§3 Scope of processing
| Item | Scope |
|---|---|
| Categories of data subjects | Customer's employees, contractors, applicants (where the AI inventory references them) |
| Types of personal data | Names, emails, employment roles, AI-system access permissions; NO special categories (Article 9) |
| Purposes of processing | Generation of compliance evidence (Annex IV documentation, Article 4 register, Module 2 deliverables) |
| Duration | Length of contract + 7 years (audit trail) |
§4 Sub-processors
Current list at /trust/sub-processors. Changes carry a 30-day notice period and a 14-day objection window.
§7 Security measures (Article 32)
- Encryption at rest (LUKS volumes, Supabase native)
- Encryption in transit (TLS 1.3)
- Access control (RBAC + MFA)
- Audit log (Ed25519-signed)
- Backup (30-day rolling, encrypted)
- Incident detection (Trivy + UFW + fail2ban + 24/7 alerting)
- Penetration testing (post-Day-180 milestone)
§9 Assistance to Customer
- Article 32 security measures (technical + organisational)
- Article 33 personal-data-breach notification (72h SLA)
- Article 35 DPIA (Customer-side; PowerQuant provides technical input)
- Article 36 prior consultation (where applicable)
§10 International transfers (SCCs)
For US-hosted sub-processors, Standard Contractual Clauses Module 2 (controller-to-processor) attached as Annex 1 of executed DPA.
§11 Return or deletion of data
On contract termination, within 30 days:
- Customer-data deleted from active systems
- Backups purged within 60 days (30-day rolling + 30-day SLA)
- Audit-log identifying tags redacted; the cryptographic chain is preserved per Article 17(3)(b) GDPR (legal obligation: audit-trail integrity)
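An illustrative design for the last point above, added here as example code and not PowerQuant's own implementation: each Ed25519-signed record covers a salted commitment to the identifying tag rather than the tag itself, so tag and salt can be cleared at contract end while every signature and back-link still verifies. The field names, record format and the Go standard-library Ed25519 usage are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one audit record; Subject (the identifying tag) enters the signed bytes only as a salted commitment.
type Entry struct {
	Seq                          int
	Prev, Event, Commit, Subject string // Prev: hex hash of previous signed bytes; Commit: hex SHA-256(Salt||Subject)
	Sig, Salt                    []byte // Sig covers Seq|Prev|Event|Commit; Salt is cleared together with Subject
}
func hexHash(b []byte) string                { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func commit(salt []byte, subj string) string { return hexHash(append(append([]byte{}, salt...), subj...)) }
// signedBytes is the canonical content under the signature; Subject and Salt are deliberately excluded.
func signedBytes(e Entry) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Prev, e.Event, e.Commit))
}
// Append signs a new entry and links it to the previous one.
func Append(log []Entry, priv ed25519.PrivateKey, event, subject string) []Entry {
	e := Entry{Seq: len(log), Event: event, Subject: subject, Salt: make([]byte, 16)}
	if len(log) > 0 {
		e.Prev = hexHash(signedBytes(log[len(log)-1]))
	}
	rand.Read(e.Salt) // crypto/rand; error check omitted to keep the example short
	e.Commit = commit(e.Salt, subject)
	e.Sig = ed25519.Sign(priv, signedBytes(e))
	return append(log, e)
}
// Redact clears the identifying tags only; no signed field changes, so the chain stays intact.
func Redact(log []Entry) []Entry {
	out := append([]Entry(nil), log...)
	for i := range out { out[i].Subject, out[i].Salt = "", nil }
	return out
}
// Verify checks each signature and back-link and, where Subject/Salt are still present, the commitment.
func Verify(log []Entry, pub ed25519.PublicKey) bool {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.Prev != prev || !ed25519.Verify(pub, signedBytes(e), e.Sig) ||
			(e.Salt != nil && commit(e.Salt, e.Subject) != e.Commit) {
			return false
		}
		prev = hexHash(signedBytes(e))
	}
	return true
}
```

An auditor holding the public key can thus verify a redacted log, and a party that still holds a subject tag and salt can prove which entries referred to it.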
§12 Audit rights
- 30 days' notice
- Once per year unless triggered by suspected breach
- During business hours
- Customer-paid
- Subject to mutual NDA
Annexes (pending review by a specialised IT/AI law firm)
- Annex 1: SCCs Module 2 full text (EU 2021/914)
- Annex 2: Technical and Organisational Measures (TOMs) cross-walk to ISO 27002
- Annex 3: Live sub-processor list, see /trust/sub-processors