# Records of Processing Activities (GDPR Art. 30)

> Required of every controller and processor (with limited SME exemption).
> Auditors / supervisory authorities can request this on demand. Keep the
> live version in the company's privacy folder; this committed copy is the
> baseline that mirrors the architecture in code.

**Controller:** {COMPANY_LEGAL_NAME}, {COMPANY_REGISTERED_ADDRESS_BANGLADESH}

**DPO:** {DPO or "not appointed — below threshold"}

**Last reviewed:** 2026-04-29

---

## Processing activity 1 — Account & authentication

| Field | Value |
|---|---|
| Purpose | Authenticate factory users; enforce role-based access |
| Categories of data subjects | Factory administrators, factory users, buyers, recyclers, platform admins, authorities |
| Categories of personal data | Email, full name, phone, role, salted password hash (scrypt), encrypted TOTP secret (AES-GCM), session metadata, IP, user-agent, last login timestamp |
| Categories of recipients | Internal: platform admins. External: Cloudflare (data processor) |
| Transfers outside EU | None for stored data (WEUR). Edge processing transient — see Cloudflare DPA |
| Retention | Account active + 6 months after deletion; audit log 1y (configurable) |
| Security measures | scrypt N=2¹⁶, AES-GCM at rest, TLS 1.3 in transit, REVOKE_KV session blacklist, atomic counter on login fail, lockout after 5 fails, 2FA optional |

## Processing activity 2 — DPP product data

| Field | Value |
|---|---|
| Purpose | Generate and serve EU-compliant Digital Product Passports per ESPR 2024/1781 |
| Categories of data subjects | Factory employees named as conformity declarants (limited PII); product end-users (none — DPPs describe products, not consumers) |
| Categories of personal data | Manufacturer's contact name in conformity declaration; declared_by signer name |
| Categories of recipients | Public (redacted view via QR); authenticated buyers/recyclers (full data); customs/market-surveillance (full data with audit) |
| Transfers outside EU | Public DPP URL accessible globally (no personal data leaves redacted scope); BD recyclers query under Art. 49(1)(b) |
| Retention | At least 10 years from last update — ESPR Art. 9(7) |
| Security measures | Server-side ESPR validation gate at publish, immutable version history, SHA-256 integrity hash exposed, redactPublicFields on public reads |

## Processing activity 3 — Audit log

| Field | Value |
|---|---|
| Purpose | Detect abuse, support incident investigation, ESPR Art. 14 traceability |
| Categories of data subjects | All authenticated users + authority API consumers |
| Categories of personal data | User ID, IP, user-agent, action, resource, sanitized diff (passwords/tokens/secrets redacted) |
| Categories of recipients | Platform admins; supervisory authorities on lawful request |
| Transfers outside EU | None (WEUR D1) |
| Retention | 1 year by default; admin-configurable via /api/admin/audit/sweep?days= |
| Legal basis | Art. 6(1)(c) legal obligation + Art. 6(1)(f) legitimate interest |

## Processing activity 4 — Billing

| Field | Value |
|---|---|
| Purpose | Subscription billing, invoicing, dispute handling |
| Categories of data subjects | Factory account holders |
| Categories of personal data | Stripe customer ID, subscription state, bKash transaction ID; **no full card numbers** |
| Categories of recipients | Stripe Payments Europe Ltd. (Ireland); bKash Ltd. (Bangladesh — BD residents only) |
| Transfers outside EU | Stripe handles via own SCCs/DPA; bKash relevant only to BD residents |
| Retention | Subscription active + 7 years (tax / accounting requirement) |
| Legal basis | Art. 6(1)(b) contract + 6(1)(c) tax law |

## Processing activity 5 — File attachments (R2)

| Field | Value |
|---|---|
| Purpose | Store certificates, product images, PDFs uploaded to a DPP |
| Categories of data subjects | Whoever appears in the certificate (factory contact, third-party auditor) |
| Categories of personal data | Names/signatures on certificates; product images (not personal unless human depicted) |
| Categories of recipients | Authenticated factory members; authorities on request |
| Transfers outside EU | None (R2 WEUR); CDN caching transient |
| Retention | Linked to DPP retention (10y for published) |
| Security measures | MIME magic-byte sniff, 10MB cap, SVG rejected, Content-Disposition: attachment, sandbox CSP, SHA-256 integrity stored |

## Processing activity 6 — Communications (Telegram alerts, email)

| Field | Value |
|---|---|
| Purpose | Internal ops alerts (Telegram); transactional email (verification, billing) |
| Categories of data subjects | Internal team (Telegram); end users (email) |
| Categories of personal data | Email addresses, factory names in alert text |
| Categories of recipients | Telegram FZ-LLC; Resend Inc. (EU instance) |
| Transfers outside EU | Telegram global infrastructure — used only for our team's status messages, no customer PII; Resend EU instance keeps customer email in WEUR |
| Retention | Telegram: 90 days message history; Resend: 30 days log |

---

## Sub-processor register

| Sub-processor | Service | Region | DPA signed | Last verified |
|---|---|---|---|---|
| Cloudflare, Inc. | Workers, D1, R2, KV | WEUR | ✅ {DATE} | {DATE} |
| Stripe Payments Europe Ltd. | Card processing | Ireland | ✅ {DATE} | {DATE} |
| bKash Ltd. | Local payments | Bangladesh | {DPA STATUS} | {DATE} |
| Resend, Inc. | Email | EU (Frankfurt) | ✅ {DATE} | {DATE} |
| Functional Software, Inc. (Sentry) | Error tracking | EU (Frankfurt) | ✅ {DATE} | {DATE} |
| Telegram FZ-LLC | Internal ops alerts | Global | n/a — no customer PII | {DATE} |
