Record of Processing Activities (RoPA)
Effective Date: May 20, 2026 Version: 1.0 Controller: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia. Statutory basis: GDPR Art. 30(1) (controller record) and Art. 30(2) (processor record). Owner: DPO — privacy@vereid.com.
One row per processing purpose × data category × legal basis × retention × sub-processor route. Rows referencing live EU traffic are tagged 🇪🇺-GATED — they are written into the record but the processing is suppressed at edge until counsel sign-off (Hard Gate 6).
1. Controller — VEREID Social, AIARCO ID
VEREID is the controller for end-users of vereid.com (Social) and asc.aiarco.com/auth (AIARCO ID), and for its own B2B Customer / Subscriber account records.
| # | Purpose | Categories of data subjects | Categories of personal data | Legal basis | Recipients | Transfers outside AU/EU | Retention | Security |
|---|---|---|---|---|---|---|---|---|
| C1 | Operate signup + login | Social end-users; AIARCO ID end-users | Email, password hash, MFA factor metadata, IP, user-agent | Art. 6(1)(b) Contract | AWS (hosting), SendGrid (verification email), Twilio (SMS OTP) | US (Twilio, SendGrid) under SCC + AWS DPA Addendum | 90 days after account closure (then anonymised) | TLS1.3, Argon2id, MFA enforced for admin |
| C2 | Operate social-graph + content | Social end-users | Posts, comments, likes, follow graph, DMs, EXIF-stripped media | Art. 6(1)(b) Contract | AWS, Cloudflare (CDN) | US (Cloudflare edge) under SCC | Until user delete; 30-day soft-delete window | Per data-class CMK, audit log |
| C3 | Identity verification (Social posting gate, T4) | Social end-users opting to post | Document image, MRZ data, selfie, face template, OCR fields | Art. 6(1)(b) Contract + Art. 9(2)(a) explicit consent | AWS Rekognition, AWS Textract | None (region-locked) | Template ≤30d; doc image 7y; raw selfie ≤30d | PII-VAULT schema, KMS CMK pii-vault-and-audit |
| C4 | Sanctions screening at Customer onboarding | B2B Customer principals + UBOs | Name, DOB, residential country, document number | Art. 6(1)(c) AML legal obligation + Art. 6(1)(f) | Sanctions-list vendor [TBD] | US (vendor) under SCC | 7 years | Restricted IAM role; SOC2 vendor |
| C5 | Billing | B2B subscribers | Company legal name, billing address, VAT/ABN, Stripe customer ID, invoice history | Art. 6(1)(b) Contract + Art. 6(1)(c) tax law | Stripe (US — under the AIARCO ASC Stripe LIVE account) | US (Stripe) under SCC | 7 years (tax) | Stripe-tokenised PAN, no PAN in our systems |
| C6 | Security and audit logging | All | Privileged action records, admin IP, decryption events, KMS key usage | Art. 6(1)(c) + Art. 6(1)(f) | AWS S3 Object Lock | None | 7 years | S3 Object Lock WORM, separate KMS CMK |
| C7 | Transactional email (anti-phishing-coded) | All | Email, content of notification | Art. 6(1)(b) Contract | SendGrid | US under SCC | 18 months log; content not retained | DKIM/DMARC/SPF aligned |
| C8 | Marketing email (Social + B2B prospects) | Subscribers who opted in | Email, marketing prefs, engagement metrics | Art. 6(1)(a) Consent | SendGrid, PostHog | US under SCC; EU PostHog region for EEA subjects | Until opt-out + 12 months proof | Single opt-in + unsubscribe in every message |
| C9 | Product analytics | All consenting | Pseudonymous device ID, page views, feature events (no PII) | Art. 6(1)(a) Consent where required; Art. 6(1)(f) otherwise | PostHog | EU region for EEA; US otherwise | 13 months | IP truncation /24; no cookies pre-consent in EEA/UK |
| C10 | Error / crash monitoring | All | Stack trace, request ID (PII-redacted) | Art. 6(1)(f) Service security | Sentry | US under SCC | 90 days | PII redaction at SDK and server |
| C11 | DSR fulfilment (export/delete/rectify) | All requesters | All data tied to subject | Art. 6(1)(c) Art. 15/17/20 GDPR; APP 12/13 | AWS (signed S3 link) | None | Export bundle: signed link expires 7 days, deleted 30 days | Per-request KMS DEK; bundle hash audited |
| C12 | Cookie consent record | All | Consent string, IP truncated, timestamp, banner version hash | Art. 6(1)(c) + Art. 6(1)(a) | AWS | None | Lifetime of account + 7y legal-defence | consent_events append-only |
| C13 | Notifications (push, in-app, email) | Social end-users | Device push tokens, preferences | Art. 6(1)(b) Contract | Apple APNs, Google FCM | US under SCC | Until token revoked | Token rotation on logout |
| C14 | Jobs sub-product | Social end-users opting in | Job posts, applications, attached CVs | Art. 6(1)(b) Contract | AWS, employer Customer | None | Until user delete; 30-day soft-delete | Per-user KMS DEK for CV |
| C15 | Abuse and Trust&Safety | Reported users / reporters | Report metadata, reviewed content, moderator decision | Art. 6(1)(f) + Art. 6(1)(c) DSA/eSafety | AWS | None | 18 months reasoning; 7y outcome | Restricted role |
| C16 | Fraud prevention (account-takeover defence) | All | IP, device fingerprint hash, login velocity, geo | Art. 6(1)(f) | AWS, Cloudflare | None for content; metadata via Cloudflare US | 6 months | Bot mgmt at edge, anomaly model |
2. Processor — VEREID Auth, VEREID ID
VEREID is processor on behalf of B2B Customers. Each row describes the processing carried out on the Customer's instructions and documented in the DPA.
| # | Customer's purpose | Categories of data subjects | Categories of personal data | Sub-processors used | Transfers | Retention default | Customer override available? |
|---|---|---|---|---|---|---|---|
| P1 | Hosted login (OIDC/SAML) | Customer's end-users | Email, password hash, MFA secrets, session metadata | AWS, SendGrid, Twilio | US/AU/EU under SCC + AWS DPA | Lifecycle-of-relationship + 90d | Shorter retention only |
| P2 | Identity verification API at T1–T5 (/v1/verify) | Subject of verification | Document image, MRZ, face template, selfie, OCR fields | AWS, AWS Rekognition, AWS Textract | None (region-locked) | Template ≤30d; doc image 7y; raw selfie ≤30d | Shorter retention only (document image fixed by AML) |
| P3 | Sanctions screening add-on | Subject | Name, DOB, country | Sanctions vendor [TBD] | US under SCC | 7y screening record | Shorter retention only |
| P4 | Webhook delivery of verification result | Subject | Verification result event, HMAC signature | None | None | 7-day replay buffer | Off-switch |
| P5 | Tenant admin login | Customer staff | Email, MFA factor metadata, IP, audit | AWS, SendGrid, Twilio | US under SCC | 90d after admin offboard | Shorter retention |
| P6 | Audit log access for Customer | Customer staff (read-only) | Audit events scoped to tenant | AWS | None | 7y (Customer can export earlier) | n/a |
| P7 🇪🇺-GATED | EU verification flow | EU end-users | Same as P2 | Same as P2 but eu-central-1 region | None | Same | Same |
3. Sub-processor summary (see SUB_PROCESSORS.md for full)
- AWS (us-east-1; ap-southeast-2; eu-central-1 gated)
- Stripe (US, AIARCO ASC LIVE account)
- Twilio (US, SMS OTP)
- SendGrid (US, transactional email)
- Cloudflare (US/AU PoPs, WAF/CDN)
- AWS Rekognition + AWS Textract (region-pinned)
- PostHog (EU + US regions)
- Sentry (US)
- Sanctions vendor [TBD]
4. Data-subject categories — population estimates
| Category | Est. v1 size (12 mo) | Notes |
|---|---|---|
| Social end-users | 100,000 | Verification gate may reduce active commenters |
| AIARCO ID end-users | 200,000 | Capped at 50,000 / tenant, multiple tenants |
| VEREID Auth end-users | 1,000,000 | Across all B2B Customers |
| VEREID ID verified persons | 500,000 | Largely transient — no account on our side |
| B2B Customer staff | 5,000 |
5. Cross-border transfers — summary
| Origin | Destination | Mechanism | Volume tier |
|---|---|---|---|
| AU subjects | AU (ap-southeast-2) | None needed | Bulk |
| AU subjects (telemetry) | US (Cloudflare, Sentry) | APP 8 reasonable steps + SCC | Telemetry only |
| EU subjects (gated) | EU (eu-central-1) | None needed within EEA | Bulk |
| EU subjects (telemetry) | US (Cloudflare, Sentry) | SCC + Transfer Impact Assessment | Telemetry only |
| US subjects | US (us-east-1) | None needed | Bulk |
| UK subjects | EU/UK | UK IDTA | Bulk |
| All | Stripe US (billing only) | SCC + IDTA | B2B only |
6. Change history
| Date | Version | Change | Approver |
|---|---|---|---|
| 2026-05-20 | 1.0 | Initial publication | DPO |
[TBD: counsel review — confirm Art. 30 sufficiency; confirm 7y AML retention applies in each tenant geography; confirm UK IDTA wording; pick sanctions vendor.]
