; never stored)
❌ Identity documents or government IDs
❌ Biometric data
❌ Financial information
❌ Browsing history or behavioural data
❌ Device identifiers (no fingerprinting)

Categories of Recipients

Internal Recipients:

Security Lead (sole operator. handles incident response, fraud investigation, system diagnostics, performance monitoring)

External Recipients: None

No data sharing with third parties
No marketing or analytics providers
No law enforcement access without valid legal process

Sub-Processors: See Section 3

Third Country Transfers

Transfer Mechanism: Cloudflare global infrastructure

Countries. United States, European Union, Australia, and other jurisdictions
Safeguards. Standard Contractual Clauses (SCCs) - EU Commission approved
Legal Basis. Article 46(2)(c) - Standard data protection clauses adopted by Commission
Transfer Impact Assessment. See DPIA (February 2026)

Cloudflare Data Processing:

Data Processing Agreement in place (2024)
EU SCCs incorporated
ISO 27001, SOC 2 Type II certified
GDPR-compliant infrastructure
Data residency: Cloudflare Workers KV (global replication)

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
IP addresses (audit logs)	90 days (hashed with SHA-256)	Automated deletion via retention policy / Grafana Loki tenant retention	Fraud detection, abuse prevention, security investigation
Challenge records	5 minutes	Automatic expiry (KV TTL)	Only needed for active verification session
Verification outcomes	90 days (anonymised)	Automated deletion via KV TTL	Security metrics, no IP linkage

Retention Policy Reference: /trust/security/data-retention.mdx

Deletion Verification: Automated compliance checks via retention policy enforcement (see provii-verifier/src/storage/retention.rs)

Technical and Organisational Security Measures

Technical Measures:

Encryption in Transit:

TLS 1.3 enforced on all API endpoints (Cloudflare Universal SSL)
HSTS preload with 1-year max-age
No plaintext HTTP communication

Encryption at Rest:

Cloudflare Workers KV: AES-256 encryption
Durable Objects: Encrypted storage
No unencrypted data persistence

Pseudonymization:

IP addresses hashed with SHA-256 in audit logs
Challenge IDs are random UUIDs (not sequential)
No persistent user identifiers

Access Controls:

Role-based access control (RBAC) for admin operations
Multi-factor authentication (MFA) required for production access
API key authentication with HMAC-SHA256 signing
Least privilege principle enforced

Data Minimization by Design:

Zero knowledge architecture prevents PII collection
Server-side Pedersen commitment generation (DOB transmitted once during issuance, immediately discarded; never transmitted during verification)
Cryptographic nullifiers prevent tracking

Monitoring and Logging:

Security event logging (90-day retention; critical security event logs are retained for up to 365 days)
Automated anomaly detection
Audit trail for all admin actions

Organisational Measures:

Privacy by Design:

Architecture review for all new features
Privacy impact assessment for material changes
Security-first development culture

Access Management:

Background checks for team members
Confidentiality agreements signed
Annual security awareness training
Segregation of duties for critical operations

Incident Response:

24-hour breach detection target
72-hour breach notification procedure (GDPR Article 33)
Incident response playbooks documented
Regular tabletop exercises

Vendor Management:

Security assessment for all critical vendors
Data Processing Agreements with processors
Annual vendor security reviews
Sub-processor register maintained

Documentation and Governance:

ISO 27001:2022 aligned ISMS
Privacy policies published and maintained
Regular compliance audits
Data protection training for all staff

Security Evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md

Activity 2.2: Credential Issuance Processing

Basic Information

Activity Name. Age Credential Issuance via Government ID Verification
Processing Owner. Provii Issuer API
Status. Pre-launch (not yet in production)
System. provii-issuer (Cloudflare Workers)

Purposes of Processing

Primary Purpose. Issuance of age verification credentials to eligible users
Secondary Purposes:
Identity verification officer authentication
Anti-fraud protection (prevent multiple issuances)
Compliance with Australian age verification regulations

Legal Basis: Article 6(1)(f) - Legitimate interests

Legitimate Interest. Ensuring credential integrity, preventing credential forgery, protecting age-restricted content access systems

Categories of Data Subjects

Individuals requesting age credentials at authorised issuance locations
Identity verification officers (authorised personnel)
No online registration - in-person issuance only

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Network identifiers	IP addresses (verification officer session)	Collected during issuance session	Pseudonymous (hashed)
Credential metadata	Credential commitment hashes, issuance timestamps	Cryptographic binding	Non-identifying (one-way hash)
Session identifiers	Temporary session IDs (UUID)	Generated for issuance flow	Non-identifying

Zero knowledge Issuance:

User presents government ID to verification officer (in-person)
Officer verifies identity and age eligibility
Date of birth extracted and input by officer (not retained in system)
Credential generated with cryptographic commitment to DOB
DOB immediately discarded after credential issuance
User receives signed credential commitment (stores in wallet app)

Data NOT Collected:

❌ Name from ID document (not retained)
❌ Date of birth (used for credential generation only, not stored)
❌ ID document number or photo
❌ Address or contact information
❌ Biometric data

Architectural Design: The system is designed with no database or persistent storage for PII; credentials are mathematical commitments only.

Categories of Recipients

Internal Recipients:

Authorised identity verification officers (trained personnel)
Security Lead (audit log review only. no PII in logs)

External Recipients: None

Sub-Processors: Cloudflare (infrastructure only - see Section 3)

Third Country Transfers

Transfer Mechanism: Same as Activity 2.1

Cloudflare global infrastructure
Standard Contractual Clauses (SCCs)
Minimal data transferred (credential commitments only)

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Session identifiers	24 hours	Automatic expiry (KV TTL)	Session cleanup
Credential commitments	For the operational lifetime of the issued credential, up to the next issuer key-rotation cycle at which point orphaned commitments are purged (legal basis: Article 6(1)(f) - legitimate interest in maintaining the integrity of the verification system for the duration of the credential’s validity)	Purged at issuer key-rotation; orphaned commitments deleted on rotation	One-way cryptographic binding; retention bounded to credential validity period
Officer authentication logs	90 days	Automated deletion	Security audit trail
IP addresses (hashed)	90 days	Automatic expiry	Fraud prevention

Cryptographic Privacy Property: Credential commitments are based on cryptographic one-way functions and are designed to be computationally infeasible to reverse to the original date of birth. Commitments are nonetheless retained only for the operational lifetime of the issued credential and are purged at each issuer key-rotation cycle; orphaned commitments (those not associated with a valid key epoch) are deleted on rotation. The legal basis for retention during this bounded period is Article 6(1)(f) - legitimate interest in maintaining verification system integrity for the duration of credential validity.

Technical and Organisational Security Measures

Technical Measures:

Zero knowledge Cryptography:

BLS12-381 elliptic curve (128-bit security level)
Pedersen commitments for DOB binding
Nullifiers prevent issuer tracking of subsequent verifications; DOB processed ephemerally during issuance and immediately discarded
No plaintext DOB storage anywhere in system

Officer Authentication:

YubiKey HMAC-SHA1 challenge-response authentication
Session timeout (30 minutes idle)
IP whitelisting for issuance terminals
Hardware security key support

Credential Security:

Cryptographic signing with issuer private key
Public key published via JWKS endpoint
Commitment binding prevents credential modification
Nullifier derivation prevents reuse across verifiers

Same as Activity 2.1: Encryption, access controls, monitoring (see above)

Organisational Measures:

Officer Training:

Privacy and data protection training required
Identity verification procedures documented
Annual recertification
Background checks for all issuance personnel

Physical Security:

Controlled access to issuance locations
Supervised issuance sessions
No cameras or recording devices during issuance
Secure disposal of any temporary notes

Same as Activity 2.1: Incident response, vendor management, governance (see above)

Cryptographic Evidence: /trust/compliance/evidence/cryptography/crypto-implementation-evidence.md

Activity 2.3: Security Audit Logging

Basic Information

Activity Name. Security and Compliance Audit Logging
Processing Owner. All Maelstrom AI services (Verifier API, Issuer API, Management API)
Status. Active
System. Cloudflare Workers KV (audit log storage)

Purposes of Processing

Primary Purpose. Security monitoring and incident detection
Secondary Purposes:
Compliance auditing (ISO 27001, GDPR)
Forensic investigation after security incidents
Performance and reliability monitoring

Legal Basis: Article 6(1)(f) - Legitimate interests

Legitimate Interest. Ensuring service security, detecting unauthorized access, compliance with legal obligations

Categories of Data Subjects

System administrators
API consumers (relying party websites)
Identity verification officers
Security personnel

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
User identifiers	Admin usernames, API key IDs	Logged for access control	Pseudonymous (no real names)
Network identifiers	IP addresses (hashed with SHA-256)	Automatic collection	Pseudonymous
Activity metadata	Timestamps, action types, resource IDs	Logged automatically	Contextual

Logged Events:

API authentication attempts (success/failure)
Administrative actions (configuration changes)
Security events (rate limit violations, invalid signatures)
Error conditions (system failures, exceptions)

Data NOT Logged:

❌ Request/response bodies (may contain sensitive data)
❌ User credentials or secrets
❌ Raw IP addresses (only hashed versions)
❌ Personal data from verification requests

Categories of Recipients

Internal Recipients:

Security Lead (sole operator. handles incident response, troubleshooting)
External compliance auditors (ISO 27001 alignment review, on-premises review only)

External Recipients: None

No sharing with third parties
Auditors may review on-premises only (no data export)

Third Country Transfers

Transfer Mechanism: Same as Activity 2.1 (Cloudflare global infrastructure with SCCs)

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Security audit logs	90 days	Automated deletion via KV TTL	Sufficient for incident investigation
Compliance logs	1 year	Manual review + deletion	ISO 27001 audit trail
Critical security events	365 days	Manual retention	Security investigation and lessons learned

Retention Policy: /trust/security/data-retention.mdx (lines 19-48)

Technical and Organisational Security Measures

Technical Measures:

Log Protection:

Encryption at rest (AES-256)
Append-only logging (immutable)
Hash verification (tamper detection)
Access logging (who accessed what logs)

Sanitization:

Automatic PII redaction in logs
IP address hashing (SHA-256)
Secret masking (API keys, passwords)
Structured logging (JSON format)

Same as Activity 2.1: Encryption, access controls (see above)

Organisational Measures:

Access Restrictions:

Logs accessible only to authorised personnel
MFA required for log access
Annual access reviews
Audit trail for all log queries

Same as Activity 2.1: Privacy by design, incident response (see above)

Evidence: /trust/compliance/evidence/security-controls/logging-monitoring-evidence.md

Activity 2.4: Website Analytics (Minimal)

Basic Information

Activity Name. Privacy-Preserving Website Analytics
Processing Owner. Marketing Website (docs.provii.app)
Status. Proposed, not active (analytics are disabled by design)
System. Cloudflare Web Analytics (server-side, privacy-preserving) - not enabled

Purposes of Processing

Primary Purpose. Understanding website usage patterns
Secondary Purpose. Improving user experience and documentation

Legal Basis: Article 6(1)(f) - Legitimate interests

Legitimate Interest. Understanding how users interact with documentation to improve content quality

Categories of Data Subjects

Website visitors (documentation readers)
Potential customers
General public

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Network identifiers	IP addresses (aggregated only)	Cloudflare Web Analytics	Non-identifying (aggregated)
Technical metadata	Browser type, country (from IP)	Automatic collection	Non-identifying
Usage metadata	Page views, session duration	Aggregated statistics	Non-identifying

Privacy-First Analytics:

No cookies or client-side tracking
No cross-site tracking
No user profiling
No third-party data sharing
Server-side analytics only (Cloudflare)

Categories of Recipients

Internal Recipients: ISMS Owner (aggregated reports only)

External Recipients: None. Cloudflare Web Analytics processes data within the existing Cloudflare infrastructure (no additional sub-processor)

Third Country Transfers

Same as Activity 2.1. data processed within Cloudflare’s global network under existing DPA and SCCs.

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Analytics data	90 days	Automatic expiry (Cloudflare)	Sufficient for trend analysis
Aggregated reports	Indefinite (anonymized)	N/A	No personal data in aggregates

Technical and Organisational Security Measures

Technical Measures:

Server-side analytics only (no client-side JavaScript tracking)
IP anonymization (last octet removed)
No persistent cookies
No fingerprinting

Organisational Measures:

Privacy policy disclosure (when published)
Analytics data access restricted to ISMS Owner (sole operator)
No sale or sharing of data

Status: Planned. Cloudflare Web Analytics is the planned analytics solution if analytics are activated. No third-party analytics (e.g., Google Analytics) are used or planned. CSP headers already permit cloudflareinsights.com. This section will be updated when analytics are activated.

Activity 2.5: Employee and Contractor Data (HR)

Basic Information

Activity Name. Human Resources and Employee Management
Processing Owner. Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (HR function)
Status. Active
System. External HR systems (not part of Provii platform)

Purposes of Processing

Primary Purpose. Employment relationship management
Secondary Purposes:
Payroll and benefits administration
Performance management
Compliance with employment law

Legal Basis:

Article 6(1)(b) - Performance of employment contract
Article 6(1)(c) - Legal obligation (tax, employment law)

Categories of Data Subjects

Sole operator (all ISMS roles held by one person. currently the only personnel)
Contractors and consultants (when engaged)

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Identity data	Full name, address	Collected at engagement	Identifying
Contact data	Email, phone number	Direct provision	Identifying
Financial data	Bank account details, ABN/TFN	Tax and payment processing	Identifying
Contractor records	Contract terms, engagement dates, invoices	Encrypted local storage	Identifying

Sensitive Data (Article 9 - Special Categories):

❌ None collected. no health data, biometric data, or other special categories

Categories of Recipients

Internal Recipients:

ISMS Owner (sole operator. all HR functions)

External Recipients:

Australian Taxation Office (ATO. tax compliance)
Superannuation funds (if employees engaged)
Banks (payment processing)

Third Country Transfers

Status: ✅ No international transfers. all HR/contractor data processed and stored in Australia using local systems.

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Contractor records	7 years after engagement ends	Manual deletion from encrypted storage	Australian tax law requirement
Financial records	7 years	Manual deletion	Australian tax law requirement
Job applications (unsuccessful)	12 months	Manual deletion	Recruitment needs

Retention Policy: Australian employment and tax law requirements

Technical and Organisational Security Measures

Technical Measures:

Full disk encryption (FileVault) on all workstations
MFA on all accounts (GitHub, Cloudflare, email)
Password manager (encrypted credential storage)
No dedicated HR platform. sole operator uses encrypted local storage
Contractor records stored in encrypted local files, not cloud HR systems

Organisational Measures:

ISMS Owner is sole operator with direct access to all records
Contractor confidentiality agreements signed at engagement
Annual privacy training completed (CISSP holder)
Secure disposal: cryptographic erasure for digital records

Status: ✅ Complete. reflects current sole-operator structure. Will be updated when team grows and dedicated HR systems are engaged.

Activity 2.6: Cloudflare Bot Protection Cookies (Docs Origin)

Basic Information

Activity Name. Cloudflare Bot Protection (__cf_bm, cf_clearance)
Processing Owner. Cloudflare, Inc. (processor) under instruction from Maelstrom AI (controller)
Status. Active (in production on docs.provii.app and preview.docs-sandbox.provii.app)
System. Cloudflare Bot Fight Mode and Cloudflare Cloudflare managed challenge, fronting the docs sandbox gateway

Purposes of Processing

Primary Purpose. Protect the docs sandbox gateway from automated abuse, credential-mint flooding, and credit exhaustion
Secondary Purposes:
Enforce per-IP and per-session rate limits at the edge
Maintain availability of the developer onboarding surface

Legal Basis: Article 6(1)(f). Legitimate interests

Legitimate Interest. Bot protection is operational security for an infrastructure-grade developer endpoint. Without it, automated agents could exhaust the shared sandbox issuer credit pool and degrade the developer experience for legitimate users.
Balancing Test. Developers expect bot protection on infrastructure-grade APIs; the cookies are pseudonymous and managed by Cloudflare; no profiling or behavioural targeting occurs. See Legitimate Interest Assessment.

Categories of Data Subjects

External developers browsing the docs site or interacting with the sandbox gateway
Visitors to the styler iframe at preview.docs-sandbox.provii.app

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Bot scoring cookie	`__cf_bm` value (HMAC-tied to browser fingerprint by Cloudflare)	Set by Cloudflare on first request	Pseudonymous PII
Challenge clearance	`cf_clearance` value (issued after a successful Cloudflare managed challenge or managed-challenge response)	Set by Cloudflare on challenge pass	Pseudonymous PII
Bot-scoring inputs	IP address, User-Agent, request fingerprint	Processed in-flight by Cloudflare	Pseudonymous PII

Data NOT processed by Maelstrom AI: The cookie values are read by Cloudflare to score subsequent requests; Maelstrom AI does not parse, log, or persist __cf_bm or cf_clearance values.

Categories of Recipients

Internal Recipients: None (Maelstrom AI does not read these cookies).

External Recipients: Cloudflare, Inc. (sub-processor. see Section 3.1).

Third Country Transfers

Same as Activity 2.1. Cloudflare global infrastructure under existing DPA and SCCs (EU Commission Decision 2021/914, Module 2 Controller-to-Processor).

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
`__cf_bm`	30 minutes (Cloudflare-managed)	Cookie expiry	Bot scoring window
`cf_clearance`	Cloudflare-managed (up to 30 days)	Cookie expiry	Challenge clearance lifetime

Maelstrom AI does not retain bot protection cookie values server-side.

Technical and Organisational Security Measures

Technical Measures:

Cookies set with Secure, HttpOnly, and SameSite=Lax attributes by Cloudflare
TLS 1.3 transport
No Maelstrom AI-side persistence of cookie values

Organisational Measures:

Disclosed in the Cookie Policy alongside the strictly-necessary __Host-docs_session cookie
Covered by the Docs Sandbox DPIA
Covered by the Children’s Code Standard 2 DPIA for child-impact considerations

Evidence: Docs Sandbox DPIA; Cloudflare DPA in compliance/evidence/vendors/third-party-evidence.md.

Activity 2.7: Docs Gateway Session State

Basic Information

Activity Name. Docs Sandbox Gateway Session State (__Host-docs_session)
Processing Owner. Provii Docs Gateway Worker (provii-demos/demo-web-provii-agegate, docs.provii.app/api/*)
Status. Active (sandbox-only)
System. Cloudflare Workers with DocsEnv binding set; KV-backed session state

Purposes of Processing

Primary Purpose. Bind developer sandbox interactions to a session so that credential mints, API explorer calls, and styler iframe interactions can be rate-limited and audited
Secondary Purposes:
Enforce the 4-hour session hard cap on sandbox sessions
Allow KV-sweep response if a sandbox compromise is suspected

Legal Basis: Article 6(1)(b). Performance of pre-contractual measures at the request of the developer

Notes. The __Host-docs_session cookie is strictly necessary to provide the developer-requested sandbox onboarding service. It is exempt from the PECR consent requirement under the strictly-necessary exemption.

Secondary Basis (audit retention): Article 6(1)(f). Legitimate interest in security monitoring and abuse investigation, with hashed-IP and session-ID retention bounded by a 90-day audit retention ceiling.

Categories of Data Subjects

External developers browsing the docs site or interacting with the sandbox gateway
Visitors to the styler iframe at preview.docs-sandbox.provii.app

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Session cookie	`__Host-docs_session` value (HMAC-signed by `DOCS_SESSION_HMAC_KEY` with `kid` prefix)	Issued by gateway on first interaction	Pseudonymous PII
Session record	`session_id`, issued timestamp, last-touched timestamp, hard-cap deadline	Stored in KV under the session key	Pseudonymous PII
Hashed IP	HMAC-SHA-256 of source IP keyed by `PII_HASH_KEY`	Computed at ingest	Pseudonymous PII
Audit metadata	Session ID, request method, route, timestamp, outcome	Logged on credential mint, attestation sign, and rate-limit decisions	Pseudonymous PII

Data NOT collected:

Names, email addresses, account profiles
Real DOB strings (schema-rejected at the gateway boundary; see Section 9.4)
Cross-site tracking identifiers
Behavioural analytics

Categories of Recipients

Internal Recipients: Security Lead (sole operator. for incident response and audit review).

External Recipients: None.

Sub-Processors: Cloudflare (KV storage, Workers compute). see Section 3.

Third Country Transfers

Same as Activity 2.1. Cloudflare global infrastructure under existing DPA and SCCs.

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
`__Host-docs_session` cookie	15-minute sliding TTL, 4-hour hard cap	Cookie expiry; KV TTL on server-side record	Strictly necessary for the developer-requested service
Session record (KV)	4-hour hard cap	KV TTL	Bounded session lifetime
`docs-cred-v:`, `docs-cred-i:` (credential cache)	1 hour	KV TTL	Caching layer for sandbox credential lookups
`docs-chal:*` (challenge state)	24 hours	KV TTL	Challenge replay protection
`mwallet-sbx-*` (mobile install entries)	7 days	KV TTL	Per Decision 13. mobile sandbox install lifetime
Audit metadata	90 days	KV TTL	Security monitoring ceiling

Technical and Organisational Security Measures

Technical Measures:

__Host- cookie prefix (path=/, secure, no domain)
HMAC-SHA-256 signing with kid-prefixed key rotation on a 90-day cadence; both old and new keys retained for the full 4-hour hard-cap window; single-shot kid-keyed lookup
Narrowed DocsEnv binding excludes DEMO_TOKEN_SECRET and the playground KVs
HMAC-SHA-256 IP hashing at ingest with PII_HASH_KEY
Strict-prefix isolation: production middleware rejects docs-sbx-* and mwallet-sbx-* prefixes across body, path, query, and authorisation header
Disjoint Ed25519 attestation seed (DOCS_ATTESTATION_ED25519_SEED) held only inside the AttestationSigner closure; never materialised as a JS string

Organisational Measures:

Quarterly key rotation rehearsal
KV-sweep compromise response procedure documented
Schema-rejection log review weekly
Disclosed in the Cookie Policy and the Developer Privacy Notice
Covered by the Docs Sandbox DPIA

Evidence: Asset Register entries CRYPTO-006, CRYPTO-007, INFRA-006, INFRA-007, KV-006, KV-007; Statement of Applicability ISO 27701 A.7.4.5 / A.7.4.6 / A.7.4.7 entries; Docs Sandbox DPIA.

Activity 2.8: Transactional Email Delivery (Administrator and Verifier Onboarding)

Basic Information

Activity Name. Transactional Email Delivery via Resend
Processing Owner. Provii Management API and Admin Portal (provii-management, admin-portal)
Status. Active (production since 2025-11-01)
System. Resend API (https://api.resend.com/emails), called from provii-management/src/services/email-service.ts and provii-management/src/routes/email.ts

Purposes of Processing

Primary Purpose. Deliver low-volume transactional email to administrator staff and verifier customer onboarding contacts
Secondary Purposes:
Organisation invitation emails during verifier account provisioning
Operational notifications issued by the administrator plane (account status, verifier welcome emails)

Resend is not used for marketing, bulk mailing, product update broadcasts, or any end-user correspondence. No wallet user, end consumer, or child ever receives email routed through this path.

Legal Basis:

Recipient population	Lawful basis	Notes
Administrator staff of Maelstrom AI	Article 6(1)(b). performance of the employment or contractor engagement	Email is necessary to operate Maelstrom AI staff accounts on the administrator plane.
Verifier customer onboarding contacts (named business contacts of verifier organisations)	Article 6(1)(b). performance of the verifier onboarding contract	Email is necessary to complete verifier account provisioning and invite named contacts into the administrator surface.
Verifier customer onboarding contacts, where onboarding is pre-contractual	Article 6(1)(b). pre-contractual measures taken at the request of the prospective controller	Applies during evaluation before contract execution.

Consent is not relied upon. Australian Privacy Principle 3 applies: collection of the recipient address is reasonably necessary for the purpose of sending the requested transactional message.

Categories of Data Subjects

Administrator staff of Maelstrom AI Pty Ltd (sole operator currently; expandable on team growth)
Named verifier organisation administrators and onboarding contacts

Not end consumers. Not children. Not wallet users.

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Recipient identifiers	Recipient email address	Supplied by `provii-management` to Resend on send	Identifying
Recipient display data	Recipient display name where present in the send payload	Supplied by `provii-management` on send	Identifying
Message content	Plain-text email body, HTML email body, subject line	Generated by `provii-management` per template; passed through Resend	Business contact data
Sender data	Configured sender address, reply-to address	Static configuration	Non-identifying
Delivery telemetry	Resend-side delivery status, bounce, and open events tied to the message identifier	Returned by Resend; not persisted in Maelstrom AI storage beyond the immediate response	Pseudonymous

Data NOT processed:

No age verification data, zero knowledge proofs, or wallet attestations
No children’s personal data
No credential identifiers (docs-sbx-*, mwallet-sbx-*) and no __Host-docs_session cookie value
No date of birth, name, address, or government identity document
No payment data

Categories of Recipients

Internal Recipients: Security Lead (sole operator. send history reviewable through the administrator surface for incident response and onboarding audit).

External Recipients: Resend, Inc. (processor on behalf of Maelstrom AI).

Sub-Processors: See Section 3.

Third Country Transfers

Transfer Mechanism: Resend operates primarily from US-based infrastructure.

Safeguards. EU Standard Contractual Clauses (European Commission Decision 2021/914, Module 2 controller-to-processor) incorporated into the Resend Data Processing Addendum
Legal Basis. Article 46(2)(c). standard data protection clauses adopted by the Commission
APP 8. The SCCs are the overseas-disclosure safeguard relied on for Australian Privacy Principle 8

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Send-payload record in Maelstrom AI systems	Not retained beyond the immediate API call	Transient in-memory send; no Maelstrom AI-side persistence	Data minimisation
Resend-side message history (recipient address, subject, status)	Per Resend-managed retention as documented in the Resend DPA	Resend-managed automated deletion	Transactional delivery audit
Administrator onboarding records (Maelstrom AI side)	7 years after engagement ends (shared retention with Activity 2.5 HR records)	Manual deletion from encrypted local storage	Australian tax and employment law
Verifier onboarding records (Maelstrom AI side)	For the duration of the verifier contract plus 7 years	Manual review and deletion	Contract evidence retention

Maelstrom AI does not copy Resend-side delivery telemetry into long-term storage; the telemetry is inspected transiently for send-error handling.

Technical and Organisational Security Measures

Technical Measures:

Transport security: TLS 1.3 on all calls to https://api.resend.com/emails; hardcoded endpoint, no dynamic URL construction (provii-management/src/services/email-service.ts:524).
API key protection: RESEND_API_KEY held in the Cloudflare Secrets Store (administrator-plane namespace), retrieved via a cached Secrets Store binding on cold start.
Schema validation: Recipient address format validated before the send request is issued.
Data minimisation: Only the fields required for the transactional message are included in the send payload. No speculative personalisation fields, no tracking pixels added by Maelstrom AI, no cross-linking to wallet data.
Same as Activity 2.1: Encryption, access controls, monitoring (see above).

Organisational Measures:

Vendor management: Resend added to the supplier register; SOC 2 Type II report available under NDA and reviewed on engagement.
DPA execution: Resend Data Processing Addendum accepted via the Resend dashboard; mirror retained at compliance/evidence/vendors/third-party-evidence.md.
Supplier monitoring: Resend status and incident announcements monitored as part of supplier management.
Same as Activity 2.1: Incident response, documentation governance (see above).

Evidence: Sub-Processors List section 3.1, Third-Party Vendor Evidence.

Activity 2.9: Administrator Authentication (OIDC)

Basic Information

Activity Name. Administrator Authentication via Logto
Processing Owner. Provii Admin Portal and Issuer API (admin-portal, provii-issuer)
Status. Active (production since 2025-10-17)
System. Logto hosted tenant at auth.provii.app, operated by Silverhand Inc.

Purposes of Processing

Primary Purpose. Authenticate Maelstrom AI administrator staff and identity verification officers, including MFA enrolment and enforcement
Secondary Purposes:
Role and organisation membership for the administrator surface
Session and refresh token lifecycle for the administrator plane
Sign-in event audit for security monitoring

Logto is not used for end-user wallet flows. Wallet users never interact with Logto.

Legal Basis:

Processing	Lawful basis	Notes
Administrator identity, MFA factors, session lifecycle	Article 6(1)(b). performance of the employment or contractor engagement	Authentication is necessary to operate the administrator plane on behalf of Maelstrom AI.
MFA factor enrolment (TOTP seed reference, WebAuthn credential identifier, phone number for SMS OTP where enabled)	Article 6(1)(c). compliance with ISO 27001 Annex A.8.5 access-control obligations that form part of Maelstrom AI’s legal and contractual ISMS commitments	Supplements 6(1)(b) for MFA specifically.
Sign-in event retention	Article 6(1)(f). legitimate interest in security monitoring of the administrator surface	Balancing test in Legitimate Interest Assessment.

Consent is not relied upon. Australian Privacy Principle 3 applies: collection is reasonably necessary for the purpose of authenticating authorised administrators.

Categories of Data Subjects

Administrator staff of Maelstrom AI Pty Ltd
Identity verification officers authenticating into provii-issuer

Not end consumers. Not children. Not wallet users.

Categories of Personal Data Processed

Data Category	Data Elements	Processing Method	Identifiability
Identity data	Administrator email address, display name, Logto user identifier	Collected at account provisioning; stored in the Logto tenant	Identifying
Organisation data	Organisation membership, role assignments	Assigned via the administrator surface; stored in the Logto tenant	Identifying
MFA factor metadata	TOTP seed reference, email OTP factor registration, SMS OTP phone number where enabled, WebAuthn credential identifier	Collected at MFA enrolment; stored in the Logto tenant	Identifying
Session data	Session tokens, refresh tokens, `kid`-bound session references	Issued by Logto on sign-in; relayed to `admin-portal`	Pseudonymous
Sign-in events	Timestamp, source IP (Logto-side), success or failure outcome, factor used	Logged by Logto; cross-referenced in Maelstrom AI audit logs by event ID only	Pseudonymous

Data NOT processed:

No wallet data, zero knowledge proofs, or age verification outcomes
No children’s personal data
No end-user date of birth or identity document
No credential commitments
Logto does not receive __Host-docs_session cookie values or the docs gateway session records

Categories of Recipients

Internal Recipients: ISMS Owner (sole operator. administrator, role-assignment, and MFA policy administration through the Logto console and the admin portal).

External Recipients: Silverhand Inc. (processor on behalf of Maelstrom AI, operating the Logto hosted tenant).

Sub-Processors: Silverhand’s own hosting infrastructure provider, per the Logto DPA; see Section 3.

Third Country Transfers

Transfer Mechanism: Logto hosted tenant deployed on infrastructure managed by Silverhand per the Logto published hosting terms. Processing locations follow Silverhand’s hosting footprint.

Safeguards. EU Standard Contractual Clauses (European Commission Decision 2021/914, Module 2 controller-to-processor) incorporated into the Logto Data Processing Addendum for transfers out of the EEA
UK transfers. UK International Data Transfer Addendum applied for transfers out of the UK
Legal Basis. Article 46(2)(c). standard data protection clauses adopted by the Commission
APP 8. The SCCs are the overseas-disclosure safeguard relied on for Australian Privacy Principle 8

Retention Periods

Data Type	Retention Period	Deletion Method	Justification
Administrator account, role assignments, organisation membership	For the duration of the engagement, deleted on offboarding	Administrator-triggered deletion through the Logto console	Access-control lifecycle
MFA factor metadata (TOTP seed, WebAuthn credential, SMS OTP phone number)	For the duration of the engagement; re-enrolled on factor rotation	Administrator-triggered deletion on factor rotation or offboarding	Factor-lifecycle management
Session and refresh tokens	Session lifetime per Logto defaults with Maelstrom AI-configured ceilings	Logto-managed expiry and revocation	Session-lifecycle security
Sign-in event history (Logto-side)	Per the Logto-managed retention window documented in the Logto DPA	Logto-managed automated deletion	Security monitoring
Maelstrom AI-side audit cross-reference (event ID, timestamp)	90 days	KV TTL in Maelstrom AI audit logs	Aligns with audit retention ceiling in Activity 2.3

Technical and Organisational Security Measures

Technical Measures:

Transport security: TLS 1.3 on all OAuth 2.0 and OIDC flows between admin-portal and the Logto tenant.
Secrets handling: LOGTO_APP_SECRET and LOGTO_M2M_APP_SECRET held in the Cloudflare Secrets Store (administrator-plane namespace), retrieved via cached Secrets Store bindings.
MFA enforcement: MFA required for all administrator accounts; supported factors are TOTP, email OTP, SMS OTP, and WebAuthn.
Short-lived tokens: OIDC access tokens short-lived; refresh-token rotation in effect.
Disjoint secret material: Logto secrets are scoped to the administrator plane and are not shared with any docs-sandbox or wallet surface.
Same as Activity 2.1: Encryption, access controls, monitoring (see above).

Organisational Measures:

Vendor management: Silverhand added to the supplier register; compliance posture tracked on engagement renewal.
DPA execution: Logto Data Processing Addendum accepted during tenant provisioning; mirror retained at compliance/evidence/vendors/third-party-evidence.md.
Offboarding procedure: Administrator offboarding includes Logto account deletion, session revocation, and removal of organisation memberships.
Same as Activity 2.1: Incident response, documentation governance (see above).

Evidence: Sub-Processors List section 4.1, Third-Party Vendor Evidence, Asset Register entries for administrator-plane key material.

Section 3: Sub-Processors and Third-Party Data Recipients

3.1 Sub-Processor Register

Maelstrom AI engages the following sub-processors for personal data processing:

Sub-Processor 3.1.1: Cloudflare, Inc.

Entity Information:

Name. Cloudflare, Inc.
Address. 101 Townsend St, San Francisco, CA 94107, United States
Website. https://www.cloudflare.com
Privacy Contact. privacyquestions@cloudflare.com

Services Provided:

Cloudflare Workers (serverless compute platform)
Cloudflare Workers KV (key-value storage)
Cloudflare Durable Objects (stateful compute)
Cloudflare R2 (object storage - backups)
Cloudflare Workers Logs (structured console.log JSON shipped to Grafana Loki, the operational telemetry recipient)
DDoS protection and CDN services

Data Processed:

IP addresses (end user requests)
HTTP request metadata (User-Agent, Referer, etc.)
API request/response data (in memory only - not persisted)
Audit logs (stored in KV)
Application data (credential commitments, challenge state)

Processing Location: Global (United States, European Union, Asia-Pacific)

Transfer Safeguards:

Mechanism. Standard Contractual Clauses (EU Commission Decision 2021/914)
Agreement. Cloudflare Data Processing Addendum (DPA) executed 2024
Certifications. ISO 27001, SOC 2 Type II, C5 (Germany), PCI DSS
Transfer Impact Assessment. See DPIA (February 2026)

Sub-Processor Role: Infrastructure provider (processor on behalf of Maelstrom AI)

Contract Terms:

Data Processing Agreement in place
Security and confidentiality obligations
Data subject rights assistance
Breach notification (24-hour requirement)
Audit rights
Sub-processor notification requirements

Monitoring:

Annual security review
Continuous monitoring of service status (status.cloudflare.com)
Quarterly contract compliance review

Evidence: /trust/compliance/evidence/vendors/third-party-evidence.md (lines 36-76)

Sub-Processor 3.1.2: GitHub, Inc. (Microsoft)

Entity Information:

Name. GitHub, Inc. (Microsoft Corporation)
Address. 88 Colin P Kelly Jr St, San Francisco, CA 94107, United States
Website. https://github.com
Privacy Contact. https://support.github.com/contact/privacy

Services Provided:

Git repository hosting (source code)
GitHub Actions (CI/CD pipelines)
GitHub Advanced Security (Dependabot, CodeQL, secret scanning)
GitHub Container Registry (artifact storage)

Data Processed:

Developer identities (GitHub usernames, email addresses)
Source code and documentation (public repositories)
Commit metadata (timestamps, commit messages)
CI/CD logs (build and deployment logs)
Security scan results

Processing Location: Global (United States, European Union)

Transfer Safeguards:

Mechanism. Standard Contractual Clauses (GitHub DPA)
Agreement. GitHub Data Protection Agreement (standard terms)
Certifications. ISO 27001, SOC 2 Type II
Note. Source code is publicly available (open source) - no confidential data

Sub-Processor Role: Development infrastructure provider

Contract Terms:

Standard GitHub Enterprise Cloud terms
Data Protection Addendum (DPA)
Security obligations
Incident notification

Monitoring:

Annual security review
GitHub security advisories monitored
Status monitoring (githubstatus.com)

Evidence: /trust/compliance/evidence/vendors/third-party-evidence.md (lines 77-99)

Sub-Processor 3.1.3: Resend, Inc.

Entity Information:

Name. Resend, Inc.
Address. 2261 Market Street #5039, San Francisco, CA 94114, United States
Website. https://resend.com
Privacy Contact. Per the Resend Data Processing Addendum

Services Provided:

Transactional email delivery API for administrator and verifier onboarding emails issued by provii-management and admin-portal

Data Processed:

Recipient email address, recipient display name where present, email body (plain-text and HTML), subject line, sender address
No age verification data, no wallet attestations, no zero knowledge proofs, no children’s personal data

Processing Location: Primarily United States

Transfer Safeguards:

Mechanism. Standard Contractual Clauses (EU Commission Decision 2021/914)
Agreement. Resend Data Processing Addendum
Certifications. SOC 2 Type II

Sub-Processor Role: Transactional email processor on behalf of Maelstrom AI

Contract Terms:

Resend Data Processing Addendum accepted via the Resend dashboard
Security and confidentiality obligations
Breach notification procedure per the DPA
SOC 2 Type II report available under NDA

Monitoring:

Supplier register review at engagement renewal
Incident announcements tracked as part of supplier management

Evidence: Sub-Processors List section 3.1, Third-Party Vendor Evidence.

Sub-Processor 3.1.4: Silverhand Inc. (Logto)

Entity Information:

Name. Silverhand Inc., operator of Logto
Address. Per Silverhand’s published corporate record
Website. https://logto.io
Privacy Contact. Per the Logto Data Processing Addendum

Services Provided:

Logto OAuth 2.0 and OpenID Connect identity provider hosted tenant at auth.provii.app
MFA enrolment and enforcement (TOTP, email OTP, SMS OTP, WebAuthn)
Role and organisation membership, session lifecycle

Data Processed:

Administrator email address, display name, Logto user identifier
Organisation membership, role assignments
MFA factor metadata (TOTP seed reference, WebAuthn credential identifier, phone number where SMS OTP is enabled)
Session and refresh tokens, sign-in events
No wallet data, no age verification data, no children’s data

Processing Location: Silverhand-managed hosting footprint per the Logto published hosting terms

Transfer Safeguards:

Mechanism. Standard Contractual Clauses (EU Commission Decision 2021/914) for EEA transfers; UK International Data Transfer Addendum for UK transfers
Agreement. Logto Data Processing Addendum accepted during tenant provisioning
Certifications. Per Logto’s published compliance posture; tracked at engagement renewal

Sub-Processor Role: Administrator-plane identity provider operating on behalf of Maelstrom AI

Contract Terms:

Logto Data Processing Addendum
Silverhand’s own sub-processors covered under the Logto DPA
Security and confidentiality obligations
Incident notification per the Logto DPA

Monitoring:

Supplier register review at engagement renewal
Logto incident and advisory announcements tracked as part of supplier management

Evidence: Sub-Processors List section 4.1, Third-Party Vendor Evidence.

Sub-Processor 3.1.5: Grafana Labs (Grafana Cloud)

Entity Information:

Name. Grafana Labs, Inc.
Address. Per Grafana Labs’ published corporate record (United States)
Website. https://grafana.com
Privacy Contact. privacy@grafana.com

Services Provided:

Grafana Cloud (SaaS) - log aggregation via Grafana Loki tenant; receives structured logs shipped from Cloudflare Workers Logs

Data Processed:

Salted-hash IP addresses (HMAC-SHA-256, domain-separated)
Audit metadata (timestamps, action types, request identifiers, outcome codes)
No raw IP addresses, no names, no dates of birth, no credential commitments

Processing Location: Grafana Cloud-managed region per the Grafana Cloud data residency settings configured for the Maelstrom AI tenant

Transfer Safeguards:

Mechanism. Standard Contractual Clauses (EU Commission Decision 2021/914), incorporated into the Grafana Labs standard published Data Processing Addendum
Agreement. Grafana Labs’ standard published Data Processing Addendum, incorporated by reference into the Grafana Cloud terms of service. No bespoke DPA is required; the standard DPA governs processing. Note: only salted-hash IP addresses and audit metadata are shipped to the Loki tenant (no direct identifiers); the service is pre-launch.
Certifications. Per Grafana Labs’ published compliance posture (SOC 2 Type II - supplier-held)

Sub-Processor Role: Log aggregation SaaS processor on behalf of Maelstrom AI

Contract Terms:

Grafana Labs standard published Data Processing Addendum (incorporated by reference into the Grafana Cloud terms)
Standard Contractual Clauses for the US transfer (incorporated into the Grafana Labs DPA)
Security and confidentiality obligations per the Grafana Labs DPA
Breach notification procedure per the Grafana Labs DPA

Monitoring:

Supplier register review at annual renewal
Grafana Cloud status and incident announcements monitored as part of supplier management

Evidence: Cloudflare Workers Logs configuration; /trust/compliance/evidence/vendors/third-party-evidence.md; Grafana Labs published DPA at https://grafana.com/legal/data-processing-addendum/.

Sub-Processor 3.1.6: HR/Payroll Provider

Status: Not applicable. no external HR or payroll sub-processor is currently engaged. The sole operator (ISMS Owner) manages all HR and financial records using encrypted local storage and direct ATO lodgement. This section will be completed if/when an external HR or payroll provider (for example Xero or MYOB) is engaged.

3.2 Sub-Processor Notification

Change Notification Process:

New sub-processors evaluated via vendor risk assessment
Clients notified 30 days before engagement (if acting as processor for clients)
Objection period provided (14 days)
Documentation updated in this ROPA

Current Status: Cloudflare (infrastructure), GitHub (development infrastructure), Apple App Attest and Google Play Integrity (mobile attestation), Resend (transactional email, administrator plane), Silverhand operating Logto (administrator authentication, administrator plane), and Grafana Labs operating Grafana Cloud (log aggregation; governed by Grafana Labs’ standard published Data Processing Addendum including SCCs). The canonical enumeration lives at Sub-Processors v1.1.

Section 4: International Data Transfers

4.1 Transfer Inventory

Data Category	Origin	Destination	Transfer Mechanism	Safeguards
IP addresses	EU/EEA	United States (Cloudflare)	Standard Contractual Clauses	SCCs + TIA
Audit logs	EU/EEA	Global (Cloudflare KV)	Standard Contractual Clauses	SCCs + encryption
Source code	Australia	United States (GitHub)	N/A (public data)	None required (public repo)
Administrator and verifier onboarding email	Australia, EEA, UK	United States (Resend)	Standard Contractual Clauses	SCCs + Resend DPA
Administrator identity, MFA factors, sign-in events	Australia, EEA, UK	Silverhand-managed hosting (Logto)	Standard Contractual Clauses, UK IDTA	SCCs + Logto DPA

4.2 Standard Contractual Clauses (SCCs)

Cloudflare SCC Details:

Version. EU Commission Decision 2021/914 (Module 2: Controller-to-Processor)
Effective Date. 2024 (Cloudflare DPA incorporation)
Parties. Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (Controller) → Cloudflare, Inc. (Processor)
Governing Law. Irish law (Cloudflare EU entity: Cloudflare Ireland)

GitHub SCC Details:

Version. EU Commission Decision 2021/914
Effective Date. GitHub standard DPA terms (automatic application)
Parties. Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust → GitHub, Inc. (Microsoft)

Resend SCC Details:

Version. EU Commission Decision 2021/914 (Module 2: Controller-to-Processor)
Effective Date. 2025-11-01 (first production send from provii-management)
Parties. Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (Controller) → Resend, Inc. (Processor)

Logto SCC Details:

Version. EU Commission Decision 2021/914 (Module 2: Controller-to-Processor); UK International Data Transfer Addendum for UK transfers
Effective Date. 2025-10-17 (first production administrator sign-in via Logto)
Parties. Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (Controller) → Silverhand Inc. (Processor)

4.3 Transfer Impact Assessment (TIA)

Completed: 2025-01-13 (part of Cloudflare sub-processor DPIA)

Key Findings:

Risk Level. Low
Reasoning:
Minimal personal data transferred (IP addresses only, hashed)
Strong encryption in transit and at rest
Cloudflare has legal and technical safeguards
No government access requests expected (no surveillance interest)
SCCs provide adequate safeguards

Supplementary Measures:

IP address pseudonymization (SHA-256 hashing)
90-day retention limit (minimise exposure)
Encryption at rest (AES-256)
No onward transfers without notification

Evidence: Data Protection Impact Assessment

Section 5: Data Subject Rights Implementation

5.1 Rights Exercisable

Maelstrom AI supports all GDPR data subject rights:

Right	Article	Implementation Status
Right to be informed	Art. 13-14	✅ Privacy policy published
Right of access	Art. 15	✅ DSAR procedure documented
Right to rectification	Art. 16	✅ Self-service (wallet app)
Right to erasure	Art. 17	✅ Automated deletion after retention period
Right to restrict processing	Art. 18	⚠️ Limited applicability (no ongoing processing)
Right to data portability	Art. 20	✅ Credential export from wallet
Right to object	Art. 21	✅ Opt-out of analytics (if applicable)
Automated decision-making	Art. 22	N/A (no automated decisions)

5.2 Data Subject Access Request (DSAR) Process

Request Method:

Email: privacy@maelstrom.au

Response Timeline:

Acknowledgment: 48 hours
Response: 30 days (extendable to 60 days if complex)

Verification:

Identity verification required (prevent disclosure to unauthorized parties)
Challenge-response or similar authentication

Response Format:

Machine-readable format (JSON)
Human-readable summary
Explanation of processing activities

Evidence: DSAR procedures documented; email-based process operational

5.3 Right to Erasure Implementation

Automatic Deletion:

IP addresses and audit logs: 90 days (Grafana Loki tenant retention via Workers Logs / KV TTL)
Challenge records: 5 minutes (KV TTL expiry)

Manual Deletion:

On request: Immediate deletion from active systems
Backups: Purged at next backup rotation (7-day cycle)

Exceptions (Article 17(3)):

Compliance with legal obligations (e.g., tax records: 7 years)
Establishment, exercise, or defence of legal claims

Evidence: Data retention policy (/trust/security/data-retention.mdx)

Section 6: Security Incident and Breach Management

6.1 Breach Detection

Monitoring Systems:

Automated security event logging (24/7)
Anomaly detection (rate limiting violations, authentication failures)
Third-party security advisories (Cloudflare, GitHub)

Detection Targets:

Unauthorized access to systems
Data exfiltration attempts
Accidental data disclosure (misconfigured permissions)
Sub-processor security incidents

6.2 Breach Notification Timeline

GDPR Article 33 Compliance:

Timeline	Action	Responsible Party
0-24 hours	Detect and contain breach	Security Lead
24-72 hours	Assess impact, document breach	Privacy Officer + Security Lead
Within 72 hours	Notify supervisory authority (if high risk)	Privacy Officer
Without undue delay	Notify affected data subjects (if high risk)	Privacy Officer + Legal

Supervisory Authority:

Primary. Australian Information Commissioner (OAIC) - for Australian operations
EU. Applicable EU supervisory authority will be determined if/when an EU representative is appointed under GDPR Article 27

Breach Documentation:

Incident report template (see incident response playbook)
ROPA updated if processing changes required
Lessons learned review within 30 days

Evidence: Privacy breach notification procedures (GAP-H005 - Q1 2026 completion)

6.3 Breach Risk Assessment

Risk Factors:

Type of data involved (IP addresses vs. names)
Number of affected individuals
Ease of identification
Severity of consequences
Special characteristics of individuals (children)

Low-Risk Example:

Temporary exposure of hashed IP addresses from audit logs
Limited number of records
No identification possible
→ Internal documentation only (no notification required)

High-Risk Example:

Unauthorized access to issuer service credential signing keys
Potential for credential forgery
→ Supervisory authority + data subject notification required

Section 7: Privacy by Design and Default

7.1 Architectural Privacy Measures

Zero knowledge Architecture:

Ephemeral Server-Side Processing: Date of birth transmitted once during issuance for Pedersen commitment computation, then immediately discarded; never transmitted during verification
Cryptographic Commitments: Pedersen commitments bind DOB without revealing it
Unlinkability: Each verification uses unique cryptographic nullifiers
No Centralized Database: No PII storage infrastructure exists

Privacy by Default:

Minimum data collection by default (IP addresses only)
Short retention periods (90 days standard)
No opt-in required for privacy (privacy is the default)
No behavioural tracking or profiling

Evidence:

/trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md
/trust/compliance/standards/privacy-by-design/privacy-by-design-assessment.md

7.2 Data Protection Impact Assessments (DPIAs)

Completed DPIAs:

Consolidated DPIA (February 2026). covers Verifier API, Issuer API, and Cloudflare sub-processing. See Data Protection Impact Assessment.

DPIA Triggers:

New processing activities involving personal data
Material changes to existing processing
New third-party processors engaged
Regulatory changes requiring reassessment

Evidence: Data Protection Impact Assessment (completed February 2026)

Section 8: Accountability and Governance

8.1 ROPA Maintenance

Review Schedule:

Quarterly. Review for material changes (new features, processors)
Annually. review and update (next: 2026-05-15)
Ad-hoc. Review upon regulatory changes or incidents

Change Management:

Document version control (Git repository)
Approval required for material changes (ISMS Owner + Privacy Officer)
Communication to relevant stakeholders

8.2 Compliance Evidence

Documentation References:

Privacy policy: Privacy Policy (pending publication. see Planned Work Register (maintained internally; available to auditors and enterprise customers on request) P-005)
Data retention policy: /trust/security/data-retention.mdx
Incident response plan: /trust/security/business-continuity.mdx
Vendor management: /trust/security/supplier-management.md
Security controls: /trust/compliance/evidence/security-controls/

Audit Trail:

This ROPA document version controlled in Git
Changes tracked with timestamps and authors
Annual audit for ISO 27001/27701 compliance

8.3 Training and Awareness

Privacy Training:

ISMS Owner (sole operator): Annual GDPR and privacy awareness training, privacy by design, incident response and breach notification. Professional certifications maintained (CISSP, Security+, PenTest+, SecurityX).
Contractors (when engaged): Data protection awareness and handling procedures as part of onboarding

Training Records: Maintained for 3 years (compliance evidence)

Section 9: Exemptions and Special Considerations

9.1 Small Business Exemptions

Not Applicable: Maelstrom AI does not claim small business exemptions under GDPR.

Reasoning:

Global operations (not limited to single jurisdiction)
Cross-border data transfers (international processing)
Voluntary compliance with full GDPR requirements
Aligned to ISO 27701 (self-assessed; full compliance demonstrated)

9.2 Research and Archiving Exemptions

Not Applicable: Maelstrom AI does not process personal data for:

Scientific or historical research
Statistical purposes
Archiving in the public interest

All processing is operational (age verification services).

9.3 Australian Privacy Act Considerations

Dual Compliance: Maelstrom AI complies with both GDPR and Australian Privacy Act 1988

Key Differences:

Notification of Eligible Data Breaches (NDB Scheme):
Trigger: Likely serious harm (vs. GDPR’s “risk to rights and freedoms”)
Timeline: As soon as practicable (vs. GDPR’s 72 hours)
Regulator: Australian Information Commissioner (OAIC)

Cross-Border Disclosure: Australian Privacy Principles (APP 8)

Same SCCs used for GDPR compliance satisfy APP 8 requirements
Cloudflare DPA covers Australian data exports

Evidence: Australian Privacy Principles compliance mapping in unified control matrix

Declaration: The generation of sandbox attestations from fixture IDs by the docs gateway (docs.provii.app/api/credentials/issuer and the verifier-credential mint route) is not a processing activity within the meaning of GDPR Article 4(2) because the inputs are not personal data.

Rationale:

Inputs contain no personal data. The credential generators accept only references to fixture IDs (fix-1 through fix-11), which are 11 named synthetic test users. Each fixture’s dob_days is computed fresh per request; the underlying fixtures are not derived from any real person.
Real DOB strings are schema-rejected before processing begins. The /v1/register-test-issuer-client endpoint and adjacent credential mint routes enforce a schema that rejects ISO 8601 dates, parseable date strings, and out-of-range integer dob_days values. Rejected requests return HTTP 400 and are logged as suspicious; the rejected payload body is not persisted. Schema rejection occurs before the gateway begins building the attestation.
Outputs are ephemeral. The signed DobAttestation payload is returned to the caller and not retained server-side. No KV write, no audit log entry containing attestation contents, no persistence layer captures the signed output.
No data subject is identifiable from the inputs or outputs. Fixture IDs are not personal data under Article 4(1) because they do not relate to an identified or identifiable natural person. The cryptographic Ed25519 signature applied to the fixture-derived attestation does not introduce personal data; it carries only the synthetic fixture’s dob_days, the synthetic fixture’s nullifier seed, and the binding to session_id and client_id.
The session binding is covered separately. The session_id and client_id bound into the attestation are pseudonymous developer-session identifiers covered under Activity 2.7 (Docs Gateway Session State). Attestation generation is not separately a processing activity in respect of these identifiers; their processing is fully accounted for under Activity 2.7.

Effect: Synthetic attestation generation is excluded from the Article 30 processing activity record. If the schema-rejection boundary is ever weakened to admit real DOB inputs, this declaration is invalidated and a new processing activity must be added to the ROPA before any such change ships.

Evidence: Schema validation in the /v1/register-test-issuer-client handler; fixture definitions in src/docs/fixtures.ts; AttestationSigner implementation at src/docs/attestation-signer.ts; Docs Sandbox DPIA Section 3; Children’s Code Standard 2 DPIA Section 3.

Section 10: Document Control

10.1 Version History

Version	Date	Author	Changes
1.0	2025-11-08	Privacy Officer	Initial ROPA creation (GAP-M006 remediation)
1.1	2026-04-13	Privacy Officer	Added Activity 2.6 (Cloudflare bot protection cookies on docs origin) and Activity 2.7 (docs gateway session state). Added Section 9.4 declaring synthetic attestation generation is not a processing activity under GDPR Art. 4(2).
1.2	2026-04-14	Privacy Officer	Added Activity 2.8 (transactional email delivery via Resend, administrator plane) and Activity 2.9 (administrator authentication via Logto). Added Resend and Silverhand/Logto to the Section 3.1 sub-processor register. Extended the Section 4 transfer inventory and SCC register accordingly.
1.3	2026-06-06	Privacy Officer	Added Grafana Labs (Grafana Cloud) to Section 3.1 sub-processor register (purpose: log aggregation; data: salted-hash IP + audit metadata; processing governed by Grafana Labs’ standard published DPA incorporated by reference into the Grafana Cloud terms, including SCCs for the US transfer; no bespoke DPA required). Marked Activity 2.4 (Website Analytics) as Proposed, not active (analytics are disabled by design). Bounded credential-commitment retention to operational lifetime of credential / issuer key-rotation cycle with Article 6(1)(f) legal basis (replaces prior indefinite statement). Appended critical-security-event 365-day tier to Activity 2.1 security event logging note. Added pre-launch status banner.

10.2 Approval

Reviewed By:

Privacy Officer: Tim O’Connor - 2025-11-08
Privacy Officer: Tim O’Connor - 2026-04-13 (v1.1)
Privacy Officer: Tim O’Connor - 2026-04-14 (v1.2)
Privacy Officer: Tim O’Connor - 2026-06-06 (v1.3)

Approved By:

ISMS Owner: Tim O’Connor - 2025-11-08
ISMS Owner: Tim O’Connor - 2026-04-13 (v1.1)
ISMS Owner: Tim O’Connor - 2026-04-14 (v1.2)
ISMS Owner: Tim O’Connor - 2026-06-06 (v1.3)

Next Review: 2026-11-21 (or upon material changes)

10.3 Distribution

Internal Access:

Privacy Officer (read-write. sole operator)

External Access:

Available to supervisory authorities upon request
Available to auditors during certification audits

Classification: Public

Section 11: Appendices

Appendix A: Glossary

Controller. Entity that determines purposes and means of processing (Maelstrom AI for operational data)
Processor. Entity that processes data on behalf of controller (Cloudflare, GitHub)
Sub-Processor. Processor engaged by another processor (none currently)
Data Subject. Individual whose personal data is processed
Personal Data. Any information relating to an identified or identifiable natural person
Processing. Any operation performed on personal data (collection, storage, deletion, etc.)
DPIA. Data Protection Impact Assessment
DSAR. Data Subject Access Request
SCC. Standard Contractual Clauses
TIA. Transfer Impact Assessment

Appendix B: Contact Information

Privacy Inquiries: privacy@maelstrom.au

Data Subject Requests: privacy@maelstrom.au

Security Incidents: security@maelstrom.au

General Contact: support@provii.app

Appendix C: Supervisory Authority

Primary Authority (Australian Operations):

Name. Office of the Australian Information Commissioner (OAIC)
Website. https://www.oaic.gov.au
Complaints. https://www.oaic.gov.au/privacy/privacy-complaints

EU Authority:

Not yet applicable. no EU establishment or EU representative appointed. Will be determined if/when an EU representative is designated under GDPR Article 27.

Internal Policies:

Information Security Policy: /trust/security/information-security-policy.mdx
Data Retention Policy: /trust/security/data-retention.mdx
Business Continuity Plan: /trust/security/business-continuity.mdx
Supplier Management Policy: /trust/security/supplier-management.md

Compliance Documentation:

GDPR Compliance Statement: /trust/compliance/standards/gdpr/gdpr-compliance-statement.md
ISO 27701 Compliance: /trust/compliance/standards/iso27701/iso27701-compliance.md
Privacy Architecture Evidence: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md
Unified Control Matrix: /trust/compliance/requirements/unified-control-matrix.md

Gap Analysis:

Gap Analysis

END OF RECORDS OF PROCESSING ACTIVITIES (ROPA)

Document Control: This ROPA is maintained in version control at /trust/compliance/evidence/privacy-controls/ropa-records-of-processing.mdx

Compliance Status: GDPR Article 30 compliant | ISO 27701:2019 aligned

Last Updated: 2026-06-06 Next Review: 2026-11-21