ISO 27701 Annex B: PII Processor Controls

PII processor control mapping for Maelstrom AI's age verification platform under ISO 27701:2019

Public

Compliance Mapping for Provii Age Verification Platform

Overview

ISO 27701:2019 Annex B defines 19 controls applicable to organisations acting as PII processors. This document maps each Annex B control to Maelstrom AI’s implementation as a processor of age verification requests on behalf of relying parties (verifiers).

Maelstrom AI’s Dual Role

Maelstrom AI occupies two distinct roles under ISO 27701:

PII Controller (covered in ISO 27701 Annex A):

  • IP addresses collected for abuse prevention (SHA-256 hashed, retained 90 days)
  • Audit logs of verification events (challenge creation, proof verification, retained 90 days)
  • Maelstrom AI determines the purposes and means of processing for these data categories

PII Processor (covered in this document):

  • When a relying party (verifier) integrates Provii’s age verification API, the verifier is the PII controller for the verification interaction
  • Maelstrom AI acts as the processor, executing verification requests according to the verifier’s instructions
  • The verifier determines when to invoke verification and what age threshold to require; Maelstrom AI processes the request accordingly
  • Processing is strictly limited to executing the cryptographic verification and returning a binary result

Data Processed in Processor Role

When acting as a processor, Maelstrom AI handles the following data on behalf of the controller (verifier):

Data Element | Nature | Retention | Purpose
Verification challenge | Ephemeral cryptographic nonce | 5 minutes (300s TTL) | One-time challenge for ZKP verification
Zero knowledge proof | Groth16 proof on BLS12-381 | Not stored after verification | Proof of age eligibility
Verification result | Binary pass/fail | Returned to controller, not persisted by Maelstrom AI | Age threshold determination
IP address (hashed) | SHA-256 hashing | 90 days | Rate limiting and abuse prevention
Audit log entry | Timestamped event record | 90 days; critical security event logs are retained for up to 365 days | Operational integrity and dispute resolution

Critically, no date of birth is transmitted during verification. The ZKP proves “user >= age threshold” without revealing the underlying DOB.

Processor Relationship

Controller: The relying party (verifier) who integrates Provii’s verification API
Processor: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)
Sub-processor: Cloudflare, Inc. (infrastructure, CDN, Workers runtime, KV storage)

The processing relationship is governed by Maelstrom AI’s standard Data Processing Agreement.


Annex B Control Mapping

B.8.1 General

B.8.1.1 Documented Agreement with PII Controller

ISO 27701 Requirement: The processor shall have a documented agreement with each PII controller, specifying the nature and purpose of processing, the types of PII processed, and the obligations of both parties.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI provides a standard Data Processing Agreement (DPA) to all relying parties who integrate the verification API. The DPA template is maintained at /legal/dpa-standard and covers:

  • Subject matter and duration of processing (age verification for the life of the service agreement)
  • Nature and purpose of processing (cryptographic age threshold verification)
  • Types of personal data processed (IP addresses, verification challenges, audit entries; no DOB during verification)
  • Categories of data subjects (end users of the verifier’s service)
  • Obligations and rights of the controller
  • Maelstrom AI’s obligations as processor (security measures, sub-processor management, breach notification, data deletion)
  • International transfer safeguards (Standard Contractual Clauses with Cloudflare)

The DPA also documents the technical and organisational measures Maelstrom AI implements to protect data during processing, including ephemeral data handling, cryptographic controls, and the 90-day maximum retention period.

Evidence:

  • Standard DPA template: /legal/dpa-standard
  • Supplier management documentation: supplier-management.md
  • ISO 27701 compliance statement: ISO 27701 Compliance

Assessment: ✅ Implemented


B.8.2 Conditions for Collection and Processing

B.8.2.1 Customer Agreement

ISO 27701 Requirement: The processor shall ensure that it processes PII only on documented instructions from the controller, unless required by law.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI processes verification requests strictly according to the controller’s instructions as embodied in:

  1. API integration parameters: The verifier (controller) specifies the age threshold, callback URL, and verification context when initiating a request. Maelstrom AI executes exactly the requested verification and nothing more.
  2. DPA terms: The standard DPA documents the permitted processing purposes and prohibits Maelstrom AI from processing PII for any purpose other than fulfilling the verification request.
  3. Technical enforcement: The provii-verifier is architecturally constrained to accept a verification challenge, validate a ZKP against the specified threshold, and return a binary result. There is no capability to perform additional processing beyond what the API contract permits.

If a law enforcement request requires disclosure, Maelstrom AI will notify the controller (verifier) unless legally prohibited from doing so, per the DPA.

Evidence:

  • Verifier API source code (provii-verifier repository)
  • Standard DPA, Section 3 (Processing Instructions)
  • API documentation defining permitted request parameters

Assessment: ✅ Implemented


B.8.2.2 Organisation’s Purposes

ISO 27701 Requirement: The processor shall not process PII for its own purposes beyond what is necessary for the processing on behalf of the controller, unless the controller has given prior agreement.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI does not use any data received during processor-role verification for its own commercial purposes. The only processing beyond the immediate verification request is:

  1. IP address hashing: SHA-256 hashing for rate limiting and abuse prevention. This is documented in the DPA as a legitimate security measure and is a standard contractual term agreed to by all controllers.
  2. Audit logging: Timestamped event records (challenge created, proof verified, result returned) retained for 90 days for operational integrity. This is documented and agreed in the DPA.

Both activities are necessary for the secure and reliable operation of the processing service and are explicitly documented in the DPA. No data is used for analytics, product development, model training, or any purpose not disclosed to the controller.

Evidence:

  • Standard DPA, Section 2 (Processing Details)
  • Rate limiting implementation in provii-verifier and shared-rate-limit
  • Data retention policy: data-retention.mdx

Assessment: ✅ Implemented


B.8.2.3 Marketing and Advertising Use

ISO 27701 Requirement: The processor shall not use PII processed under the agreement for marketing or advertising without the express consent of the PII controller.

Applicability: Applicable (no marketing or advertising use occurs in practice)

Maelstrom AI Implementation:

Maelstrom AI does not use any PII for marketing or advertising purposes. This prohibition is reflected in both the DPA and the system architecture:

  • No marketing databases exist
  • No email campaigns are sent using processor data
  • No advertising profiles are created
  • No data is shared with advertising networks
  • No cookies are set (the platform uses localStorage for theme preference only)
  • The DPA explicitly prohibits marketing use of processed data

This prohibition is structural rather than merely policy-based: the system architecture does not include any marketing infrastructure, CRM, or advertising integration.

Evidence:

  • Standard DPA, Section 4 (Use Restrictions)
  • Absence of marketing infrastructure in all service repositories
  • No cookie deployment (verified across all Workers)

Assessment: ✅ Implemented


B.8.2.4 Infringing Instruction

ISO 27701 Requirement: The processor shall inform the controller if, in its opinion, a processing instruction from the controller infringes applicable data protection legislation.

Applicability: Applicable

Maelstrom AI Implementation:

The standard DPA includes a clause requiring Maelstrom AI to notify the controller if a processing instruction is believed to infringe applicable data protection law. In practice, the technical architecture constrains the scope of possible instructions:

  1. Fixed API contract: Controllers cannot issue arbitrary processing instructions. The API accepts a verification request with defined parameters (age threshold, challenge token) and returns a binary result. There is no mechanism for a controller to instruct Maelstrom AI to perform processing that would fall outside lawful boundaries.
  2. Threshold validation: The provii-verifier validates that requested age thresholds are within configured bounds, preventing controllers from requesting verification of ages that would be unreasonable or potentially unlawful.
  3. Escalation path: If a controller’s integration pattern or request volume suggests potentially unlawful processing (e.g., using verification data for profiling), the DPA requires Maelstrom AI to raise the concern with the controller in writing.
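The fixed API contract and threshold validation described above, as an added example (not the provii-verifier’s own code). Field names, the 32-hex-character challenge format and the configured bounds (13 to 25) are assumptions for illustration; the point is that unknown fields are rejected rather than ignored, so a controller cannot hand the processor data outside the agreed scope.

```python
"""Fixed-contract request validation for an age-verification API.

Added example, not the provii-verifier's own code. It models the
constraint in B.8.2.4: the API accepts only a defined set of parameters
(age threshold, challenge token, callback URL), the threshold must lie
within configured bounds, and nothing else can be requested.
"""
from dataclasses import dataclass
import re
from urllib.parse import urlparse

# Assumed deployment configuration (hypothetical values, not the project's).
MIN_AGE_THRESHOLD = 13
MAX_AGE_THRESHOLD = 25
ALLOWED_FIELDS = {"age_threshold", "challenge", "callback_url"}
# Challenge tokens are opaque nonces; this example assumes 32 hex characters.
CHALLENGE_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class VerificationRequest:
    age_threshold: int
    challenge: str
    callback_url: str


class InvalidRequest(ValueError):
    """Raised when a request falls outside the API contract."""


def validate_request(payload: dict) -> VerificationRequest:
    """Accept only requests that match the fixed API contract.

    Unknown fields are rejected rather than silently dropped, so a controller
    cannot include extra data (e.g. a DOB or identity attribute) for processing.
    """
    if not isinstance(payload, dict):
        raise InvalidRequest("payload must be a JSON object")
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise InvalidRequest(f"unexpected fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(payload)
    if missing:
        raise InvalidRequest(f"missing fields: {sorted(missing)}")

    threshold = payload["age_threshold"]
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(threshold, bool) or not isinstance(threshold, int):
        raise InvalidRequest("age_threshold must be an integer")
    if not MIN_AGE_THRESHOLD <= threshold <= MAX_AGE_THRESHOLD:
        raise InvalidRequest(
            f"age_threshold {threshold} outside configured bounds "
            f"[{MIN_AGE_THRESHOLD}, {MAX_AGE_THRESHOLD}]")

    challenge = payload["challenge"]
    if not isinstance(challenge, str) or not CHALLENGE_RE.match(challenge):
        raise InvalidRequest("challenge must be a 32-hex-character nonce")

    callback = payload["callback_url"]
    parsed = urlparse(callback) if isinstance(callback, str) else None
    # Results go back to the controller only over HTTPS (see B.8.4.3).
    if parsed is None or parsed.scheme != "https" or not parsed.netloc:
        raise InvalidRequest("callback_url must be an absolute https URL")

    return VerificationRequest(threshold, challenge, callback)


def is_valid(payload: dict) -> bool:
    """Convenience wrapper: True if the payload passes the contract."""
    try:
        validate_request(payload)
        return True
    except InvalidRequest:
        return False


if __name__ == "__main__":
    # Constructed sample request; relying-party.example is a placeholder host.
    ok = {"age_threshold": 18, "challenge": "a" * 32,
          "callback_url": "https://relying-party.example/verify"}
    print(validate_request(ok))
    # An out-of-bounds threshold and an extra "dob" field are both rejected.
    print(is_valid({**ok, "age_threshold": 99}))
    print(is_valid({**ok, "dob": "2001-01-01"}))
```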

Evidence:

  • Standard DPA, Section 3.4 (Infringing Instructions)
  • Verifier API input validation logic
  • Incident response procedures: incident-response.mdx

Assessment: ✅ Implemented


B.8.2.5 Customer Obligations

ISO 27701 Requirement: The processor shall provide the controller with appropriate information to enable the controller to demonstrate compliance with its obligations under applicable data protection legislation.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI assists controllers in meeting their compliance obligations through:

  1. Transparency documentation: This ISMS documentation is publicly accessible, providing controllers with detailed evidence of Maelstrom AI’s security and privacy controls.
  2. DPA provisions: The standard DPA details all processing activities, retention periods, sub-processors, and international transfers, enabling controllers to include Maelstrom AI in their Records of Processing Activities (ROPA).
  3. Audit rights: The DPA grants controllers the right to audit Maelstrom AI’s processing activities (subject to reasonable notice and confidentiality obligations).
  4. Technical documentation: API documentation, privacy architecture evidence, and data flow documentation are available to controllers for their own compliance assessments.
  5. Sub-processor transparency: The sole sub-processor (Cloudflare) is disclosed, with details of the safeguards in place.
  6. Incident notification: The DPA commits Maelstrom AI to notifying controllers of data breaches within 72 hours, enabling controllers to meet their own notification obligations.

Evidence:

  • Standard DPA, Section 7 (Controller Assistance)
  • ISMS documentation suite (publicly available)
  • Privacy architecture evidence: privacy-architecture-evidence.md
  • Data lifecycle evidence: data-lifecycle-evidence.md

Assessment: ✅ Implemented


B.8.2.6 Records Related to Processing PII

ISO 27701 Requirement: The processor shall maintain records of processing activities carried out on behalf of each controller, including the categories of processing, international transfers, and technical and organisational measures.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI maintains processing records through multiple mechanisms:

  1. Audit logs: All verification events are logged with timestamps, controller identification (API key association), and processing outcomes. Logs are retained for 90 days in Cloudflare KV.
  2. DPA register: Each controller relationship is documented through a signed DPA, recording the categories of data processed, the purpose, and the agreed terms.
  3. Processing inventory: The ISMS data lifecycle documentation describes all categories of processing carried out on behalf of controllers.
  4. International transfer records: Cloudflare’s infrastructure locations and the applicable Standard Contractual Clauses are documented in the supplier management records.
  5. Technical measures documentation: Security controls are documented in the ISMS, including cryptographic specifications, access controls, and infrastructure security.

Evidence:

  • Audit logging implementation in provii-verifier
  • Data lifecycle evidence: data-lifecycle-evidence.md
  • Supplier management: supplier-management.md
  • Unified control matrix: unified-control-matrix.md

Assessment: ✅ Implemented


B.8.3 Obligations to PII Principals

B.8.3.1 Obligations to PII Principals

ISO 27701 Requirement: The processor shall provide the controller with the means to fulfil its obligations to PII principals (data subjects), including facilitating the exercise of data subject rights (access, rectification, erasure, portability, objection).

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI’s zero-knowledge architecture substantially simplifies data subject rights obligations:

  1. Right of access: During verification, no DOB or identity data is transmitted or stored. The only data attributable to a specific verification is the hashed IP address (which is pseudonymised via one-way SHA-256 hashing, making re-identification impractical). If a controller receives an access request that relates to Maelstrom AI’s processing, Maelstrom AI can confirm that no identifiable PII is held.

  2. Right to rectification: Not applicable in practice. Verification results are binary (pass/fail) and ephemeral. There is no stored personal data to rectify.

  3. Right to erasure: Audit logs (including hashed IP addresses) are automatically purged after 90 days. Verification challenges expire after 5 minutes. If a controller requests early deletion on behalf of a data subject, the pseudonymised nature of stored data (hashed IPs) means specific records cannot be isolated for deletion. However, the automatic purge is designed to ensure no data persists beyond the retention period.

  4. Right to data portability: No identifiable personal data is stored, so there is nothing to port.

  5. Right to object: Processing is strictly transactional (one verification request, one response). There is no ongoing processing to object to. If a data subject does not wish to undergo verification, they simply do not initiate the process.

The DPA documents these limitations and the technical reasons for them, enabling controllers to respond accurately to data subject requests.

Evidence:

  • Standard DPA, Section 6 (Data Subject Rights Assistance)
  • Data retention policy: data-retention.mdx
  • Privacy architecture evidence: privacy-architecture-evidence.md

Assessment: ✅ Implemented


B.8.4 Privacy by Design and Privacy by Default

B.8.4.1 Temporary Files

ISO 27701 Requirement: The processor shall ensure that temporary files and documents created during PII processing are disposed of within a specified, documented period.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI’s processing architecture is designed around ephemeral data handling with strict time-bounded disposal:

  1. Verification challenges: Stored in Cloudflare KV with a TTL of 300 seconds (5 minutes). After expiry, the KV entry is automatically purged by Cloudflare’s infrastructure. No manual deletion is required.
  2. ZKP proof data: Processed entirely in memory within the Cloudflare Worker execution context. Proofs are not written to any persistent storage. When the Worker invocation completes, the memory is released.
  3. Intermediate computation state: All cryptographic computations (pairing checks, field arithmetic) occur in Worker memory and are not persisted. Rust’s ownership model and the Workers runtime ensure memory is freed upon function return.
  4. HTTP request/response bodies: Handled in-memory by the Workers runtime. No temporary files are written to disc.

The Cloudflare Workers runtime does not provide filesystem access, which means temporary files in the traditional sense cannot be created. All processing occurs in memory with automatic disposal on completion.

Evidence:

  • Cloudflare KV TTL configuration in provii-verifier
  • Workers runtime architecture (no filesystem access)
  • Data lifecycle evidence: data-lifecycle-evidence.md

Assessment: ✅ Implemented


B.8.4.2 Return, Transfer or Disposal of PII

ISO 27701 Requirement: The processor shall provide the ability to return, transfer, or dispose of PII in a secure manner and within an agreed timeframe, and shall ensure that any copies are destroyed.

Applicability: Applicable

Maelstrom AI Implementation:

  1. Automatic disposal: Data with PII characteristics is automatically purged via Cloudflare KV TTLs (audit logs including hashed IP addresses after 90 days). No manual intervention is required.
  2. Verification data: Challenges expire at 5 minutes. Proof data is never persisted. Verification results are returned to the controller and not retained by Maelstrom AI.
  3. On contract termination: The DPA specifies that upon termination, Maelstrom AI will:
     • Cease processing immediately
     • Confirm that no identifiable PII is retained (hashed IPs cannot be reversed)
     • Provide written confirmation of data disposal
     • Allow the 90-day automatic purge to complete for any remaining audit logs
  4. No data return obligation: Since Maelstrom AI does not store identifiable PII (DOB is never stored; IPs are irreversibly hashed), there is no meaningful data to return to the controller. This is documented in the DPA.
  5. Sub-processor disposal: Cloudflare KV entries are purged according to TTL. No additional Cloudflare-held copies exist beyond the KV storage layer.
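The time-bounded disposal described in B.8.4.1 and B.8.4.2, and the retention periods in the data table above, as an added example (not Maelstrom AI’s code). The TtlStore class is an in-memory stand-in for a KV namespace with an expiration TTL, the clock is injected so expiry can be exercised without waiting, and the Groth16 pairing check is replaced by a `proof_ok` flag; the key layout and field names are assumptions.

```python
"""Ephemeral data handling for the processor role.

Added example, not Maelstrom AI's code. It exercises the retention periods
the document states: challenges live 300 s, the proof is never written
anywhere, the hashed IP and audit entry live 90 days, and expired data
disappears without any manual purge.
"""
import hashlib
import json
import secrets

CHALLENGE_TTL_S = 300               # 5-minute challenge lifetime (300 s TTL)
AUDIT_TTL_S = 90 * 24 * 60 * 60     # 90-day retention for audit entries / hashed IPs


class TtlStore:
    """Minimal stand-in for a KV namespace that honours an expiration TTL.

    Reads compare the stored expiry against an injected clock, so expired
    entries vanish on access without a deletion job, mirroring how a
    TTL-backed store disposes of data with no manual intervention.
    """

    def __init__(self):
        self._data = {}             # key -> (value, expires_at)

    def put(self, key, value, expiration_ttl, now):
        self._data[key] = (value, now + expiration_ttl)

    def get(self, key, now):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:
            del self._data[key]     # lazily drop the expired entry
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)

    def live_keys(self, now):
        """Keys still within their TTL at time `now`."""
        return sorted(k for k in list(self._data) if self.get(k, now) is not None)


def hash_ip(ip: str) -> str:
    """Pseudonymise a client IP with SHA-256, as the document describes.

    Practitioner caveat: IPv4 has only 2^32 addresses, so an unkeyed hash can
    be matched against a candidate address; a keyed hash (HMAC with a rotating
    secret) is the usual hardening. This example follows the page as written.
    """
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def create_challenge(store: TtlStore, now: int) -> str:
    """Issue a one-time nonce that expires 300 s after creation."""
    nonce = secrets.token_hex(16)
    store.put(f"challenge:{nonce}", "pending", CHALLENGE_TTL_S, now)
    return nonce


def verify(store: TtlStore, nonce: str, proof_ok: bool, client_ip: str, now: int):
    """Consume a challenge, log the event, and return the binary result.

    `proof_ok` stands in for the Groth16 pairing check; the proof bytes are
    never written anywhere, only the outcome reaches the audit log.
    Returns None for an unknown, expired or already-used challenge.
    """
    key = f"challenge:{nonce}"
    if store.get(key, now) is None:
        return None
    store.delete(key)               # single use: a replayed nonce is rejected
    result = bool(proof_ok)
    entry = json.dumps({"t": now, "event": "proof_verified",
                        "ip_hash": hash_ip(client_ip), "result": result})
    store.put(f"audit:{now}:{nonce}", entry, AUDIT_TTL_S, now)
    return result


if __name__ == "__main__":
    kv = TtlStore()
    t0 = 1_700_000_000              # constructed clock value (Unix seconds)
    nonce = create_challenge(kv, t0)
    print(verify(kv, nonce, True, "203.0.113.7", t0 + 120))   # True
    print(verify(kv, nonce, True, "203.0.113.7", t0 + 121))   # None (replay)
    print(kv.live_keys(t0 + AUDIT_TTL_S - 1))                 # audit entry still held
    print(kv.live_keys(t0 + AUDIT_TTL_S + 120))               # [] once 90 days pass
```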

Evidence:

  • Standard DPA, Section 10 (Termination and Data Disposal)
  • Cloudflare KV TTL configuration
  • Data retention policy: data-retention.mdx

Assessment: ✅ Implemented


B.8.4.3 PII Transmission Controls

ISO 27701 Requirement: The processor shall encrypt PII transmitted over public networks and ensure the security of PII during transmission.

Applicability: Applicable

Maelstrom AI Implementation:

All data transmission involving PII is protected by multiple layers of encryption:

  1. Transport encryption: All API endpoints (provii-verifier including hosted mode, provii-issuer, provii-management) are served exclusively over HTTPS (TLS 1.2 minimum, TLS 1.3 preferred). Cloudflare enforces HTTPS at the edge with HSTS headers.
  2. No plaintext channels: HTTP requests are redirected to HTTPS. No API endpoint accepts unencrypted connections.
  3. Internal transmission: Communication between Cloudflare Workers and KV storage occurs within Cloudflare’s internal network. KV data is encrypted at rest by Cloudflare.
  4. ZKP transmission: The zero knowledge proof itself is transmitted over HTTPS. Even if intercepted, the proof reveals no PII (by mathematical construction of the Groth16 proof system).
  5. Verification results: Binary pass/fail results are returned to the controller over HTTPS.
  6. Issuance flow: During credential issuance (where DOB is transmitted once for Pedersen commitment computation), the transmission occurs over HTTPS. The DOB is processed ephemerally and immediately discarded after commitment computation.

Evidence:

  • Cloudflare TLS configuration (enforced at edge)
  • HSTS headers in all Worker responses
  • Cryptographic architecture documentation
  • Privacy architecture evidence: privacy-architecture-evidence.md

Assessment: ✅ Implemented


B.8.5 PII Sharing, Transfer and Disclosure

B.8.5.1 Basis for PII Transfer Between Jurisdictions

ISO 27701 Requirement: The processor shall inform the controller in a timely manner of the basis for PII transfers between jurisdictions, including any changes to the basis.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI’s infrastructure operates on Cloudflare’s global edge network. The basis for international transfers is documented and communicated to controllers:

  1. Transfer mechanism: Standard Contractual Clauses (SCCs) between Maelstrom AI and Cloudflare govern international data transfers. The Cloudflare DPA incorporates EU Commission-approved SCCs.
  2. Cloudflare Data Privacy Framework: Cloudflare participates in the EU-US Data Privacy Framework, providing an additional adequacy basis for transfers to the United States.
  3. Controller notification: The DPA discloses the international transfer arrangements. Any material change to the transfer basis (e.g., invalidation of SCCs or the Data Privacy Framework) would be notified to controllers per the DPA terms.
  4. Maelstrom AI’s jurisdiction: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust is based in Australia (PO Box 169, St Arnaud VIC 3478).
  5. Minimal transfer risk: The data transferred internationally consists of hashed IP addresses and verification event logs. No DOB, name, email, or other directly identifying information crosses borders.

Evidence:

  • Cloudflare DPA with SCCs
  • Supplier management: supplier-management.md
  • Standard DPA, Section 8 (International Transfers)

Assessment: ✅ Implemented


B.8.5.2 Countries and International Organisations to Which PII Can Be Transferred

ISO 27701 Requirement: The processor shall specify and document the countries and international organisations to which PII can potentially be transferred.

Applicability: Applicable

Maelstrom AI Implementation:

The following jurisdictions are involved in PII processing:

Jurisdiction | Entity | Data | Safeguard
Australia | Maelstrom AI | All processing data | Home jurisdiction (Australian Privacy Act 1988)
United States | Cloudflare, Inc. | Infrastructure data, KV storage | EU-US DPF, SCCs
European Union | Cloudflare edge nodes | Transient request data | Local processing at edge
Global (Cloudflare edge) | Cloudflare CDN | Transient HTTP request data | SCCs, Cloudflare DPA

Restrictions:

  • No transfers to jurisdictions without adequate safeguards (SCCs or adequacy decisions)
  • No transfers to China, Russia, or other high-risk jurisdictions
  • No data sharing with third parties beyond Cloudflare

This information is documented in the DPA and the supplier management records. Controllers are notified of any changes to the list of jurisdictions.

Evidence:

  • Cloudflare Sub-Processor List
  • Supplier management: supplier-management.md
  • Standard DPA, Section 8 (International Transfers)

Assessment: ✅ Implemented


B.8.5.3 Records of PII Disclosure to Third Parties

ISO 27701 Requirement: The processor shall maintain records of PII disclosures to third parties, including what PII was disclosed, to whom, when, and the lawful basis.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI’s disclosure profile is minimal by design:

  1. Routine disclosures: The only routine disclosure is the verification result (binary pass/fail) returned to the controller (verifier) who initiated the request. This is the core purpose of processing and is documented in the DPA.
  2. Sub-processor disclosure: Cloudflare processes data as a sub-processor. The categories of data accessible to Cloudflare (encrypted HTTP traffic, KV storage entries) are documented in the Cloudflare DPA and Maelstrom AI’s supplier management records.
  3. No other third-party disclosures: Maelstrom AI does not disclose PII to any party other than the requesting controller and the disclosed sub-processor (Cloudflare). No advertising networks, analytics providers, or other third parties receive data.
  4. Law enforcement disclosures: No law enforcement disclosures have been made to date. If a legally binding disclosure request is received, it would be handled per B.8.5.5 below and logged in the incident response system.

Evidence:

  • Audit logs (verification events with controller identification)
  • Supplier management: supplier-management.md
  • Incident response procedures: incident-response.mdx

Assessment: ✅ Implemented


B.8.5.4 Notification of PII Disclosure Requests

ISO 27701 Requirement: The processor shall notify the controller of any request for disclosure of PII from a government authority or other third party, unless legally prohibited.

Applicability: Applicable

Maelstrom AI Implementation:

The standard DPA includes a notification obligation:

  1. Government requests: If Maelstrom AI receives a legally binding request for PII disclosure (e.g., a court order, subpoena, or regulatory demand), the DPA requires Maelstrom AI to:
     • Notify the affected controller promptly, unless legally prohibited
     • Provide the controller with a copy of the request where permitted
     • Disclose only the minimum data required by law
     • Challenge overbroad requests where reasonable
  2. Practical considerations: Given that Maelstrom AI holds only hashed IP addresses and time-limited audit logs, the utility of any disclosure request is limited. Hashed IP addresses cannot be reversed to identify individuals. Audit logs contain no PII beyond pseudonymised identifiers.
  3. No requests received to date: As of the date of this document, Maelstrom AI has not received any government or third-party disclosure requests.

Evidence:

  • Standard DPA, Section 5 (Government Access)
  • Incident response procedures: incident-response.mdx

Assessment: ✅ Implemented


B.8.5.5 Legally Binding PII Disclosures

ISO 27701 Requirement: The processor shall document the legal basis and procedures for any legally binding disclosures of PII.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI’s incident response procedures include a process for handling legally binding disclosure requests:

  1. Receiving the request: Any disclosure demand is logged in the incident response system and escalated to the ISMS Owner.
  2. Legal assessment: The request is reviewed for legal validity, scope, and applicable jurisdiction. External legal counsel is engaged where appropriate.
  3. Controller notification: The affected controller is notified per the DPA, unless a gag order prohibits notification.
  4. Minimum disclosure: Only the data specifically required by the legal instrument is disclosed. Given the minimal data Maelstrom AI holds (hashed IPs, audit logs), the scope of any disclosure would be extremely limited.
  5. Record keeping: All legally binding disclosures are documented, including the legal basis, the data disclosed, the recipient, and the date.

Evidence:

  • Incident response procedures: incident-response.mdx
  • Standard DPA, Section 5 (Government Access)
  • Communication procedure: communication-procedure.md

Assessment: ✅ Implemented


B.8.5.6 Disclosure of Sub-Contractors Used to Process PII

ISO 27701 Requirement: The processor shall disclose to the controller any use of sub-contractors (sub-processors) to process PII, before engaging them.

Applicability: Applicable

Maelstrom AI Implementation:

Maelstrom AI currently uses one sub-processor:

Sub-Processor | Purpose | Data Processed | Safeguards
Cloudflare, Inc. | Infrastructure (Workers runtime, KV storage, CDN, DDoS protection) | All API traffic, KV-stored data (hashed IPs, audit logs, verification challenges) | DPA, SCCs, EU-US DPF, SOC 2 Type II, ISO 27001 (supplier-held, via Cloudflare)

Disclosure and change notification:

  1. Pre-engagement disclosure: Cloudflare is disclosed as a sub-processor in the standard DPA before any controller signs the agreement.
  2. Change notification: The DPA requires Maelstrom AI to notify controllers at least 30 days before engaging any new sub-processor, providing the controller the opportunity to object.
  3. Controller objection rights: If a controller objects to a new sub-processor, the DPA provides for discussion and, if no resolution is reached, termination of the affected processing.
  4. Sub-processor register: The current sub-processor list is maintained in the supplier management documentation and referenced in the DPA.

Evidence:

  • Standard DPA, Section 9 (Sub-Processors)
  • Supplier management: supplier-management.md
  • Cloudflare DPA and SCCs

Assessment: ✅ Implemented


B.8.5.7 Engagement of a Sub-Contractor to Process PII

ISO 27701 Requirement: The processor shall ensure that contracts with sub-processors include equivalent data protection obligations to those in the processor’s contract with the controller.

Applicability: Applicable

Maelstrom AI Implementation:

The engagement of Cloudflare as a sub-processor is governed by contractual obligations equivalent to those in Maelstrom AI’s DPA with controllers:

  1. Cloudflare DPA: Maelstrom AI’s agreement with Cloudflare includes a DPA that imposes data protection obligations on Cloudflare, including:
     • Processing only on Maelstrom AI’s instructions
     • Confidentiality obligations
     • Security measures (SOC 2 Type II, ISO 27001)
     • Breach notification obligations
     • Data deletion upon termination
     • Audit rights
  2. Flow-down provisions: The obligations in the Cloudflare DPA are at least as protective as those Maelstrom AI accepts in its DPA with controllers. This includes international transfer safeguards (SCCs), sub-processor management, and data subject rights assistance.
  3. Due diligence: Cloudflare’s security posture is assessed as part of supplier management, considering certifications (ISO 27001, SOC 2 Type II), security practices, and data protection commitments.

Evidence:

  • Cloudflare DPA and Terms of Service
  • Supplier management: supplier-management.md
  • Vendor due diligence records

Assessment: ✅ Implemented


B.8.5.8 Change of Sub-Contractor to Process PII

ISO 27701 Requirement: The processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object.

Applicability: Applicable

Maelstrom AI Implementation:

The standard DPA includes sub-processor change management provisions:

  1. Advance notification: Controllers receive at least 30 days’ written notice before any sub-processor change (addition, replacement, or removal).
  2. Objection mechanism: Controllers may object to a proposed sub-processor change within the notification period. The DPA provides for good-faith discussion to resolve objections.
  3. Termination right: If an objection cannot be resolved, the controller may terminate the affected processing (and the DPA, if the sub-processor change is material).
  4. Current status: Since Maelstrom AI’s inception, Cloudflare has been the sole sub-processor. No sub-processor changes have occurred.
  5. Future changes: Any future sub-processor engagement would follow the same notification and objection process. The supplier management procedures require security assessment, DPA execution, and controller notification before any new sub-processor begins processing.

Evidence:

  • Standard DPA, Section 9 (Sub-Processors)
  • Supplier management procedures: supplier-management.md
  • Change management policy: change-management.mdx

Assessment: ✅ Implemented


Summary

Control Implementation Overview

Control | Title | Applicability | Assessment
B.8.1.1 | Documented agreement with PII controller | Applicable | ✅ Implemented
B.8.2.1 | Customer agreement | Applicable | ✅ Implemented
B.8.2.2 | Organisation’s purposes | Applicable | ✅ Implemented
B.8.2.3 | Marketing and advertising use | Applicable | ✅ Implemented
B.8.2.4 | Infringing instruction | Applicable | ✅ Implemented
B.8.2.5 | Customer obligations | Applicable | ✅ Implemented
B.8.2.6 | Records related to processing PII | Applicable | ✅ Implemented
B.8.3.1 | Obligations to PII principals | Applicable | ✅ Implemented
B.8.4.1 | Temporary files | Applicable | ✅ Implemented
B.8.4.2 | Return, transfer or disposal of PII | Applicable | ✅ Implemented
B.8.4.3 | PII transmission controls | Applicable | ✅ Implemented
B.8.5.1 | Basis for PII transfer between jurisdictions | Applicable | ✅ Implemented
B.8.5.2 | Countries and international organisations for PII transfer | Applicable | ✅ Implemented
B.8.5.3 | Records of PII disclosure to third parties | Applicable | ✅ Implemented
B.8.5.4 | Notification of PII disclosure requests | Applicable | ✅ Implemented
B.8.5.5 | Legally binding PII disclosures | Applicable | ✅ Implemented
B.8.5.6 | Disclosure of sub-contractors used to process PII | Applicable | ✅ Implemented
B.8.5.7 | Engagement of a sub-contractor to process PII | Applicable | ✅ Implemented
B.8.5.8 | Change of sub-contractor to process PII | Applicable | ✅ Implemented

Implementation Statistics

Metric | Value
Total Annex B controls | 19
Applicable controls | 19
Implemented | 19
Partial | 0
Planned | 0
Not applicable | 0
Implementation rate | 100%

Key Strengths

  1. Minimal data processing: Provii’s zero knowledge architecture means the processor role involves processing that is inherently privacy-preserving. No DOB is transmitted during verification.
  2. Ephemeral by design: Verification challenges expire in 5 minutes, proof data is never persisted, and all retained data is purged within 90 days.
  3. Single sub-processor: Only Cloudflare is engaged as a sub-processor, simplifying oversight and controller notification.
  4. Structural constraints: Many controls are enforced by the technical architecture rather than relying solely on policy. The Workers runtime, KV TTLs, and API contract prevent processing beyond the agreed scope.

Recommendations

  1. Transfer Impact Assessment: Complete a formal Transfer Impact Assessment (TIA) for Cloudflare US transfers under Schrems II requirements, documenting supplementary measures.
  2. DPA finalisation: The standard DPA is currently in draft (Version 1.0 Draft). Finalise with external legal review before onboarding production controllers.
  3. Controller register: Establish a formal register of all controllers with active DPAs, including the date of execution, processing scope, and notification preferences for sub-processor changes.

Document Control

Field | Value
Document title | ISO 27701 Annex B: PII Processor Controls
Version | 1.0
Classification | Public
Author | Tim O’Connor, Founder & ISMS Owner
Date | 2026-02-13
Next review | 2027-02-13
Approved by | Tim O’Connor, Founder
Legal entity | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust
ABN | 61 633 823 792