GDPR Compliance Statement

Maelstrom AI's compliance with EU General Data Protection Regulation (GDPR)

Public

Executive Summary

Maelstrom AI’s zero knowledge architecture is designed to meet GDPR requirements through privacy by design, not just privacy by policy.

Maelstrom AI operates as both a data controller and processor for age verification services. Our zero knowledge cryptographic architecture is designed so that collecting most categories of personal data does not occur, providing strong compliance through technical controls rather than purely procedural ones.

Key Compliance Highlights

  • Article 25 (Privacy by Design): EXEMPLARY - Zero knowledge proofs are designed to prevent collection of most PII
  • Article 5(1)(c) (Data Minimisation): EXEMPLARY - Only IP addresses collected (90 days, hashed)
  • Article 5(1)(e) (Storage Limitation): Strong - Automated deletion (challenges: 5 min, IP logs: 90 days)
  • Article 32 (Security): Strong - technical and organisational measures
  • Article 5(1)(a) (Lawfulness): Compliant - Legal basis: legitimate interests (fraud prevention)

What PII Maelstrom AI Collects

Almost None:

  • IP addresses only (retained 90 days, hashed in logs, used exclusively for anti-abuse)

What PII Maelstrom AI Does NOT Collect

By architectural design, the Provii platform is not designed to collect:

  • Names, email addresses, physical addresses, phone numbers
  • Dates of birth (transmitted once during issuance for Pedersen commitment computation, processed ephemerally and immediately discarded; never stored or retained)
  • Identity documents, government IDs, biometric data
  • Financial information, browsing history, device identifiers

Evidence: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 37-95)


Introduction

Scope

This compliance statement covers Maelstrom AI’s processing activities as:

  1. Data Controller: For operational IP logs collected for fraud prevention
  2. Data Processor: When providing age verification services to clients

Jurisdictions: Global operations with primary focus on EU/EEA under GDPR

Services Covered:

  • Provii Verifier API (age verification)
  • Provii Issuer API (credential issuance)
  • Provii Management API (administrative operations)
  • Provii Wallet Applications (mobile credential storage)

Primary Regulation: Regulation (EU) 2016/679 (General Data Protection Regulation)

Key Articles Addressed:

  • Article 5: Principles of processing
  • Articles 12-14: Transparency and information
  • Article 19: Notification regarding rectification or erasure
  • Article 25: Data protection by design and by default
  • Article 28: Processor requirements
  • Article 30: Records of processing activities
  • Articles 32-35: Security, breach notification, and DPIA
  • Article 37: Data protection officer assessment

Data Processing Overview

Legal Basis (Article 6(1)):

  • (f) Legitimate interests: IP address logging for fraud prevention and service security
  • (b) Contract performance: Challenge creation and proof verification for age verification services

Special Categories: None - Maelstrom AI does not process special category data as defined in Article 9

Automated Decision-Making: None - Age verification is deterministic cryptographic verification, not profiling


Article 5: Principles of Data Processing

Article 5(1)(a): Lawfulness, Fairness, and Transparency

GDPR Requirement: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Maelstrom AI’s Compliance

Lawfulness:

  • Legal basis clearly identified: legitimate interests (Article 6(1)(f)) for IP logging
  • IP address collection necessary and proportionate to fraud prevention purpose
  • No processing of special categories or children’s data requiring consent

Fairness:

  • Zero knowledge architecture = fairness by design
  • Users maintain control over personal data (DOB transmitted once during issuance for commitment computation, then discarded)
  • No hidden data collection or unexpected uses
  • Proofs reveal only binary age threshold (over/under), not actual age

Transparency:

  • Open source codebase (verifiable privacy claims)
  • Public ISMS documentation at maelstrom.au/trust
  • Clear privacy information in wallet applications
  • Published data retention policy

Evidence:

  • /trust/security/information-security-policy.mdx (Lines 97-109) - “Zero knowledge First” principle
  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 146-178) - Radical Transparency

Assessment: ✅ COMPLIANT


Article 5(1)(b): Purpose Limitation

GDPR Requirement: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Maelstrom AI’s Compliance

Specified Purposes:

  1. IP Address Logging: Anti-abuse protection, rate limiting, security incident investigation
  2. Challenge Records: Facilitate age verification transactions (5-minute lifetime)
  3. Credential Nullifiers: Prevent credential replay attacks (one-way hashes, not reversible)

No Secondary Uses:

  • No marketing or advertising
  • No cross-site tracking
  • No user profiling or analytics
  • No third-party data sharing
  • No identity resolution attempts

Unlinkability by Design:

  • Random challenge IDs (UUID v4) per verification
  • No persistent user identifiers across verifications
  • Nullifiers prevent replay without enabling tracking (different per verification context)

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 99-138) - Purpose Limitation evidence
  • /trust/overview/trust-model.mdx - Unlinkability guarantees

Assessment: ✅ COMPLIANT


Article 5(1)(c): Data Minimization

GDPR Requirement: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Maelstrom AI’s Compliance

Minimal Data Collection

Minimal PII Collection:

  • IP addresses only (necessary for abuse prevention)
  • Challenge IDs (random UUIDs, not personal data)
  • Credential nullifiers (one-way hashes, not reversible to DOB)

Designed Not to Collect:

The zero knowledge architecture is designed so that collecting the following does not occur:

DESIGNED NOT TO COLLECT:
├─ Personal Identifiers
│  ❌ Full name, email, phone, address
│  ❌ Social security numbers

├─ Identity Documents
│  ❌ Passport, driver's license, government IDs
│  ❌ Document scans or photos

├─ Biometric Data
│  ❌ Facial recognition, fingerprints, iris scans

├─ Sensitive Attributes
│  ❌ Date of birth (transmitted once during issuance, processed ephemerally, never stored)
│  ❌ Actual age (only threshold revealed)
│  ❌ Birthplace, nationality, race, gender, religion

├─ Financial Data
│  ❌ Credit cards, bank accounts

├─ Behavioral Data
│  ❌ Browsing history, search queries, location

└─ Device Identifiers (No Tracking)
   ❌ Persistent device IDs, advertising IDs
   ❌ Cross-site tracking cookies
   ❌ Browser fingerprints

Technical Implementation:

  1. Ephemeral DOB Processing During Issuance:
  • User enters date of birth in wallet application
  • DOB is transmitted once to the issuer API for Pedersen commitment computation
  • DOB is processed ephemerally and immediately discarded; never stored, logged, or retained
  • Evidence: Issuer API computes Pedersen commitment server-side, DOB discarded after computation
  2. Zero knowledge Proofs:
  • Proofs reveal only “user is over 18” (binary yes/no)
  • By design, the proof is not constructed to reveal actual age or DOB
  • Evidence: Groth16 ZK-SNARK circuit constraints
  3. Unlinkability:
  • Random verification IDs prevent cross-site correlation
  • No persistent user accounts or profiles
  • Evidence: UUID v4 challenge generation
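The nullifier and random-challenge behaviour described in this list and under Purpose Limitation above, as an added Python example that is not the project's code: a per-relying-party keyed hash stands in for the circuit's cred_nullifier, the Groth16 check itself is represented by a boolean the caller supplies, and the origins, keys and cutoff value are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Server-side challenge lifetime stated on this page: 5 minutes.
CHALLENGE_TTL = timedelta(minutes=5)


def rp_hash(origin: str) -> bytes:
    """Relying-party context; hashing the verifier origin is this example's choice."""
    return hashlib.sha256(b"rp-context-v1|" + origin.encode()).digest()


def cred_nullifier(credential_secret: bytes, rp: bytes) -> bytes:
    """Per-context one-way tag (assumed construction, not the project's).

    Same credential at the same relying party gives the same tag, so a second use
    is detectable; a different relying party gives an unrelated tag, so two sites
    cannot join their records. The date of birth is not an input at all.
    """
    return hmac.new(credential_secret, b"nullifier-v1|" + rp, hashlib.sha256).digest()


@dataclass(frozen=True)
class PublicInputs:
    """All the verifier sees beside the proof: the four public outputs named on this page."""
    cutoff_days: int       # age threshold as a day count; the DOB itself never appears
    rp_hash: bytes
    issuer_vk: bytes
    cred_nullifier: bytes


def wallet_public_inputs(secret: bytes, origin: str, issuer_vk: bytes, cutoff_days: int) -> PublicInputs:
    """Wallet side: derive the public inputs for one relying party."""
    rp = rp_hash(origin)
    return PublicInputs(cutoff_days, rp, issuer_vk, cred_nullifier(secret, rp))


class Verifier:
    """Keeps only short-lived challenge state, mirroring the KV TTL pattern."""

    def __init__(self, origin: str, issuer_vk: bytes):
        self.rp = rp_hash(origin)
        self.issuer_vk = issuer_vk
        self._challenges = {}  # challenge_id -> [created_at, consumed]

    def new_challenge(self, now: datetime) -> str:
        cid = secrets.token_hex(16)  # random per verification, never reused as a user id
        self._challenges[cid] = [now, False]
        return cid

    def present(self, cid: str, inputs: PublicInputs, proof_verified: bool, now: datetime) -> str:
        """proof_verified is the outcome of the Groth16 check, performed elsewhere."""
        entry = self._challenges.get(cid)
        if entry is None or now - entry[0] >= CHALLENGE_TTL:
            self._challenges.pop(cid, None)  # expired state is dropped, not retained
            return "rejected: unknown or expired challenge"
        if inputs.rp_hash != self.rp or inputs.issuer_vk != self.issuer_vk:
            return "rejected: proof bound to another context"
        if entry[1]:
            return "rejected: replay"
        if not proof_verified:
            return "rejected: invalid proof"
        entry[1] = True
        return "accepted"


def scenario() -> dict:
    """Run the flow with constructed values and return each outcome."""
    secret = bytes.fromhex("11" * 32)            # constructed wallet secret
    vk = b"sample-issuer-verifying-key"          # constructed placeholder
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    shop_a, shop_b = "https://shop-a.example", "https://shop-b.example"
    a, b = Verifier(shop_a, vk), Verifier(shop_b, vk)
    ia = wallet_public_inputs(secret, shop_a, vk, 6574)  # roughly 18 years in days
    ib = wallet_public_inputs(secret, shop_b, vk, 6574)
    cid = a.new_challenge(now)
    return {
        "unlinkable_across_rps": ia.cred_nullifier != ib.cred_nullifier,
        "first_use": a.present(cid, ia, True, now),
        "replay": a.present(cid, ia, True, now + timedelta(seconds=1)),
        "late": a.present(a.new_challenge(now), ia, True, now + timedelta(minutes=5)),
        "wrong_rp": b.present(b.new_challenge(now), ia, True, now),
        "bad_proof": a.present(a.new_challenge(now), ia, False, now),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```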

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 33-95) - Data minimization implementation
  • /trust/security/information-security-policy.mdx (Lines 102-109) - Zero knowledge first principle

Assessment: ✅ EXEMPLARY COMPLIANCE


Article 5(1)(d): Accuracy

GDPR Requirement: Personal data shall be accurate and, where necessary, kept up to date.

Maelstrom AI’s Compliance

IP Addresses:

  • Collected directly from network layer (CF-Connecting-IP header)
  • Accurate by nature (network-provided)
  • No user-entered data requiring validation

No PII Stored = No Accuracy Concerns:

  • Zero knowledge architecture significantly reduces accuracy requirements for most GDPR purposes
  • User controls their own data in wallet (can update DOB, re-generate credentials)
  • No centralized database requiring rectification procedures

Evidence:

  • /trust/compliance/evidence/security-controls/api-security-evidence.md (Lines 399-410) - IP address extraction

Assessment: ✅ COMPLIANT (limited applicability due to minimal PII)


Article 5(1)(e): Storage Limitation

GDPR Requirement: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Maelstrom AI’s Compliance

Automated Deletion:

| Data Type | Retention Period | Deletion Method | Evidence Location |
| --- | --- | --- | --- |
| IP Addresses | 90 days | Cloudflare Workers Logs shipped to Grafana Loki, 90-day Loki tenant retention | Grafana Cloud managed |
| Challenge State | 5 minutes | KV TTL auto-deletion | provii-verifier/src/routes/challenge.rs (Lines 468-518) |
| Nonce Records | 5 minutes | KV TTL | provii-verifier/src/routes/verify.rs (Lines 108-110) |
| Audit Logs | 90 days; critical security event logs are retained for up to 365 days | KV TTL, cleanup workers | security/data-retention.mdx (Line 26) |

No Long-Term PII Storage:

  • Zero knowledge architecture = no personal data to retain
  • Wallet-based credentials under user control (no server-side storage)
  • User can delete wallet app to erase all local data

Technical Implementation:

  1. Challenge TTL-Based Expiration:

     // Maximum 5-minute lifetime
     const MAX_CHALLENGE_TTL: u64 = 300;  // 5 minutes

     // Cloudflare KV automatic deletion
     state.kv_store.set(&kv_key, cached_value, Some(bucket.as_str()))
         .expiration_ttl(ttl_secs)
         .await?;

  2. Sandbox Cleanup Cron:

     # Daily cleanup at 3 AM UTC
     [triggers]
     crons = ["0 3 * * *"]

     [vars]
     RETENTION_DAYS_SESSIONS = "1"
     RETENTION_DAYS_CHALLENGES = "1"
     RETENTION_DAYS_AUDIT = "7"
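The retention table and TTL snippets above, as an added Python example that is not the project's code: one retention class per data type, the TTL to set at write time, a cleanup sweep, and a control check that flags records a daily cleanup job has missed; record keys and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention classes from the table above. "audit_critical" is the 365-day class
# for critical security events; everything else follows the stated periods.
RETENTION = {
    "ip_log": timedelta(days=90),
    "challenge": timedelta(minutes=5),
    "nonce": timedelta(minutes=5),
    "audit": timedelta(days=90),
    "audit_critical": timedelta(days=365),
}


@dataclass(frozen=True)
class Record:
    kind: str           # a RETENTION key
    key: str            # storage key (constructed sample values below)
    created: datetime   # timezone-aware write time


def kv_ttl_seconds(kind: str) -> int:
    """TTL to set at write time, the expiration_ttl pattern in the snippet above."""
    return int(RETENTION[kind].total_seconds())


def deadline(record: Record) -> datetime:
    """Moment after which the record must no longer exist."""
    if record.kind not in RETENTION:
        # A data type with no retention class is a policy gap; refuse rather than keep it.
        raise ValueError(f"no retention period defined for {record.kind!r}")
    return record.created + RETENTION[record.kind]


def sweep(records, now):
    """Cleanup pass: return (kept, purged) keys, purging anything past its deadline."""
    kept, purged = [], []
    for r in records:
        (purged if now >= deadline(r) else kept).append(r.key)
    return kept, purged


def retention_violations(records, now, lag=timedelta(days=1)):
    """Control check: keys still present more than `lag` past their deadline.
    A daily cleanup job (like the cron above) may lag up to a day, so that much is tolerated."""
    return [r.key for r in records if now >= deadline(r) + lag]


def sample_store():
    """Constructed records and a fixed 'now' for the demo and tests."""
    now = datetime(2025, 1, 1, 3, 0, tzinfo=timezone.utc)
    records = [
        Record("challenge", "challenge:7f3a", now - timedelta(minutes=6)),
        Record("challenge", "challenge:9c1d", now - timedelta(minutes=1)),
        Record("nonce", "nonce:2b44", now - timedelta(minutes=5)),
        Record("ip_log", "iplog:2024-10-01", now - timedelta(days=92)),
        Record("audit", "audit:login", now - timedelta(days=30)),
        Record("audit_critical", "audit:key-rotation", now - timedelta(days=300)),
    ]
    return records, now


if __name__ == "__main__":
    records, now = sample_store()
    kept, purged = sweep(records, now)
    print("kept:", kept)
    print("purged:", purged)
    print("violations (missed by cleanup):", retention_violations(records, now))
```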

Evidence:

  • /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 45-181) - Retention periods and implementation
  • /trust/security/data-retention.mdx (Lines 19-48) - Retention policy

Assessment: ✅ STRONG COMPLIANCE


Article 5(1)(f): Integrity and Confidentiality (Security)

GDPR Requirement: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Maelstrom AI’s Compliance

Technical Measures:

  1. Encryption in Transit:
  • TLS 1.3 for all external communications (TLS 1.2 minimum)
  • HSTS with preload (31,536,000 seconds)
  • Cloudflare Universal SSL with automatic certificate management
  • Evidence: All services implement HSTS headers
  2. Encryption at Rest:
  • Cloudflare KV: Encrypted at rest (Cloudflare managed)
  • Wallet credentials: Device-encrypted storage (iOS Keychain, Android Keystore)
  • Secrets: Cloudflare Workers Secrets (encrypted, access-controlled)
  3. Access Controls:
  • HMAC-SHA256 authentication for API access
  • JWT session tokens for administrative operations
  • API key authentication (Argon2id hashing)
  • Role-based access control (RBAC) with viewer/admin/super_admin roles
  • Evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md (Lines 98-310)
  4. Cryptographic Integrity:
  • Groth16 ZK-SNARKs (128-bit security level)
  • RedJubjub signatures on credentials
  • Pedersen commitments (computationally binding, perfectly hiding)
  • Evidence: /trust/compliance/evidence/cryptography/crypto-implementation-evidence.md
  5. Pseudonymization:
  • IP addresses hashed (SHA-256) in logs
  • Challenge IDs are random UUIDs (no PII linkage)
  • Credential nullifiers (one-way hashes)
  6. Resilience:
  • Cloudflare edge distribution (300+ locations)
  • DDoS protection (Cloudflare managed)
  • Automatic failover via Cloudflare edge distribution
  • 99.9% uptime target
  7. Security Testing:
  • Automated dependency scanning (cargo audit, npm audit)
  • OWASP ASVS 5.0.0 Level 3 compliance (provii-verifier)
  • 25 fuzzing targets for cryptographic code
  • Property-based testing for security properties

Organisational Measures:

  1. Access Management:
  • Quarterly access reviews
  • Principle of least privilege
  • MFA required for administrative access
  • Evidence: /trust/security/access-control.mdx
  2. Security Awareness:
  • Annual security training for all team members
  • Secure coding practices
  • Incident reporting procedures
  • Evidence: /trust/security/security-awareness.mdx
  3. Vendor Management:
  • Cloudflare vendor assessment completed
  • Standard Contractual Clauses (SCCs) in place
  • Evidence: /trust/security/supplier-management.md

Evidence:

  • /trust/compliance/evidence/security-controls/api-security-evidence.md - security controls
  • /trust/security/information-security-policy.mdx - Security principles and objectives

Assessment: ✅ STRONG COMPLIANCE


Article 5(2): Accountability

GDPR Requirement: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability).

Maelstrom AI’s Compliance

Demonstration of Compliance:

  1. Public ISMS:
  • Complete Information Security Management System published
  • All policies and procedures publicly available
  • Evidence-based compliance documentation
  • Location: maelstrom.au/trust
  2. Audit Trails:
  • Audit logging in provii-management
  • Security event logging in provii-verifier
  • 90-day retention for security investigations
  • Evidence: /trust/compliance/evidence/security-controls/api-security-evidence.md (Lines 476-510)
  3. Compliance Documentation:
  • This GDPR compliance statement
  • Privacy architecture evidence
  • Data lifecycle evidence
  • Security controls evidence
  • Unified control matrix mapping all regulatory requirements
  4. Policies and Procedures:
  • Information Security Policy
  • Data Retention & Disposal Policy
  • Incident Response Policy
  • Access Control Policy
  • Cryptography Policy
  • Evidence: /trust/security/ directory
  5. Internal Audits:
  • Annual internal security audits
  • Quarterly access reviews
  • Management review of ISMS effectiveness
  • Evidence: /trust/security/internal-audit.mdx

Evidence:

  • /trust - Complete public ISMS
  • /trust/compliance/requirements/unified-control-matrix.md - Control mapping

Assessment: ✅ STRONG COMPLIANCE


Article 25: Data Protection by Design and by Default

GDPR Requirement: The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Maelstrom AI’s Implementation

Privacy by Design (7 Foundational Principles)

1. Proactive not Reactive; Preventative not Remedial

Requirement: Anticipate and prevent privacy invasive events before they happen.

Maelstrom AI’s Implementation:

  • Architecture prevents PII collection rather than protecting it after collection
  • Zero knowledge proofs mathematically prevent revealing DOB
  • “If we don’t collect it, we can’t lose it”

Quote from Information Security Policy:

“Our architectural principle: If we don’t collect it, we can’t lose it.”

Evidence: Zero knowledge circuit constraints are designed to prevent DOB disclosure

2. Privacy as the Default Setting

Requirement: Ensure that personal data are automatically protected in any given IT system or business practice.

Maelstrom AI’s Implementation:

  • System reveals minimum information by default
  • Proofs reveal only binary age threshold (over/under), not actual age or DOB
  • No opt-in required for privacy - it’s automatic and non-configurable
  • Users cannot accidentally share more data than necessary

Evidence: Groth16 circuit public outputs limited to: cutoff_days (threshold), rp_hash, issuer_vk, cred_nullifier

3. Privacy Embedded into Design

Requirement: Privacy is an essential component of the core functionality being delivered.

Maelstrom AI’s Implementation:

  • Privacy built into cryptographic protocol, not added later
  • Groth16 zero knowledge proofs prevent information leakage by design
  • Pedersen commitments provide perfect hiding
  • RedJubjub signatures bind credentials without revealing contents

Code Evidence:

  • provii-crypto library enforces privacy at protocol level
  • 62,000 circuit constraints implement privacy properties
  • Location: provii-crypto/crypto-circuit-age/

4. Full Functionality: Positive-Sum, not Zero-Sum

Requirement: Accommodate all legitimate interests and objectives in a positive-sum ‘win-win’ manner.

Maelstrom AI’s Implementation:

  • Privacy doesn’t compromise functionality
  • Verifiers get cryptographic proof of age without seeing DOB
  • Users maintain privacy while proving eligibility
  • Win-win: User privacy + Verifier confidence + Regulatory compliance

Evidence: Zero knowledge proofs enable both privacy and verification

5. End-to-End Security: Full Lifecycle Protection

Requirement: Secure lifecycle management of information from start to finish.

Maelstrom AI’s Implementation:

Issuance:

  • DOB transmitted once to issuer API for Pedersen commitment computation, processed ephemerally and immediately discarded
  • Nullifiers prevent issuer from tracking subsequent verifications
  • Commitment protects DOB (perfectly hiding)

Storage:

  • Credentials encrypted in wallet (device-level encryption)
  • Private keys never leave device
  • User controls all credential operations

Verification:

  • Zero knowledge proofs prevent verifier tracking
  • Random challenge IDs (no persistent identifiers)
  • Nullifiers prevent replay without enabling tracking

Deletion:

  • Auto-expiry of server-side records (5 min challenges, 90 day IP logs)
  • User can delete wallet to erase all local data
  • Cryptographic erasure via zeroize crate

Evidence:

  • /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md - Complete lifecycle
  • Zeroize implementation: provii-verifier/src/routes/verify.rs (Line 13)

6. Visibility and Transparency: Keep it Open

Requirement: Assure all stakeholders that business practices and technologies are operating according to stated promises and objectives.

Maelstrom AI’s Implementation:

  • Complete transparency through open source
  • Public ISMS (all policies, procedures, controls)
  • Published architecture documentation
  • Verifiable privacy claims (anyone can audit the code)

Evidence:

  • Open source repositories on GitHub
  • /trust - Public ISMS
  • /trust/security/information-security-policy.mdx (Lines 111-121) - Radical Transparency principle

7. Respect for User Privacy: Keep it User-Centric

Requirement: Keep the interests of the individual uppermost by offering strong privacy defaults, appropriate notice, and empowering user-friendly options.

Maelstrom AI’s Implementation:

  • User controls all credential operations
  • Wallet-based credential storage (user possession)
  • User initiates proof generation (explicit consent)
  • No central database of credentials
  • User can delete wallet to erase all data

Evidence: Wallet SDK architecture puts user in full control

Privacy by Default

GDPR Article 25(2): “…by default, only personal data which are necessary for each specific purpose of the processing are processed.”

Maelstrom AI’s Implementation:

Default State: ZERO PII collection

  • User cannot accidentally share more data
  • System architecturally limited to minimal disclosure
  • Cryptographic enforcement (not policy-based)

No Configuration Required:

  • Privacy is not optional or configurable
  • Users don’t need to “opt-in” to privacy
  • Default is maximum privacy

Progressive Disclosure:

  • Minimal information revealed at each step
  • Issuance: DOB transmitted once for server-side Pedersen commitment computation, then immediately discarded
  • Verification: Only binary threshold result (not age or DOB)

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 258-310) - Privacy by Design implementation

Assessment: ✅ EXEMPLARY COMPLIANCE - This is Maelstrom AI’s primary architectural differentiator


Articles 12-14: Transparency and Information

Article 12: Transparent Information, Communication and Modalities

GDPR Requirement: The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Maelstrom AI’s Compliance

Information Provision:

  1. Privacy Policy: Published on maelstrom.au/trust
  2. Clear Language: Technical documentation written for non-technical audiences
  3. Easily Accessible: Public website, no registration required
  4. In-App Information: Wallet displays privacy information

Key Information Provided:

  • What data is collected (IP addresses only)
  • What data is NOT collected (names, DOB, etc.)
  • How long data is retained (90 days for IP, 5 min for challenges)
  • User rights (access, deletion, objection)

Evidence:

  • /trust/security/data-retention.mdx - Published retention policy
  • /trust/security/information-security-policy.mdx - Public security policy

Assessment: ✅ COMPLIANT


Article 13: Information to Be Provided (Direct Collection)

GDPR Requirement: Where personal data are collected from the data subject, the controller shall provide the data subject with specified information.

Required Information & Maelstrom AI’s Provision

| Requirement (Article 13) | Maelstrom AI’s Provision |
| --- | --- |
| Identity of controller | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii) |
| Contact details | security@maelstrom.au |
| Purposes of processing | Age verification, abuse prevention |
| Legal basis | Legitimate interests (Article 6(1)(f)) |
| Legitimate interests | Fraud prevention, service security |
| Recipients | None (no third-party sharing) |
| Storage period | 90 days (IP logs), 5 minutes (challenges) |
| Right to access | Available (minimal data to access) |
| Right to rectification | N/A (no stored PII to rectify) |
| Right to erasure | Automatic (auto-deletion after retention period) |
| Right to restrict processing | Available (can request IP log deletion) |
| Right to data portability | Limited applicability (IP logs not portable) |
| Right to object | Available (may limit service functionality) |
| Automated decision-making | None |

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 183-216) - Privacy notices
  • /trust/security/information-security-policy.mdx - Published controller information

Assessment: ✅ COMPLIANT


Article 14: Information to Be Provided (Indirect Collection)

GDPR Requirement: Where personal data have not been obtained from the data subject, the controller shall provide the data subject with specified information.

Maelstrom AI’s Compliance

Status: NOT APPLICABLE - Maelstrom AI does not collect personal data indirectly

Rationale:

  • IP addresses collected directly from network request
  • No data obtained from third parties
  • No data scraping or indirect collection
  • No data brokers or external sources

Assessment: ✅ N/A


Article 28: Processor Requirements

GDPR Requirement: Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.

Maelstrom AI as Processor

When Maelstrom AI provides age verification services to clients, Maelstrom AI acts as a data processor on behalf of the client (data controller).

Data Processing Agreements (DPAs)

Current Status: ✅ Addressed

Requirement: Written contract between controller and processor (Article 28(3))

Implementation: Standard and enterprise DPA templates have been drafted (dpa-standard.md and dpa-enterprise.md) and are pending legal review. Templates cover:

  1. Subject matter and duration of processing
  2. Nature and purpose of processing
  3. Type of personal data (minimal: IP addresses, challenge IDs)
  4. Categories of data subjects (age verification users)
  5. Obligations and rights of controller
  6. Processor obligations (see below)

Processor Obligations (Article 28(3))

Maelstrom AI’s Compliance as Processor:

| Obligation | Compliance Status | Evidence |
| --- | --- | --- |
| (a) Process only on instructions | ✅ Implemented | Verifier policies define allowed origins |
| (b) Confidentiality commitments | ✅ Implemented | All team members bound by confidentiality |
| (c) Security measures | ✅ Implemented | ISO 27001 aligned controls |
| (d) Sub-processor management | ✅ Implemented | Cloudflare (documented, SCCs in place) |
| (e) Assist with data subject rights | ✅ Implemented | Minimal data = easy compliance |
| (f) Assist with compliance | ✅ Implemented | This documentation, public ISMS |
| (g) Delete/return data | ✅ Implemented | Automatic deletion, no long-term storage |
| (h) Make information available | ✅ Implemented | Public ISMS, audit trails |

Sub-Processors:

| Sub-Processor | Service | Personal Data Processed | Legal Mechanism |
| --- | --- | --- | --- |
| Cloudflare | Infrastructure (Workers, KV, Analytics) | IP addresses (hashed), challenge IDs | Standard Contractual Clauses |
| GitHub | Code hosting, CI/CD | None (no personal data in repos) | GitHub DPA |

Evidence:

  • /trust/security/supplier-management.md - Cloudflare vendor assessment
  • /trust/compliance/evidence/vendors/third-party-evidence.md - Third-party processing

Gaps:

  • DPA templates need creation (MEDIUM PRIORITY)
  • Sub-processor notification procedures not documented

Assessment: 🔄 PARTIAL COMPLIANCE - Technical compliance strong, contractual documentation gap


Article 30: Records of Processing Activities

GDPR Requirement: Each controller and processor shall maintain a record of processing activities under its responsibility (ROPA).

Current Status

Formal ROPA: ✅ Created

See Records of Processing Activities for the consolidated ROPA covering all processing activities, legal bases, retention periods, and international transfers.

Processing Activity 1: IP Address Logging

| Element | Information |
| --- | --- |
| Name | IP Address Logging for Fraud Prevention |
| Controller | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii) |
| Purposes | Fraud prevention, abuse detection, rate limiting, security incident investigation |
| Categories of data subjects | Age verification service users |
| Categories of personal data | IP addresses |
| Categories of recipients | None (internal use only) |
| Transfers to third countries | Cloudflare edge network (global), Standard Contractual Clauses |
| Time limits for erasure | 90 days (automatic expiry) |
| Security measures | Hashing (SHA-256), encryption at rest, access controls, TLS encryption |

Processing Activity 2: Challenge Creation

| Element | Information |
| --- | --- |
| Name | Age Verification Challenge Creation |
| Controller | Client (Relying Party) |
| Processor | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii) |
| Purposes | Facilitate age verification transactions |
| Categories of data subjects | Age verification users |
| Categories of personal data | Random challenge IDs (UUID v4, not personal data), IP addresses (ancillary) |
| Categories of recipients | User’s wallet application |
| Transfers to third countries | Cloudflare edge network, Standard Contractual Clauses |
| Time limits for erasure | 5 minutes (automatic expiry) |
| Security measures | TLS encryption, HMAC authentication, TTL-based deletion, access controls |

Processing Activity 3: Proof Verification

| Element | Information |
| --- | --- |
| Name | Zero knowledge Proof Verification |
| Controller | Client (Relying Party) |
| Processor | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii) |
| Purposes | Verify age threshold proofs |
| Categories of data subjects | Age verification users |
| Categories of personal data | Credential nullifiers (one-way hashes, not reversible), IP addresses (ancillary) |
| Categories of recipients | Client (verification result only) |
| Transfers to third countries | Cloudflare edge network, Standard Contractual Clauses |
| Time limits for erasure | Immediate (no retention of verification events) |
| Security measures | Cryptographic verification, nullifier checks, TLS encryption, access controls |

Recommendation: Create consolidated ROPA document incorporating above structure

Priority: MEDIUM (required for demonstrating Article 30 compliance)

Evidence:

  • /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md - Processing activities documented
  • /trust/security/data-retention.mdx - Retention periods

Assessment: 🔄 PARTIAL COMPLIANCE - Information exists but not consolidated into formal ROPA


Articles 32-34: Security and Breach Notification

Article 32: Security of Processing

GDPR Requirement: The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Security Measures Implemented

Article 32(1)(a): Pseudonymisation and encryption

Implemented:

  • IP addresses hashed (SHA-256) in logs
  • TLS 1.3 encryption in transit
  • Cloudflare KV encryption at rest
  • Zero knowledge proofs (cryptographic privacy)
  • Credential commitments (Pedersen - perfectly hiding)
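The IP pseudonymisation listed here and under Article 5(1)(f) above, as an added Python example that is not the project's code: the page states SHA-256 hashing, whereas this example uses HMAC-SHA256 under a key derived per 90-day retention window, which is the example's own assumption; the master secret, reference epoch and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# One key per 90-day window, aligned with the stated log retention period.
RETENTION_WINDOW = timedelta(days=90)
WINDOW_EPOCH = datetime(2020, 1, 1, tzinfo=timezone.utc)  # assumed fixed reference point


def window_index(now: datetime) -> int:
    """Which 90-day window `now` falls in, counted from WINDOW_EPOCH."""
    return (now - WINDOW_EPOCH) // RETENTION_WINDOW


def window_key(master_secret: bytes, index: int) -> bytes:
    """Derive the window's key from a long-term secret held outside the log store."""
    return hmac.new(master_secret, b"ip-log-key-v1|%d" % index, hashlib.sha256).digest()


def canonical_ip(ip: str) -> bytes:
    """Packed address. IPv4-mapped IPv6 notation folds back to the IPv4 address, so
    one client cannot appear as two by changing how it writes its address."""
    addr = ipaddress.ip_address(ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def pseudonymize_ip(ip: str, master_secret: bytes, now: datetime) -> str:
    """Keyed hash of the address under the key for the current window."""
    key = window_key(master_secret, window_index(now))
    return hmac.new(key, canonical_ip(ip), hashlib.sha256).hexdigest()


def log_event(event: str, client_ip: str, master_secret: bytes, now: datetime) -> dict:
    """The record shipped to the log store: pseudonym in, raw address left out."""
    return {
        "ts": now.isoformat(),
        "event": event,
        "ip_hash": pseudonymize_ip(client_ip, master_secret, now),
        "key_window": window_index(now),  # tells an investigator which key applies
    }


def at_day(offset_days: int) -> datetime:
    """Timestamp `offset_days` after WINDOW_EPOCH (for the demo and tests)."""
    return WINDOW_EPOCH + timedelta(days=offset_days)


if __name__ == "__main__":
    secret = b"constructed-master-secret-do-not-reuse"
    for ip in ("203.0.113.5", "::ffff:203.0.113.5", "2001:db8::1"):
        print(log_event("challenge.create", ip, secret, at_day(10)))
```

An unkeyed hash of an IPv4 address is a deterministic function over only 2^32 inputs, so whoever holds the logs can recompute it for any address they wish to test; a key held apart from the log store and retired with its window is what makes the stored value a pseudonym. Within a window the pseudonym stays stable, so per-IP rate limiting and abuse investigation still work without the raw address in the logs.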

Article 32(1)(b): Ongoing confidentiality, integrity, availability and resilience

Implemented:

  • Cloudflare edge distribution (300+ locations)
  • DDoS protection (Cloudflare managed)
  • 99.9% uptime target
  • Automatic failover (Cloudflare edge distribution)
  • Rate limiting (multi-layered: per-IP, per-client, global)

Article 32(1)(c): Ability to restore availability and access

Implemented:

  • Business continuity plan
  • Automated backups (KV to R2 storage)
  • Incident response procedures
  • Disaster recovery procedures

Evidence: /trust/security/business-continuity.mdx

Article 32(1)(d): Testing and evaluation

Implemented:

  • Automated security testing (cargo audit, npm audit, Dependabot)
  • OWASP ASVS 5.0.0 Level 3 compliance
  • 25 fuzzing targets for cryptographic code
  • Property-based testing
  • Internal security audits
  • Planned: Annual external penetration testing

Evidence:

  • /trust/compliance/evidence/security-controls/api-security-evidence.md - security evidence
  • provii-verifier/COMPLIANCE_STATUS.md - ASVS 5.0.0 compliance

Assessment: ✅ STRONG COMPLIANCE


Article 33: Notification to Supervisory Authority

GDPR Requirement: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

Maelstrom AI’s Preparedness

Breach Impact Assessment:

  • Likelihood: LOW (minimal PII held)
  • Impact: LOW (IP addresses only, 90-day retention)
  • Risk to Rights and Freedoms: LOW

Breach Notification Procedures:

  1. Detection (Target: < 15 minutes for critical incidents):
  • Automated monitoring (Grafana Loki alerts on Cloudflare Workers Logs)
  • Security event logging
  • Audit log review
  2. Assessment (Target: < 1 hour):
  • Determine if breach involves personal data
  • Assess likelihood of risk to data subjects
  • Classify severity (P0-P3)
  3. Notification (Target: < 72 hours if required):
  • Contact supervisory authority (if breach meets threshold)
  • Provide: nature of breach, categories and number of data subjects, likely consequences, measures taken
  • Document decision (notify or not notify)

Supervisory Authority:

  • Primary: Irish Data Protection Commission (Cloudflare EU presence)
  • Maelstrom AI location: Australia (coordination with Australian Information Commissioner)

Breach Scenarios:

Scenario | Likelihood | Impact | Notification Required?
IP log database leak | LOW | LOW | Likely YES (>72 hours if large scale)
Challenge ID exposure | VERY LOW | VERY LOW | Likely NO (not PII)
Signing key compromise | LOW | HIGH | YES (affects credential integrity)
Cloudflare outage | MEDIUM | NONE | NO (availability only, no data breach)

Evidence:

  • /trust/security/incident-response.mdx - Incident response procedures
  • /trust/security/incident-response.mdx (Lines 46-108) - Severity classification

Assessment: ✅ PREPARED - Low breach risk due to minimal PII, procedures in place


Article 34: Communication to Data Subject

GDPR Requirement: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Maelstrom AI’s Position

High Risk Assessment:

  • IP address breach unlikely to be “high risk” to rights and freedoms
  • IP addresses have limited identifiability
  • No sensitive personal data processed
  • Short retention period (90 days)

Breach Communication Procedures:

If High Risk Threshold Met:

  1. Direct communication to affected data subjects (where identifiable)
  2. Public notice on status page
  3. Clear language describing breach and recommended actions
  4. Contact information for inquiries

If High Risk Threshold NOT Met:

  • No individual notification required
  • Documentation of decision
  • Notification to supervisory authority (if Article 33 threshold met)

Communication Channels:

  • Email (if available - typically not collected)
  • Status page announcement (status.provii.app)
  • In-app notification (wallet applications)
  • Website notice

Evidence:

  • /trust/security/incident-response.mdx (Lines 468-504) - Communication guidelines

Assessment: ✅ PREPARED - Low likelihood due to minimal PII, procedures in place if needed


Article 35: Data Protection Impact Assessment (DPIA)

GDPR Requirement: Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Assessment of DPIA Requirement

Mandatory DPIA Criteria (Article 35(3)):

Criterion | Applicability to Maelstrom AI | Assessment
(a) Systematic and extensive evaluation/profiling with legal effects | No profiling, no legal effects. Age verification is deterministic cryptographic verification | NOT MET
(b) Large-scale processing of special category data (Art 9) or criminal convictions (Art 10) | DOB is not special category data under Art 9; processing is ephemeral and not large-scale currently | NOT MET
(c) Systematic monitoring of publicly accessible area on large scale | No monitoring of public spaces | NOT MET

Additional Risk Factors Considered:

  • Maelstrom AI processes DOB transiently during issuance (personal data, even if ephemeral)
  • Processing indirectly involves children’s data (age verification for under-18s)
  • However: DOB is processed ephemerally and immediately discarded; no profiling; no systematic monitoring of individuals

Conclusion: Mandatory DPIA criteria under Article 35(3) are not met. However, a formal DPIA has been conducted as good practice given the nature of age verification processing and the transient handling of date of birth data.

DPIA Status: Conducted February 2026

Full Assessment: See Data Protection Impact Assessment for the complete DPIA document covering processing description, necessity and proportionality analysis, risk assessment, and mitigation measures.

Evidence:

  • /trust/security/dpia.md - Formal DPIA document

Assessment: ✅ COMPLIANT - DPIA conducted as good practice; risks adequately identified and mitigated


Data Subject Rights (Articles 15-22)

Article 15: Right of Access

GDPR Requirement: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

Maelstrom AI’s Compliance

Easy to Comply: Minimal data held = simplified access requests

Information Provided:

  1. Confirmation of processing (yes/no)
  2. Categories of data: IP addresses only
  3. Purposes: Fraud prevention, abuse detection
  4. Retention period: 90 days
  5. Recipients: None (internal use only)
  6. Rights: Deletion, objection

Response Process:

  1. Receive access request (security@maelstrom.au)
  2. Verify requester identity
  3. Search IP logs for requester’s IP address (if known)
  4. Provide response within 30 days (GDPR requirement: 1 month)

Typical Response:

“We have confirmed that your IP address [redacted] was logged on [dates] for fraud prevention purposes. This data will be automatically deleted after 90 days. We do not process any other personal data about you. You have the right to request deletion or object to this processing.”

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 220-254) - User rights implementation

Assessment: ✅ COMPLIANT - Simplified by minimal data collection


Article 16: Right to Rectification

GDPR Requirement: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.

Maelstrom AI’s Compliance

Status: LARGELY NOT APPLICABLE

Rationale:

  • IP addresses are network-provided (inherently accurate)
  • No user-entered data requiring rectification
  • Zero knowledge architecture = no stored PII to rectify

User-Held Data:

  • Users can update DOB in wallet application
  • Wallet regenerates credentials locally
  • No server-side rectification needed

Assessment: ✅ COMPLIANT (limited applicability)


Article 17: Right to Erasure (“Right to be Forgotten”)

GDPR Requirement: The data subject shall have the right to obtain from the controller the erasure of personal data without undue delay.

Maelstrom AI’s Compliance

Automatic Erasure:

  • IP addresses: Auto-deleted after 90 days
  • Challenge records: Auto-deleted after 5 minutes
  • No long-term PII storage = nothing to delete

Expedited Deletion:

  • Data subjects can request immediate deletion of IP logs
  • Response time: Within 30 days (typically much faster)
  • Process: Hashed IP entries are bulk-purged from Grafana Loki at the 90-day retention boundary; mid-window erasure of an individual hashed-IP entry is not supported by the platform

Wallet Data:

  • User controls all wallet data (locally stored)
  • User can delete wallet app to erase all credentials
  • No server-side credential storage

Exceptions (Article 17(3)):

  • Processing necessary for compliance with legal obligation
  • Processing necessary for establishment, exercise or defence of legal claims
  • (Typically not applicable to IP logs after 90-day retention)

Evidence:

  • /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md (Lines 184-267) - Automated deletion
  • /trust/security/data-retention.mdx (Lines 144-153) - Deletion request procedures

Assessment: ✅ STRONG COMPLIANCE - Automatic deletion exceeds minimum requirements


Article 18: Right to Restriction of Processing

GDPR Requirement: The data subject shall have the right to obtain from the controller restriction of processing.

Maelstrom AI’s Compliance

Limited Applicability:

  • Minimal processing occurs (IP logging only)
  • Short retention period (90 days)
  • No long-term processing to restrict

If Requested:

  • Can mark IP address for “do not log” (may impact service functionality)
  • Alternative: Delete IP logs immediately (Right to Erasure)
  • Document restriction in audit logs

Assessment: ✅ COMPLIANT (limited applicability)


Article 19: Notification Obligation Regarding Rectification or Erasure

GDPR Requirement: The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

Maelstrom AI’s Compliance

Minimal Data Sharing Architecture:

  • Maelstrom AI’s only sub-processor is Cloudflare (infrastructure provider)
  • IP addresses (hashed) and audit logs auto-expire after 90 days via automated TTL mechanisms
  • No personal data disclosed to other recipients beyond Cloudflare

Upon Erasure or Restriction Request:

  • Cloudflare notified per Data Processing Addendum terms if applicable
  • Automated data expiration means most data is already deleted before any request is received
  • No further recipients to notify (no third-party data sharing)

Implementation:

  1. Data subject submits erasure/restriction request to privacy@maelstrom.au
  2. Maelstrom AI processes request, confirms hashed-IP retention status in Grafana Loki, and applies any in-tenant deletion supported by the Loki tenant configuration; entries otherwise expire at the 90-day retention boundary
  3. Cloudflare and Grafana Cloud notified per their respective DPA terms where applicable
  4. Data subject informed of actions taken and any recipients notified

Evidence:

  • /trust/security/supplier-management.md - Cloudflare sub-processor documentation
  • /trust/security/data-retention.mdx - Automated expiration mechanisms

Assessment: ✅ COMPLIANT - Addressed through automated data expiration and minimal sharing architecture


Article 20: Right to Data Portability

GDPR Requirement: The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format.

Maelstrom AI’s Compliance

Limited Applicability:

  • IP addresses not typically considered “portable” data
  • Short-lived operational data (not user-provided)
  • Minimal value in portability

If Requested:

  • Can provide IP logs in JSON format
  • Structured data (timestamp, IP address, endpoint)
  • Machine-readable format

Wallet Data (User-Controlled):

  • Credentials stored in standard JSON format
  • Users can export credentials from wallet
  • No vendor lock-in (cryptographic credentials are portable)

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 237-241) - Portability

Assessment: ✅ COMPLIANT (limited applicability, user-controlled wallet data fully portable)


Article 21: Right to Object

GDPR Requirement: The data subject shall have the right to object to processing of personal data.

Maelstrom AI’s Compliance

Right to Object to IP Logging:

  • Data subjects can object to IP address logging
  • Legal basis: Legitimate interests (Article 6(1)(f))
  • Balancing test: Security interest vs. privacy impact

Consequences of Objection:

  • IP logging may be disabled for specific user (if identifiable)
  • Service functionality may be limited (rate limiting, abuse prevention)
  • Alternative: Use VPN or Tor to prevent IP logging (supported by architecture)

No Objection Needed for:

  • Zero knowledge proof verification (no personal data processing)
  • Credential issuance (DOB processed ephemerally for server-side Pedersen commitment, immediately discarded)

Evidence:

  • Legal basis for IP logging: Legitimate interests (fraud prevention)
  • Minimal and proportionate processing

Assessment: ✅ COMPLIANT - Right to object available, consequences clearly communicated


Article 22: Automated Decision-Making

GDPR Requirement: The data subject shall have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects them.

Maelstrom AI’s Compliance

Status: NOT APPLICABLE

Rationale:

  • Age verification is deterministic cryptographic verification (mathematical, not decision-making)
  • No profiling or behavioural analysis
  • No legal effects (access control only, not legal judgments)
  • No significant effects (similar to checking ID at a door)

What IS Automated:

  • Cryptographic proof verification (mathematical validity check)
  • Challenge generation (random, not personalized)
  • Replay detection (security, not profiling)

What IS NOT Automated Decision-Making:

  • No credit decisions
  • No employment decisions
  • No legal judgments
  • No profiling
  • No predictive analytics

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 456-481) - Automated decision-making analysis

Assessment: ✅ N/A - Article 22 not applicable to Maelstrom AI’s processing activities


Cross-Border Data Transfers (Chapter V)

Transfer Mechanisms

Cloudflare Edge Network

Scope: Global distribution (300+ locations worldwide)

Personal Data Transferred:

  • IP addresses (hashed)
  • Challenge IDs (not personal data)
  • Credential nullifiers (one-way hashes)

Legal Mechanism: Standard Contractual Clauses (SCCs)

  • Cloudflare provides SCCs compliant with Schrems II
  • Adequate level of protection ensured
  • Supplementary measures: Encryption, pseudonymization

Adequacy Decisions:

  • Some Cloudflare regions in “adequate” jurisdictions (EU/EEA, UK)
  • Others covered by SCCs

Impact: LOW - Minimal personal data, short retention, strong encryption

Australian Privacy Act Compliance

Cross-Border Disclosure (APP 8):

  • Not applicable: No personal information disclosed to overseas recipients
  • Zero knowledge architecture = no PII transferred

Evidence:

  • /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md (Lines 420-452) - Cross-border transfers
  • /trust/security/supplier-management.md - Cloudflare vendor assessment

Assessment: ✅ COMPLIANT - SCCs in place, minimal data transfer, adequacy for some regions


Compliance Summary

Control Matrix

Article | Requirement | Status | Key Evidence | Priority Gaps
5(1)(a) | Lawfulness, Fairness, Transparency | ✅ COMPLIANT | Zero knowledge architecture, public ISMS | None
5(1)(b) | Purpose Limitation | ✅ COMPLIANT | Documented purposes, unlinkability | None
5(1)(c) | Data Minimization | ✅ EXEMPLARY | Zero-PII architecture | None
5(1)(d) | Accuracy | ✅ COMPLIANT | Network-provided IP addresses | None
5(1)(e) | Storage Limitation | ✅ STRONG | 90-day IP logs, 5-min challenges | None
5(1)(f) | Integrity & Confidentiality | ✅ STRONG | Security controls | None
5(2) | Accountability | ✅ STRONG | Public ISMS, audit trails | None
12-14 | Transparency | ✅ COMPLIANT | Public documentation | None
15 | Right of Access | ✅ COMPLIANT | Minimal data = easy compliance | None
16 | Right to Rectification | ✅ N/A | No stored PII to rectify | None
17 | Right to Erasure | ✅ STRONG | Automatic deletion | None
18 | Right to Restriction | ✅ COMPLIANT | Limited applicability | None
19 | Notification (Rectification/Erasure) | ✅ COMPLIANT | Automated expiration, minimal sharing | None
20 | Right to Portability | ✅ COMPLIANT | User-controlled wallet data | None
21 | Right to Object | ✅ COMPLIANT | Objection mechanism available | None
22 | Automated Decision-Making | ✅ N/A | Not applicable | None
25 | Privacy by Design & Default | ✅ EXEMPLARY | Zero knowledge architecture | None
28 | Processor Requirements | 🔄 PARTIAL | Technical compliance strong | DPA templates
30 | Records of Processing (ROPA) | 🔄 PARTIAL | Data documented | Formal ROPA
32 | Security of Processing | ✅ STRONG | ISO 27001 aligned controls | None
33 | Breach Notification (Authority) | ✅ PREPARED | Procedures documented | None
34 | Breach Notification (Subjects) | ✅ PREPARED | Procedures documented | None
35 | Data Protection Impact Assessment | ✅ COMPLIANT | DPIA conducted Feb 2026 | None
37 | Data Protection Officer | ✅ COMPLIANT | DPO not required; privacy contact designated | None
44-50 | Cross-Border Transfers | ✅ COMPLIANT | SCCs with Cloudflare | None

Overall Compliance Status

Rating: ✅ STRONG COMPLIANCE with 2 Medium Priority Gaps

Strengths:

  1. Privacy by Design (Article 25): EXEMPLARY - Zero knowledge architecture provides superior privacy
  2. Data Minimization (Article 5(1)(c)): EXEMPLARY - Architecturally designed to prevent collection of unnecessary PII
  3. Storage Limitation (Article 5(1)(e)): Strong automated deletion
  4. Security (Article 32): technical and organisational measures
  5. Transparency (Articles 12-14): Public ISMS, open source code

Gaps:

  1. Medium Priority: DPA templates for enterprise clients (Article 28)
  2. Medium Priority: Formal ROPA document (Article 30)

Gaps and Remediation

Critical Gaps

None identified

High Priority Gaps

None identified

Medium Priority Gaps

1. Data Processing Agreements (DPAs) - Article 28

Gap: No standard DPA templates for enterprise clients

Impact: MEDIUM - Required for B2B clients, not blocking for current operations

Remediation:

  1. Create standard DPA template including:
  • Subject matter and duration
  • Nature and purpose of processing
  • Type of personal data (IP addresses, challenge IDs)
  • Obligations and rights
  • Standard Contractual Clauses (for international transfers)
  2. Legal review of DPA template
  3. Make available to enterprise clients

Timeline: Q1 2026
Effort: Low-Medium (legal template creation)
Owner: Legal/Compliance

2. Formal Records of Processing Activities (ROPA) - Article 30

Gap: Processing activities documented across ISMS but not consolidated into formal ROPA

Impact: MEDIUM - Required for demonstrating Article 30 compliance

Remediation:

  1. Create ROPA document based on structure in this statement
  2. Include all processing activities:
  • IP address logging
  • Challenge creation
  • Proof verification
  • Credential issuance (as processor)
  3. Review and update annually
  4. Make available for supervisory authority inspection

Timeline: Q1 2026
Effort: Low (consolidation of existing documentation)
Owner: Privacy Officer

Low Priority Gaps

3. Enhanced Data Subject Rights Portal

Gap: Manual process for data subject requests

Impact: LOW - Current manual process adequate for low request volume

Enhancement:

  1. Automated data subject request portal
  2. Self-service access requests
  3. Automated erasure requests
  4. Response tracking

Timeline: Q3 2026 (not urgent)
Effort: Medium
Owner: Engineering Team


Privacy Architecture: Compliance Implications

Traditional Age Verification vs. Provii

Traditional Systems:

❌ Collect: Full name, DOB, ID document, address, photo
❌ Store: PII in central database
❌ Risk: Data breach exposes all user PII
❌ Compliance: Heavy GDPR obligations (data subject rights, breach notification, etc.)
❌ Trust: Must trust verifier with sensitive data

Provii’s Zero Knowledge Approach:

✅ Collect: Nothing (IP addresses only for abuse prevention)
✅ Store: No PII (prevented by design)
✅ Risk: Breach reveals no PII (none to breach)
✅ Compliance: Minimal obligations (no PII processing)
✅ Trust: Cryptographic enforcement, not policy promise

Business Value of Privacy Architecture

  1. Reduced Compliance Burden:
  • No data subject access requests (no data to access)
  • No complex breach notification (no PII to breach)
  • No data retention schedules for PII (none collected)
  • Simplified DPIA requirements
  2. Lower Risk Profile:
  • No honeypot of PII for attackers
  • Reduced exposure to regulatory fines for PII mishandling
  • Reduced reputational exposure from PII leaks
  3. User Trust:
  • Mathematical proof of privacy (not policy)
  • No “trust us” required
  • Open source verification
  • Verifiable privacy claims
  4. Architectural Differentiation:
  • Zero knowledge approach to age verification
  • Privacy-first in age verification market
  • Regulatory advantage (privacy by design)
  • Architecture designed to align with evolving privacy regulations
  5. Global Scalability:
  • No cross-border transfer concerns (no PII)
  • Minimal legal complexity for international expansion
  • No data localization requirements
  • Single architecture for all jurisdictions

Conclusion

Maelstrom AI’s zero knowledge architecture is designed to meet GDPR requirements through architectural controls rather than purely procedural ones, and in many areas exceeds the minimum obligations.

Key Compliance Achievements

  1. Privacy by Design (Article 25): Core architectural principle, not afterthought
  2. Data Minimization (Article 5(1)(c)): Cryptographically enforced, not policy-based
  3. Storage Limitation (Article 5(1)(e)): Automatic deletion, no manual intervention
  4. Security (Article 32): Defence-in-depth with ISO 27001 aligned controls
  5. Transparency (Articles 12-14): Public ISMS, open source code, verifiable claims
  6. DPIA (Article 35): Proactive assessment conducted despite not meeting mandatory threshold
  7. DPO Assessment (Article 37): Documented assessment with annual reassessment commitment

Compliance Philosophy

“Can’t be evil” vs. “Won’t be evil”:

  • Traditional systems promise “we won’t misuse your data” (policy-based)
  • Maelstrom AI’s architecture is designed so “we can’t collect your data” (architecture-based)
  • Cryptographic enforcement > procedural controls

Next Steps

Q1 2026:

  1. Create DPA templates for enterprise clients
  2. Consolidate ROPA document
  3. Legal review of compliance documentation

Q2 2026:

  4. Enhanced data subject rights portal (optional)
  5. Annual GDPR compliance review
  6. Update this statement based on regulatory changes


Article 37: Data Protection Officer Assessment

GDPR Requirement: The controller and the processor shall designate a data protection officer where: (a) processing is carried out by a public authority or body; (b) core activities require regular and systematic monitoring of data subjects on a large scale; or (c) core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Assessment for Maelstrom AI

Criterion | Applicability | Rationale
(a) Public authority or body | N/A | Maelstrom AI is a private enterprise (Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust)
(b) Core activities require large-scale regular/systematic monitoring | NOT MET | Core activity is age verification infrastructure provision, not monitoring of individuals. No tracking, profiling, or behavioural observation is performed.
(c) Core activities involve large-scale processing of special category data | NOT MET | DOB is not special category data under Article 9. Processing is ephemeral and not at “large scale” currently. No health, biometric, genetic, political, religious, or criminal data is processed.

Conclusion

Formal DPO appointment is not currently required under Article 37. None of the three mandatory designation criteria are met.

Privacy Contact Designated: privacy@maelstrom.au

A designated privacy contact handles all data protection enquiries, data subject requests, and supervisory authority correspondence. This arrangement is proportionate to Maelstrom AI’s current processing scale and minimal personal data footprint.

Reassessment Trigger: This assessment will be revisited if:

  • Processing scale increases significantly (e.g., millions of daily active users)
  • Processing activities change to include systematic monitoring or special category data
  • Regulatory guidance changes the interpretation of DPO designation thresholds

Next Review: Annually (during annual management review or as part of annual GDPR compliance review)

Evidence:

  • /trust/security/management-review.md - Management review process

Assessment: ✅ COMPLIANT - DPO not required; privacy contact designated; annual reassessment scheduled


Contact Information

Privacy Contact: privacy@maelstrom.au
Controller: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)
Supervisory Authority: Irish Data Protection Commission (Cloudflare EU presence)


Document Information

Field | Value
Version | 1.2
Effective Date | 2026-02-13
Last Updated | 2026-02-13
Owner | Privacy Officer
Approved By | ISMS Owner
Review Frequency | Annually
Next Review | Q2 2027
Classification | Public
Document Location | /trust/compliance/standards/gdpr/gdpr-compliance-statement.md

Acknowledgment: This GDPR compliance statement demonstrates Maelstrom AI’s commitment to privacy-by-design and regulatory compliance. Our zero knowledge architecture is designed to provide strong data protection through technical controls, supporting our goal of privacy-first age verification.