Standard Contractual Clauses Addendum

For International Data Transfers from the EEA/EU to Third Countries

EU Commission Implementing Decision 2021/914 Module 2: Controller-to-Processor Transfers

Preamble

This Standard Contractual Clauses Addendum (“SCC Addendum”) forms part of the Data Processing Agreement between:

Data Exporter (Controller): [Data Exporter to complete] Data Importer (Processor): Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii

Purpose: This SCC Addendum implements the Standard Contractual Clauses approved by the European Commission for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR).

Effective Date: [Data Exporter to complete]

Legal Basis: EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

Incorporation of Standard Contractual Clauses

The Standard Contractual Clauses set out in the Annex to EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference in their entirety and form an integral part of this Addendum.

The full text of the SCCs is available in the Official Journal of the European Union (OJ L 199, 7.6.2021, p. 31-61) and at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Module Applied: Module 2 (Controller to Processor)

Selected Options and Specifications

The following options have been selected within the SCCs:

Clause	Option	Selection
Clause 7 (Docking Clause)	Optional	Not used. Additional parties must execute separate SCCs.
Clause 9(a) (Sub-Processor Authorisation)	Option 1 (specific) or Option 2 (general)	Option 2: General written authorisation. Data exporter authorises the sub-processors listed in Annex III. Data importer shall provide at least 30 days’ advance notice of changes.
Clause 11(a) (Redress. independent dispute resolution)	Optional	Not used. Data subjects may lodge complaints with the competent supervisory authority (Annex I.C) or bring proceedings before the competent courts.
Clause 13 (Supervision)	Identify competent supervisory authority	As identified in Annex I.C (determined by data exporter’s establishment).
Clause 17 (Governing Law)	EU/EEA Member State law	Ireland (default). May be varied by written agreement to another EU/EEA Member State law where the data exporter is established. Must allow for third-party beneficiary rights.
Clause 18 (Choice of Forum)	EU/EEA courts	Courts of the Member State specified in Clause 17.

Note: Clause 17 defaults to Irish law. Where a data exporter is established in a different EU/EEA Member State, parties may agree in writing to substitute that Member State’s law, provided it permits third-party beneficiary rights for data subjects. The Clause 9(a) notice period is set at 30 days; data exporters with shorter contractual expectations should raise this at onboarding.

Annex I: List of Parties and Transfer Details

A. List of Parties

Data Exporter(s):

Detail	Information
Name	[Data Exporter to complete]
Address	[Data Exporter to complete]
Contact Person	[Data Exporter to complete]
Email	[Data Exporter to complete]
Role	Controller
Activities relevant to transfer	Operating online services requiring age verification for end users
Signature and date	__________________________

Data Importer(s):

Detail	Information
Name	Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)
Address	PO Box 169, St Arnaud VIC 3478, Australia
Contact Person	ISMS Owner
Email	privacy@maelstrom.au
Role	Processor
Activities relevant to transfer	Providing zero knowledge age verification services; processing verification requests and minimal operational data (hashed IP addresses)
Signature and date	__________________________

B. Description of Transfer

Categories of Data Subjects:

End users of data exporter’s services requesting age verification
Individuals of any age (including minors) seeking to verify age eligibility
Global user base accessing data exporter’s online services

Categories of Personal Data Transferred:

Category	Data Elements	Volume
Network Identifiers	IP addresses (hashed with SHA-256 in logs)	Per verification request
Technical Metadata	User-Agent strings, HTTP headers, timestamps	Per verification request
Session Identifiers	Challenge IDs (random UUIDs), PKCE verifiers	Per verification session
Cryptographic Data	Credential nullifiers (one-way hashes), zero knowledge proof data	Per verification request

IMPORTANT - Data NOT Transferred:

❌ Names, email addresses, physical addresses, phone numbers
❌ Dates of birth (transmitted once during credential issuance to compute a Pedersen commitment, then immediately discarded. never stored or logged; not transmitted during verification)
❌ Identity documents or government IDs
❌ Biometric data
❌ Financial information
❌ Behavioural data or cross-site tracking identifiers
❌ Any other personally identifiable information (PII)

Sensitive Data (if applicable): NONE - Maelstrom AI does not process special categories of personal data as defined in GDPR Article 9.

Frequency of Transfer:

Continuous / on-demand (per verification request initiated by end users)
Estimated volume: Variable (dependent on data exporter’s subscription tier). The platform default is 500 verification requests per hour per data exporter (approximately 360,000 per month). Higher volumes available on enterprise tiers.

Nature of Processing:

Collection of IP addresses (automatically upon verification request)
Cryptographic verification of zero knowledge proofs
Anti-fraud processing (rate limiting, replay prevention)
Security monitoring and incident detection
Storage of hashed IP addresses (90-day retention)

Purpose(s) of Transfer:

Enable age verification for data exporter’s end users without collecting PII
Prevent fraudulent verification attempts
Ensure service security and reliability
Comply with data exporter’s legal obligations (age-appropriate content access)

Retention Period:

IP addresses (hashed): 90 days (automatic deletion via TTL)
Challenge session state: 5 minutes (automatic expiry via Workers KV TTL)
Challenge audit log entries: 90 days (security event logs); critical security event logs are retained for up to 365 days
Technical metadata (anonymised): 90 days
Credential nullifiers: Checked against ban list only (retained for the operational lifetime of the issuer key; reviewed at key rotation; legal basis: legitimate interest in fraud prevention)

Sub-Processors:

See Annex III for authorised sub-processors

C. Competent Supervisory Authority

Supervisory Authority:

[Data Exporter to complete. Select the applicable option below based on the data exporter’s establishment.]

Option 1 - If Data Exporter is in Ireland:

Name. Data Protection Commission (DPC)
Address. 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website. https://dataprotection.ie
Email. info@dataprotection.ie

Option 2 - If Data Exporter is in UK:

Name. Information Commissioner’s Office (ICO)
Address. Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Website. https://ico.org.uk
Phone. 0303 123 1113

Option 3 - If Data Exporter is in Germany:

Name. Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Address. Graurheindorfer Str. 153, 53117 Bonn, Germany
Website. https://www.bfdi.bund.de

Option 4 - If Data Exporter is in France:

Name. Commission Nationale de l’Informatique et des Libertés (CNIL)
Address. 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website. https://www.cnil.fr

Option 5 - Other EU/EEA Member State:

[Data Exporter to complete. Specify supervisory authority based on data exporter’s location or establishment.]
See EDPB list: https://edpb.europa.eu/about-edpb/board/members_en

Annex II: Technical and Organisational Measures (TOMs)

This Annex describes the technical and organisational measures implemented by the data importer to protect personal data transferred under the Clauses.

Reference: For details, see Data Processing Agreement Section 5 (Security Measures).

A. Technical Measures

1. Encryption

(a) Encryption in Transit:

TLS 1.3 (minimum version) for all data transmission
Perfect Forward Secrecy (PFS) enabled
HSTS (HTTP Strict Transport Security) enforced
No unencrypted HTTP communication permitted

(b) Encryption at Rest:

AES-256 encryption for all data stored in Cloudflare Workers KV, Durable Objects, and R2
AES-256 encryption for backups
Encrypted secrets management (Cloudflare Workers Secrets)

Zero knowledge proofs: Groth16 ZK-SNARKs (128-bit security level)
Elliptic curve: BLS12-381
Hash functions: SHA-256 (for IP hashing, one-way and irreversible)

2. Pseudonymization and Data Minimization

(a) IP Address Pseudonymization:

IP addresses hashed with SHA-256 before storage in audit logs
Hashing is one-way and irreversible (cannot derive original IP from hash)
Reduces identifiability and privacy risk

(b) Minimal Data Collection:

Zero knowledge architecture is designed to avoid collection of PII
Only minimal operational data collected (IP addresses, session IDs)
No persistent user identifiers across verification sessions
Random UUIDs for session identifiers (version 4, cryptographically random)

One-way cryptographic hashes derived from credentials
Prevent credential replay attacks
Cannot be reversed to reveal date of birth or identity

3. Access Controls

(a) Authentication:

Multi-factor authentication (MFA) required for all administrative access to production systems
API key authentication using HMAC-SHA256 for programmatic access
Password policy: Argon2id hashing with salt, minimum 12 characters, complexity requirements
API key rotation policy: Every 90 days (recommended)

(b) Authorisation:

Role-based access control (RBAC) with granular permissions
Roles: viewer (read-only), admin (configuration), super_admin (full access)
Principle of least privilege enforced
Just-in-time (JIT) access provisioning for privileged operations (enterprise customers)

Quarterly access reviews (documentation available to data exporter upon request)
Immediate access revocation upon personnel termination
Access logging for audit trails

4. Network Security

(a) DDoS Protection:

Cloudflare DDoS protection (300+ Tbps mitigation capacity)
Automatic attack detection and mitigation
Rate limiting per-IP, per-API-key, and global

(b) Web Application Firewall (WAF):

OWASP Top 10 protection
Custom security rules for Provii APIs
Automatic blocking of malicious requests

Automated anomaly detection (unusual traffic patterns, authentication failures)
Security event logging with real time alerts for critical events
24/7 security monitoring (via Cloudflare and internal systems)

5. Monitoring and Logging

(a) Security Event Logging:

logging of all security-relevant events
Retention: 90 days (audit logs and IP address logs); critical security event logs are retained for up to 365 days
Log formats: Structured JSON for machine readability
Append-only, tamper-evident logging

(b) Audit Trails:

All administrative actions logged (who, what, when, where)
API access logging (request/response metadata, no PII in logs)
Access to logs is restricted and logged (meta-logging)

Real-time alerts for critical security events (breach attempts, rate limit violations, authentication failures)
Notification via email, Slack, or PagerDuty (enterprise customers)

6. Vulnerability Management

(a) Automated Scanning:

Daily dependency vulnerability scans (cargo audit for Rust, npm audit for JavaScript)
GitHub Dependabot alerts for vulnerable dependencies
Automated security advisories monitoring

(b) Penetration Testing:

Annual third-party penetration testing (target: Q2 2026 onwards)
Responsible disclosure programme (security@maelstrom.au)
Findings remediated within defined SLAs (Critical: 48 hours, High: 7 days, Medium: 30 days)

Critical vulnerabilities patched within 48 hours
High severity vulnerabilities patched within 7 days
Regular updates to dependencies and infrastructure

B. Organisational Measures

1. Access Management

(a) Personnel Vetting:

Background checks for personnel with access to production systems
Confidentiality and non-disclosure agreements (NDAs) signed by all employees and contractors
Annual security awareness training (mandatory for all staff)
Privacy training for personnel handling data subject requests

(b) Access Provisioning:

Formal access request and approval process
Manager approval required for production access
Access granted based on job role and need-to-know
Regular access reviews (quarterly) to revoke unnecessary access

Immediate revocation of all access upon personnel termination or role change
Return of all company devices and credentials
Exit interview and reminder of confidentiality obligations

2. Privacy by Design and Default

(a) Architectural Principles:

Zero knowledge first: Avoid collecting PII wherever architecturally possible
Data minimization: Collect only data strictly necessary for service provision
Privacy as default: Maximum privacy settings without user configuration

(b) Privacy Impact Assessment:

Architecture reviews for new features (privacy assessment integrated)
Data Protection Impact Assessment (DPIA) for material processing changes
Privacy considerations documented in feature design documents

Security requirements defined at design phase
Threat modeling for new features
Security code review before production deployment
Automated security testing (SAST, DAST, dependency scanning)

3. Vendor and Sub-Processor Management

(a) Vendor Selection:

Security assessment for all critical vendors and sub-processors
Evaluation of certifications (ISO 27001, SOC 2 Type II)
Review of Data Processing Agreements and security commitments

(b) Ongoing Monitoring:

Annual vendor security reviews
Monitoring of vendor security advisories and incident notifications
Continuous assessment of sub-processor compliance (Cloudflare status monitoring)

Data Processing Agreements with all sub-processors meeting GDPR Article 28(3) requirements
Standard Contractual Clauses for international transfers
Breach notification obligations (within 24 hours to data importer)
Audit rights

4. Incident Response and Business Continuity

(a) Incident Response:

On-call incident response capability (for critical services)
Documented incident response playbooks for common scenarios
24-hour breach detection target (enhanced monitoring reduces typical detection time)
Breach notification to data exporter targeted within 4 hours (enterprise) or 24 hours (standard); best-effort, no contractual SLA at this tier

(b) Post-Incident Review:

Root cause analysis for all incidents
Lessons learned documentation
Remediation actions to prevent recurrence
Quarterly incident response drills and tabletop exercises

Daily automated backups (encrypted, stored in geographically separate locations)
Disaster recovery plan with defined RTO (4 hours) and RPO (24 hours)
Annual disaster recovery testing
Redundant infrastructure across multiple availability zones

5. Compliance and Governance

(a) Policies and Procedures:

Information Security Policy (ISO 27001:2022 aligned)
Data Retention Policy (documented retention periods and deletion procedures)
Incident Response Policy
Access Control Policy
Cryptography Policy
Acceptable Use Policy

(b) Certifications (Planned):

ISO 27001:2022 - Information Security Management System (certification planned when commercially justified)
ISO 27701:2019 - Privacy Information Management System (certification planned when commercially justified)
OWASP ASVS 5.0.0 Level 3 (provii-verifier aligned; no formal certification)

Maintained in accordance with GDPR Article 30(2)
Available to supervisory authorities and data exporter upon request
Reviewed and updated quarterly or upon material changes

(d) Management Review:

Quarterly ISMS management review
Review of security metrics, incidents, audit findings
Assessment of effectiveness of security measures
Continuous improvement initiatives

C. Physical and Environmental Security

Note: Maelstrom AI operates on cloud infrastructure (Cloudflare) and does not maintain physical data centres. Physical security is the responsibility of Cloudflare.

Cloudflare Physical Security (Sub-Processor):

ISO 27001 certified data centres
24/7 security personnel and surveillance
Biometric access controls and multi-factor authentication
Environmental controls (fire suppression, climate control, power redundancy)
Physical security audits (SOC 2 Type II coverage)

Maelstrom AI Office Security (Administrative):

Secure office facilities with access controls
Device encryption for all laptops and workstations (full-disk encryption)
Clean desk policy (no sensitive information left unattended)
Secure disposal of paper documents (shredding)
No personal data stored on local devices (cloud-based systems only)

D. Data Retention and Deletion

1. Retention Periods

Data Category	Retention Period	Deletion Method
IP addresses (hashed)	90 days	Automatic expiry (Cloudflare Workers Logs in Grafana Loki, 90-day Loki tenant retention)
Challenge session state (active)	5 minutes	Automatic expiry (Workers KV TTL)
Challenge audit log entries	90 days (standard); critical security event logs retained for up to 365 days	Automatic deletion via retention policy
Technical metadata (anonymised)	90 days	Automated deletion via retention policy
Credential nullifiers	Retained for the operational lifetime of the issuer key; reviewed at key rotation (legal basis: legitimate interest in fraud prevention)	Reviewed and purged at issuer key rotation
Backups	90 days	Automated purging, encrypted deletion

2. Deletion Procedures

(a) Automated Deletion:

Time-To-Live (TTL) mechanisms enforce automatic expiry
Grafana Loki tenant retention purges hashed-IP entries (shipped via Cloudflare Workers Logs) after 90 days (no manual intervention)
Workers KV and Durable Objects automatically delete expired data
Backups automatically purged after 90-day retention period

(b) Manual Deletion (upon data subject request or contract termination):

Deletion from active systems targeted within 2-5 Business Days (best-effort; no contractual SLA)
Cryptographic erasure (delete encryption keys for encrypted data)
Overwriting of storage media (for non-encrypted data, if applicable)
Deletion certificate provided to data exporter

Deletion logs maintained (who deleted what, when)
Attestation of deletion provided to data exporter
Audit capability to verify deletion completion

E. Sub-Processor Security (Cloudflare)

Cloudflare Security Measures:

Certifications. ISO 27001:2013, SOC 2 Type II, PCI DSS Level 1, C5 (Germany)
Encryption. AES-256 at rest, TLS 1.3 in transit
Access Controls. MFA, RBAC, least privilege
Network Security. DDoS protection, WAF, intrusion detection
Monitoring. 24/7 SOC, automated threat detection
Incident Response. 24/7 incident response team, breach notification within 24 hours
Compliance. GDPR-compliant DPA, EU-US Data Privacy Framework participant

Cloudflare Data Processing Addendum:

Available at: https://www.cloudflare.com/cloudflare-customer-dpa/
Incorporates Standard Contractual Clauses (Module 2: Controller-to-Processor)
Provides security commitments and data protection obligations

F. Measures to Ensure Data Minimization

(a) Architectural Design:

Zero knowledge proofs enable age verification without revealing date of birth
Credentials processed locally in user’s wallet application (client-side)
Server-side processing limited to cryptographic proof verification (no PII)

(b) Data Collection Review:

Quarterly review of data collection practices
Assessment of whether each data element is still necessary
Elimination of unnecessary data collection

Pseudonymization (IP hashing)
Zero knowledge cryptography (data never collected in plaintext)
Unlinkability (random session IDs prevent cross-site tracking)

G. Measures to Ensure Data Quality

(a) Accuracy:

IP addresses collected directly from network requests (automatically accurate)
Timestamps generated by system clocks (NTP-synchronized)
Cryptographic data verified mathematically (cannot be inaccurate without detection)

(b) Data Subject Control:

Users update their date of birth in wallet application (under their control)
No centralized PII database requiring accuracy maintenance

H. Accountability and Transparency

(a) Documentation:

This Annex II documents all security measures
security policies maintained in ISMS
Records of Processing Activities (ROPA) available to supervisory authorities

(b) Reporting:

Annual compliance reports to data exporter (enterprise customers)
Quarterly security summaries available upon request
Transparency report (annual) disclosing government access requests (if any)

Annual third-party penetration testing
ISO 27001/27701 certification audits (aligned with ISO 27001:2022 and ISO 27701:2019, certification planned when commercially justified)
Internal security audits (quarterly)
Data exporter audit rights (see DPA Section 9)

Annex III: List of Sub-Processors

Authorised Sub-Processors

The data importer has the data exporter’s general authorisation to engage the following sub-processors:

Sub-Processor 1: Cloudflare, Inc.

Detail	Information
Name	Cloudflare, Inc.
Registered Address	101 Townsend St, San Francisco, CA 94107, United States
Contact	privacyquestions@cloudflare.com
Website	https://www.cloudflare.com
Processing Location(s)	United States (primary), European Union (Ireland, Germany, France, Netherlands, etc.), United Kingdom, Asia-Pacific (Singapore, Japan, Australia), and other Cloudflare edge locations globally (300+ locations)
Nature of Processing	Cloud infrastructure and serverless computing platform; DDoS protection; content delivery network; Web Application Firewall
Categories of Data	IP addresses, HTTP request metadata (User-Agent, headers), cryptographic proof data (zero knowledge proofs - not PII), session identifiers (UUIDs), audit logs
Duration	For the duration of the data importer’s contract with Cloudflare and the provision of Services to the data exporter
Transfer Mechanism	Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller-to-Processor)
Data Processing Agreement	Cloudflare Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/
Security Certifications	ISO 27001:2013, SOC 2 Type II, PCI DSS Level 1 Service Provider, C5 (Cloud Computing Compliance Controls Catalogue - Germany)
EU-US Data Privacy Framework	Cloudflare is certified under the EU-US Data Privacy Framework (verify at: https://www.dataprivacyframework.gov/)
Additional Safeguards	AES-256 encryption at rest, TLS 1.3 in transit, pseudonymization (IP hashing), 90-day data retention, 24/7 SOC monitoring, DDoS protection

Services Provided by Cloudflare:

Cloudflare Workers. Serverless compute platform (runs data importer’s age verification API code)
Cloudflare Workers KV. Key-value storage (stores hashed IP logs, challenge records, audit logs)
Cloudflare Durable Objects. Stateful compute (manages active verification sessions)
Cloudflare R2. Object storage (backups)
Cloudflare Workers Logs. Structured console.log JSON shipment to Grafana Loki (server-side, aggregated only) for operational telemetry
Cloudflare DDoS Protection. Network security and traffic filtering
Cloudflare WAF. Web Application Firewall (OWASP Top 10 protection)

Data Residency: Cloudflare processes data at edge locations globally. Maelstrom AI does not currently offer region-restricted processing.

Sub-Processor 2: Grafana Labs Inc.

Detail	Information
Name	Grafana Labs Inc.
Registered Address	3 Park Avenue, 29th Floor, New York, NY 10016, USA
Contact	privacy@grafana.com
Website	https://grafana.com
Processing Location(s)	United States (primary). Grafana Cloud regions are selectable at tenant provisioning; Maelstrom AI’s tenant is provisioned on US infrastructure.
Nature of Processing	Log aggregation (Grafana Loki) and distributed trace collection (Grafana Tempo) for operational observability of all six production Workers.
Categories of Data	HMAC-SHA-256 hashed IP addresses (keyed by an internal HMAC secret), pseudonymous session identifiers, request metadata (method, path, status code, latency), trace spans. No raw IP addresses. No dates of birth, names, wallet credentials, or attestation payloads.
Duration	For the duration of the data importer’s contract with Grafana Labs and the provision of Services to the data exporter.
Transfer Mechanism	EU Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller-to-Processor). SCCs are the sole transfer mechanism relied upon; if Grafana Labs holds EU-US Data Privacy Framework certification, that certification provides an additional layer of assurance, but Maelstrom AI’s transfer instrument is the SCCs regardless of DPF status.
Competent Supervisory Authority	As identified in Annex I.C (determined by data exporter’s establishment). The same supervisory authority applicable to the Cloudflare transfer applies to this transfer.
Data Processing Agreement	Grafana Labs Data Processing Agreement, accepted via the Grafana Cloud portal.
Security Certifications	SOC 2 Type II, ISO 27001. Data encrypted in transit (TLS 1.3) and at rest.
Legal Basis	Legitimate interest (service reliability and incident response).
Retention	90 days (Grafana Cloud Loki and Tempo tenant retention). Automatic deletion; no manual intervention required.
Additional Safeguards	HMAC-SHA-256 hashing of IP addresses performed by the Provii Worker before any log or trace emission; no plaintext IP addresses reach Grafana infrastructure.

Services Provided by Grafana Labs:

Grafana Loki. Log aggregation receiving structured JSON log lines shipped via Cloudflare Workers Logs from provii-verifier, provii-issuer, provii-management, provii-credit-management, admin-portal, and provii-status.
Grafana Tempo. Distributed trace collection receiving trace spans from the same six Workers.

Future Sub-Processors

Notification Process:

Data importer shall provide data exporter with at least 30 days’ advance notice of any intended addition or replacement of sub-processors (60 days for enterprise customers)
Notice provided via email to designated contact and update to public sub-processor list at https://provii.app/legal/sub-processors
Data exporter may object on reasonable grounds relating to data protection within 14 days of notice (30 days for enterprise)
If objection cannot be resolved, data exporter may terminate affected Services or the entire contract

Current Sub-Processor List (Always Up-to-Date):

Public list maintained at: https://provii.app/legal/sub-processors
Data exporter may subscribe to email notifications of changes via Provii admin dashboard

Annex IV: Transfer Impact Assessment Summary (Optional)

Status: Completed by data importer (Maelstrom AI) on 2026-02-13

Purpose: Assess whether the law or practice of the country of destination (United States, via Cloudflare) impinges on the effectiveness of the Standard Contractual Clauses.

A. Assessment Methodology

(a) Legal Analysis: Review of US surveillance laws (FISA Section 702, Executive Order 12333, CLOUD Act) and their applicability to Maelstrom AI’s data processing

(b) Practical Assessment: Evaluation of actual risk based on:

Nature and volume of data transferred
Likelihood of government access requests
Cloudflare’s legal and technical safeguards
Provii’s zero knowledge architecture

B. Key Findings

1. Nature of Data Transferred

Risk Factor	Assessment	Risk Level
Minimal Personal Data	Only hashed IP addresses and cryptographic proofs (not PII)	LOW
No Surveillance Interest	Age verification data has no national security, intelligence, or law enforcement value	LOW
Pseudonymization	IP addresses hashed with SHA-256 (irreversible)	LOW
Short Retention	90-day maximum retention minimises exposure window	LOW
No Special Categories	No GDPR Article 9 special category data (health, biometric, etc.)	LOW

2. Legal Surface (United States)

(a) FISA Section 702:

Targets non-US persons’ communications for foreign intelligence purposes
Applicability to Maelstrom AI. LOW - Age verification data unlikely to be targeted for foreign intelligence surveillance
Cloudflare Safeguards. Legal challenges to overbroad requests, transparency reporting

(b) Executive Order 12333:

Authorizes foreign intelligence collection outside US
Applicability to Maelstrom AI. LOW - Data processed within US infrastructure, not targeted extraterritorially
Cloudflare Safeguards. Encryption in transit reduces interception risk

Allows US law enforcement to compel disclosure of data regardless of storage location
Applicability to Maelstrom AI. LOW - Age verification data unlikely to be subject of criminal investigations
Safeguards. Data importer will challenge overbroad requests, notify data exporter

3. Practical Risk Assessment

Factor	Assessment	Mitigation
Government Access Requests	ZERO requests received to date (as of 2026-02-13)	Immediate notification to data exporter if received
Likelihood of Future Requests	VERY LOW - age verification data has no intelligence or law enforcement value	Challenge any requests as overbroad
Cloudflare’s Track Record	Strong legal advocacy, transparency reporting, minimal government access	Benefit from Cloudflare’s scale and resources
Data Sensitivity	LOW - hashed IP addresses only, no PII	Pseudonymization reduces identifiability

4. Cloudflare-Specific Safeguards

(a) Legal Protections:

Cloudflare has history of challenging government requests in court
Transparency reports published annually (disclosing number of requests)
Legal team with expertise in data protection and government access issues

(b) Technical Protections:

Encryption at rest (AES-256) and in transit (TLS 1.3)
Access controls limit Cloudflare personnel access to customer data
Audit logging of all access to customer data

ISO 27001 and SOC 2 Type II certified
Data Processing Addendum with strong contractual safeguards
EU-US Data Privacy Framework certified (additional legal protection)

C. Supplementary Measures Implemented

Beyond Standard Contractual Clauses, the following supplementary measures reduce risk:

1. Technical Measures

(a) Pseudonymization:

IP addresses hashed with SHA-256 before storage (one-way, irreversible)
Reduces identifiability and sensitivity of data
Even if accessed by government, hashed IP provides limited information

(b) Encryption:

TLS 1.3 in transit (protects against network interception)
AES-256 at rest (protects against unauthorized access to storage)
Encryption keys controlled by data importer (Cloudflare cannot decrypt without keys)

Zero knowledge architecture is designed to avoid collection of PII
Only minimal operational data transferred (IP addresses)
No dates of birth, names, or identity documents ever transmitted

(d) Short Retention:

90-day maximum retention for IP addresses (automatic deletion)
Minimizes window of exposure to government access
Most data auto-deleted before any access request could be processed

2. Organisational Measures

(a) Notification Obligations:

Data importer will notify data exporter within 24 hours of any government access request (unless legally prohibited)
Data importer will document all efforts to challenge or seek waiver of prohibition on notification

(b) Legal Challenge:

Data importer will challenge government requests that appear overbroad or lack legal basis
Data importer will exhaust reasonable legal avenues to prevent disclosure

If disclosure required, data importer will provide minimum data necessary to comply
Data importer will seek to redirect request to data exporter (Controller is responsible for data)

(d) Transparency Reporting:

Annual transparency report disclosing number of government requests (if any)
Builds trust and demonstrates commitment to transparency

3. Contractual Measures

(a) Standard Contractual Clauses:

Provides contractual safeguards for data transfer
Gives data subjects and supervisory authorities enforcement rights

(b) Cloudflare DPA:

Cloudflare bound by Data Processing Addendum incorporating SCCs
Contractual obligation to notify data importer of government requests (where permitted by law)

Cloudflare certified under DPF (additional legal safeguard)
DPF provides redress mechanism for EU data subjects

D. Conclusion

Overall Risk Level: LOW

Rationale:

Minimal and pseudonymized personal data transferred (hashed IP addresses only)
Zero knowledge architecture prevents transfer of sensitive PII (no dates of birth, names, etc.)
Age verification data has no national security, intelligence, or law enforcement value (unlikely to be targeted)
Short retention period (90 days) minimises exposure window
Strong supplementary measures (pseudonymization, encryption, short retention)
Cloudflare’s legal and technical safeguards
Zero government access requests received to date

Assessment: The Standard Contractual Clauses, combined with supplementary technical and organisational measures, provide adequate safeguards for the transfer of personal data from the EEA to the United States via Cloudflare infrastructure. The risk of government access is assessed as low, and even if access were to occur, the limited and pseudonymized nature of the data minimizes harm to data subjects.

Monitoring: The data importer shall continuously monitor legal and factual developments in the United States and update this assessment if circumstances change (e.g., new surveillance laws, government access requests received, changes to Cloudflare’s safeguards).

Review Date: This assessment shall be reviewed annually or upon material changes to legal surface or processing activities.

Signature

BY SIGNING BELOW, the Parties confirm that they have read and understood the Standard Contractual Clauses and agree to be bound by them.

Data Exporter (Controller):

Signature: ________________________________

Name: ________________________________

Title: ________________________________

Date: ________________________________

Data Importer (Processor): Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)

Signature: ________________________________

Name: ________________________________

Title: Chief Technology Officer

Date: ________________________________

Document Information

Document Title: Standard Contractual Clauses Addendum Version: 1.0 Status: Active Template Date: 2026-02-13 Classification: Legal Template Owner: ISMS Owner

Legal Basis: EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021

Module: Module 2 (Controller-to-Processor transfers)

Purpose: Enable lawful transfer of personal data from EEA/EU to third countries (specifically United States via Cloudflare) in compliance with GDPR Chapter V.

Integration: This SCC Addendum is incorporated by reference into the Data Processing Agreement as Annex A. In case of conflict between the DPA and the SCCs, the SCCs prevail with respect to international data transfers.

DISCLAIMER: This is a draft template requiring review by qualified legal counsel before use. The Standard Contractual Clauses are based on EU Commission Decision 2021/914. Modifications to the core Clauses (Section I-IV) are not permitted except as explicitly allowed. Parties should consult with legal counsel to ensure correct completion of Annexes and compliance with GDPR requirements.

Gap Closure: This document addresses GAP-M007 (Medium severity, High business impact) - “No DPA templates exist for B2B customers” by providing the required Standard Contractual Clauses for international data transfers.

Compliance Mapping:

GDPR Article 46 (Transfers subject to appropriate safeguards) ✓
GDPR Chapter V (Transfers of personal data to third countries) ✓
EU Commission Decision 2021/914 (Standard Contractual Clauses) ✓
Schrems II decision (CJEU Case C-311/18) - Transfer Impact Assessment included ✓

END OF DOCUMENT