DPIA. Children’s Code Standard 2 (Docs Sandbox)
Assessment Overview
| Field | Detail |
|---|---|
| Assessment Date | April 2026 |
| Assessor | ISMS Owner |
| Scope | Docs interactive sandbox surface. gateway endpoints, credential generators, API explorer, styler iframe at preview.docs-sandbox.provii.app |
| Controller | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii) |
| Legal Entity | ABN 61 633 823 792 |
| Regulatory framework | UK Age Appropriate Design Code (Children’s Code), Standard 2. Data Protection Impact Assessments |
| ICO reference | Age appropriate design: a code of practice for online services |
| Companion documents | Children’s Code Compliance Matrix, Docs Sandbox DPIA, Production DPIA |
1. Purpose of this DPIA
ICO Standard 2 requires services likely to be accessed by children to undertake a DPIA “specifically in respect of the child safety and data protection risks that might arise” from their processing. The Children’s Code Compliance Matrix concludes that the Code does not directly apply to Provii (an age verification service that excludes children from the relying party content it gates), but the docs interactive sandbox is a separate surface with a separate audience and a separate risk posture. This DPIA assesses whether the docs sandbox creates any child-impact risk and documents the controls that hold that risk to negligible.
The conclusion of this DPIA is that the docs sandbox is not likely to be accessed by children in the ICO sense, accepts only fixture IDs (never raw DOB strings) as inputs that resemble children’s data, rejects any real DOB string at the schema boundary, and operates a zero-retention SLA for any DOB-shaped payload. The DPIA is documented because publishing it is itself a Standard 2 compliance signal.
2. Description of the Processing
Nature
The docs interactive sandbox is the developer onboarding surface attached to docs.provii.app. It exposes:
- A gateway under
docs.provii.app/api/*that issues a strictly-necessary__Host-docs_sessioncookie and brokers calls to the sandbox issuer and verifier APIs. - Credential generators that mint sandbox-scoped issuer client IDs into the
SANDBOX_DOCS_ISSUERSallowlist. - An in-page API explorer (Scalar) that lets developers exercise sandbox endpoints with bearer tokens scoped to the sandbox.
- A styler iframe at
preview.docs-sandbox.provii.appthat renders interactive sandbox widgets.
The audience is external developers evaluating or integrating Provii. The surface is publicly reachable, so children could in theory navigate to it. The processing posture for any child-derived data is described in Section 3.
Scope
| Aspect | Detail |
|---|---|
| Intended users | External developers integrating the Provii API |
| Geography | Global, served via Cloudflare’s edge network |
| Volume | Low. Documentation-tier traffic, not production verification traffic |
| Likely-to-be-accessed-by-children assessment | See Section 4 |
Data Categories
| Category | Source | Retention | Child-impact relevance |
|---|---|---|---|
__Host-docs_session cookie | Issued by gateway | 15-min sliding TTL, 4-hour hard cap | Pseudonymous session state. Not child-specific. |
__cf_bm, cf_clearance | Cloudflare bot protection | Cloudflare-managed (30 min default) | Pseudonymous bot scoring. Not child-specific. |
| Hashed IP (HMAC-SHA-256) | Gateway audit log | 90 days; critical security event logs are retained for up to 365 days | Pseudonymous; not joined to identity. |
Fixture IDs (fix-1 … fix-11) | Synthesised by gateway | Per-request | Synthetic, not personal data. Never derived from real children. |
| Real DOB strings | Rejected at schema boundary | Zero | Schema-rejected; rejection logged as suspicious; payload never written to disk or log. |
3. Posture on Child Data. Explicit Statements
The docs sandbox operates the following explicit posture for any input that could relate to a child:
-
The sandbox accepts fixture IDs only. Endpoints that take age-shaped input accept references to one of 11 named synthetic test users (
fix-1throughfix-11) and nothing else. Each fixture’sdob_daysis computed fresh per request to guard against time drift; the underlying fixtures are not derived from real persons. -
The sandbox rejects any real DOB string. The
/v1/register-test-issuer-clientendpoint enforces a schema that rejects:
- ISO 8601 dates (
YYYY-MM-DD) - Free-text date strings parseable as a date
- Integer
dob_daysvalues outside the synthetic fixture range Rejected requests return HTTP 400 and are logged as suspicious to the audit retention queue. The rejected payload body is not persisted in the rejection log; only the fact of the rejection, the requesting session ID, and the schema violation code are retained.
-
Zero retention for fixture-input data. Fixture lookups are stateless: the gateway recomputes the synthetic
dob_days, builds the attestation, signs it, returns it, and forgets it. No fixture-input lookup is recorded against a session. -
Sandbox attestations cannot reach production. Sandbox attestations are signed by a disjoint Ed25519 key used exclusively for the docs sandbox, and production middleware rejects
docs-sbx-*andmwallet-sbx-*prefixes across body, path, query, and authorisation header. A sandbox attestation built around a fixture ID has no path into a production verification. -
No child-targeted features. The docs site contains no games, video content, social features, avatars, profiles, content recommendations, or other features designed to attract or retain a child audience.
4. ICO “Likely to Be Accessed by Children” Assessment
The Code applies if a service is “likely to be accessed by children”. The ICO methodology considers the nature of the service, marketing, content, age signals, and prevalence of child users. Applied to the docs sandbox:
| Factor | Assessment |
|---|---|
| Subject matter | Developer documentation for a privacy-preserving age verification API. Technical and procedural in nature. |
| Marketing | Aimed exclusively at developers, integrators, and procurement audiences. No child-oriented marketing. |
| Content style | Code samples, OpenAPI definitions, integration walkthroughs. No content designed to appeal to children. |
| Features | API explorer, credential mint, styler iframe. No social features, no avatars, no in-page chat. |
| Account model | No personal account creation; sandbox sessions are pseudonymous and session-scoped. |
| Age signals | None collected. The sandbox accepts only fixture IDs. |
| Evidence of child use | None observed. Cloudflare analytics for the docs origin do not surface child-typical engagement signals. |
Conclusion: The docs sandbox is not likely to be accessed by children in the ICO sense. This DPIA is conducted nonetheless because Maelstrom AI publishes Standard-by-Standard compliance treatment for the Children’s Code and Standard 2 expects a documented, reviewable assessment.
5. Five Age-Band Analysis
The Children’s Code defines five age bands. The analysis below reflects the docs sandbox specifically, not the production verification flow (which is covered in the production DPIA).
5.1 Under-5 (Pre-literate)
| Aspect | Assessment |
|---|---|
| Likelihood of accessing the docs sandbox | Negligible. The surface is technical developer documentation; pre-literate children are not the audience. |
| Risk if accessed | Effectively zero. The sandbox issues a session cookie but cannot accept real DOB inputs. No content is consumed in a way that would create harm. |
| Specific risks under the Code | None identified. |
| Controls | Schema rejection of real DOB inputs; no content attractive to under-5s. |
5.2 5-9 (Early literacy)
| Aspect | Assessment |
|---|---|
| Likelihood of accessing the docs sandbox | Very low. Age range may have basic browsing capability but the documentation is technical and uninteresting to this band. |
| Risk if accessed | Very low. Same posture as under-5: cookie issued, no PII collected, fixture-only inputs. |
| Specific risks under the Code | The “high privacy by default” Standard (Standard 7) is satisfied because the only cookie issued is the strictly-necessary session cookie. No tracking, no profiling, no behavioural advertising. |
| Controls | Cookie policy disclosure; strictly-necessary cookie only on first interaction; no profiling. |
5.3 10-12 (Core primary)
| Aspect | Assessment |
|---|---|
| Likelihood of accessing the docs sandbox | Low. A child in this band might encounter the docs site through a school or family context but the technical content is unlikely to retain them. |
| Risk if accessed | Low. The credential mint endpoints are gated behind Cloudflare managed challenge, which enforces a human-interaction signal but not an age signal. A child in this band could in principle click through and receive a sandbox docs-sbx-* issuer ID that has no real-world consequence. |
| Specific risks under the Code | The Code’s heightened protections for under-13s (GDPR Art. 8 consent age in some member states) do not bite because the gateway does not collect personal data from the user beyond the session cookie and the hashed IP. No consent-based processing occurs. |
| Controls | Schema rejection of real DOB; sandbox issuer IDs cannot reach production; per-IP rate limits prevent material credit consumption. |
5.4 13-15 (Transition years)
| Aspect | Assessment |
|---|---|
| Likelihood of accessing the docs sandbox | Low to moderate. Some children in this band have technical interests and may explore developer documentation. |
| Risk if accessed | Low. The session cookie and hashed IP are the only data points retained. No profiling, no recommendation, no nudging towards harmful behaviour. |
| Specific risks under the Code | ”Detrimental use” (Standard 5), “nudge techniques” (Standard 13), and “profiling” (Standard 12) are all not applicable: the sandbox neither tracks nor profiles users, and the in-page API explorer presents technical content without nudges. |
| Controls | No behavioural analytics; no recommendation engine; clear and concise developer privacy notice in plain language. |
5.5 16-17 (Approaching adulthood)
| Aspect | Assessment |
|---|---|
| Likelihood of accessing the docs sandbox | Moderate among technical 16-17 year olds (early-career developers, students). |
| Risk if accessed | Low. Equivalent to the adult developer experience. The sandbox is built around adult-developer assumptions but contains nothing harmful to a 16-17 year old. |
| Specific risks under the Code | No specific risks identified. The Code expects services to recognise that 16-17 year olds approach adulthood and may exercise data subject rights themselves; the developer privacy notice is structured to be readable by this band without parental intermediation. |
| Controls | Plain-language developer privacy notice; clear cookie disclosure; data subject access via privacy@maelstrom.au. |
6. Standard 2 Walkthrough. ICO Requirements
Standard 2 enumerates several specific expectations for a child-focused DPIA. Each is treated below.
6.1 “Address risks specific to children”
The risk treatment of the docs sandbox addresses children specifically by:
- Refusing real DOB inputs at the schema boundary, which removes the principal child-PII vector before any processing can occur.
- Operating a zero-retention SLA on fixture-input data, so even a child experimenting with the credential generator cannot create a data trail.
- Excluding child-attractor features (games, social, avatars, recommendation) from the docs surface entirely.
6.2 “Take into account differing ages, capacities, and developmental needs”
The five-band analysis in Section 5 addresses this requirement directly. The developer privacy notice is written in plain language readable by the 13-15 and 16-17 bands without parental support.
6.3 “Ensure that processing is proportionate to the risks to children”
Processing is minimal. The session cookie is strictly necessary for the developer-requested service; the hashed IP is required for abuse investigation under legitimate interest; no other personal data is retained. There is no processing that exceeds what is required to deliver the developer onboarding service.
6.4 “Consider the rights of the child”
Children retain their full data subject rights even if they access the docs sandbox. The developer privacy notice will discuss rights of access, erasure, and objection, in plain language, with privacy@maelstrom.au as the contact point. Because the only retained data tied to a developer is a hashed IP and a session record, any erasure request can be honoured by KV-sweeping the requesting session and IP-hash bucket.
6.5 “Document the assessment and keep it under review”
This document is published under the Children’s Code section of the ISMS at /trust/standards/childrens-code/dpia-children. It is reviewed annually, on material change to the docs sandbox surface, and on regulatory change. The next scheduled review is April 2027.
6.6 “Consult those affected”
Children are not the intended audience and are not expected to be a material part of the actual audience. As such, formal consultation with child users is not proportionate. The developer privacy notice will invite feedback through privacy@maelstrom.au, and the ICO is the supervisory authority of last resort for any concerns raised about UK child-impact.
7. Risk Treatment Summary (Child-Focused)
| Child-impact risk | Likelihood | Impact | Inherent | Mitigation | Residual |
|---|---|---|---|---|---|
| A child submits a real DOB to the credential generator in error | Possible (3) | Low (2) | 6 | Schema rejection at gateway boundary; rejection logged without payload body; ephemeral processing of the rejected request | Low (2) |
| A child receives a sandbox credential and attempts to use it on a production relying party | Unlikely (2) | Low (2) | 4 | Production middleware rejects docs-sbx-* prefixes; the credential has no real-world entitlement | Low (1) |
| A child’s IP appears in the audit log | Likely (4) | Low (1) | 4 | HMAC-SHA-256 hash at ingest with a gateway-managed PII hash key; 90-day retention ceiling; not joined to identity | Low (2) |
| A child is profiled or nudged by the docs surface | Rare (1) | Medium (3) | 3 | No profiling, no recommendation engine, no behavioural analytics, no advertising. Architectural property, not a policy. | Low (1) |
| A child exercises data subject rights without parental intermediation | Likely (4) | Low (1) | 4 | Developer privacy notice written in plain language; privacy@maelstrom.au accepts requests from any individual | Low (1) |
No risk in this register exceeds Low residual after mitigation.
8. Conclusion
The docs interactive sandbox is not likely to be accessed by children in the ICO sense, but Maelstrom AI publishes a child-focused DPIA under Children’s Code Standard 2 because this is the discipline the Code expects of any organisation operating an internet-facing surface with even tangential potential for child interaction. The sandbox accepts fixture IDs only, rejects any real DOB string, retains zero fixture-input data, and contains no features designed to attract children. Sandbox-scoped credentials cannot reach production. Hashed IP retention sits under the existing 90-day audit ceiling.
Determination: The docs sandbox satisfies Children’s Code Standard 2 expectations. No additional child-specific controls are required at this time.
Reassessment Triggers:
- Material change to the gateway surface (new endpoints, new cookies, new credential prefixes)
- Introduction of any feature that could attract a child audience (avatars, social, games)
- Any incident touching the schema-rejection boundary for DOB inputs
- ICO guidance update affecting the Standard 2 methodology
- Cross-reference to the production Children’s Code Compliance Matrix on its next review cycle
Document Information
| Field | Value |
|---|---|
| Version | 1.0 |
| Owner | ISMS Owner |
| Date | 2026-04-13 |
| Next Review | 2027-04-13 |
| Classification | Public |
| Related Documents | Children’s Code Compliance Matrix, Docs Sandbox DPIA, Production DPIA, Risk Register, Records of Processing Activities |