Skip to content
Legal

Record of Processing Activities

RoPA per GDPR Art. 30.

Record of Processing Activities (RoPA)

Effective Date: May 20, 2026 Version: 1.0 Controller: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia. Statutory basis: GDPR Art. 30(1) (controller record) and Art. 30(2) (processor record). Owner: DPO — privacy@vereid.com.

One row per processing purpose × data category × legal basis × retention × sub-processor route. Rows referencing live EU traffic are tagged 🇪🇺-GATED — they are written into the record but the processing is suppressed at edge until counsel sign-off (Hard Gate 6).


1. Controller — VEREID Social, AIARCO ID

VEREID is the controller for end-users of vereid.com (Social) and asc.aiarco.com/auth (AIARCO ID), and for its own B2B Customer / Subscriber account records.

#PurposeCategories of data subjectsCategories of personal dataLegal basisRecipientsTransfers outside AU/EURetentionSecurity
C1Operate signup + loginSocial end-users; AIARCO ID end-usersEmail, password hash, MFA factor metadata, IP, user-agentArt. 6(1)(b) ContractAWS (hosting), SendGrid (verification email), Twilio (SMS OTP)US (Twilio, SendGrid) under SCC + AWS DPA Addendum90 days after account closure (then anonymised)TLS1.3, Argon2id, MFA enforced for admin
C2Operate social-graph + contentSocial end-usersPosts, comments, likes, follow graph, DMs, EXIF-stripped mediaArt. 6(1)(b) ContractAWS, Cloudflare (CDN)US (Cloudflare edge) under SCCUntil user delete; 30-day soft-delete windowPer data-class CMK, audit log
C3Identity verification (Social posting gate, T4)Social end-users opting to postDocument image, MRZ data, selfie, face template, OCR fieldsArt. 6(1)(b) Contract + Art. 9(2)(a) explicit consentAWS Rekognition, AWS TextractNone (region-locked)Template ≤30d; doc image 7y; raw selfie ≤30dPII-VAULT schema, KMS CMK pii-vault-and-audit
C4Sanctions screening at Customer onboardingB2B Customer principals + UBOsName, DOB, residential country, document numberArt. 6(1)(c) AML legal obligation + Art. 6(1)(f)Sanctions-list vendor [TBD]US (vendor) under SCC7 yearsRestricted IAM role; SOC2 vendor
C5BillingB2B subscribersCompany legal name, billing address, VAT/ABN, Stripe customer ID, invoice historyArt. 6(1)(b) Contract + Art. 6(1)(c) tax lawStripe (US — under the AIARCO ASC Stripe LIVE account)US (Stripe) under SCC7 years (tax)Stripe-tokenised PAN, no PAN in our systems
C6Security and audit loggingAllPrivileged action records, admin IP, decryption events, KMS key usageArt. 6(1)(c) + Art. 6(1)(f)AWS S3 Object LockNone7 yearsS3 Object Lock WORM, separate KMS CMK
C7Transactional email (anti-phishing-coded)AllEmail, content of notificationArt. 6(1)(b) ContractSendGridUS under SCC18 months log; content not retainedDKIM/DMARC/SPF aligned
C8Marketing email (Social + B2B prospects)Subscribers who opted inEmail, marketing prefs, engagement metricsArt. 6(1)(a) ConsentSendGrid, PostHogUS under SCC; EU PostHog region for EEA subjectsUntil opt-out + 12 months proofSingle opt-in + unsubscribe in every message
C9Product analyticsAll consentingPseudonymous device ID, page views, feature events (no PII)Art. 6(1)(a) Consent where required; Art. 6(1)(f) otherwisePostHogEU region for EEA; US otherwise13 monthsIP truncation /24; no cookies pre-consent in EEA/UK
C10Error / crash monitoringAllStack trace, request ID (PII-redacted)Art. 6(1)(f) Service securitySentryUS under SCC90 daysPII redaction at SDK and server
C11DSR fulfilment (export/delete/rectify)All requestersAll data tied to subjectArt. 6(1)(c) Art. 15/17/20 GDPR; APP 12/13AWS (signed S3 link)NoneExport bundle: signed link expires 7 days, deleted 30 daysPer-request KMS DEK; bundle hash audited
C12Cookie consent recordAllConsent string, IP truncated, timestamp, banner version hashArt. 6(1)(c) + Art. 6(1)(a)AWSNoneLifetime of account + 7y legal-defenceconsent_events append-only
C13Notifications (push, in-app, email)Social end-usersDevice push tokens, preferencesArt. 6(1)(b) ContractApple APNs, Google FCMUS under SCCUntil token revokedToken rotation on logout
C14Jobs sub-productSocial end-users opting inJob posts, applications, attached CVsArt. 6(1)(b) ContractAWS, employer CustomerNoneUntil user delete; 30-day soft-deletePer-user KMS DEK for CV
C15Abuse and Trust&SafetyReported users / reportersReport metadata, reviewed content, moderator decisionArt. 6(1)(f) + Art. 6(1)(c) DSA/eSafetyAWSNone18 months reasoning; 7y outcomeRestricted role
C16Fraud prevention (account-takeover defence)AllIP, device fingerprint hash, login velocity, geoArt. 6(1)(f)AWS, CloudflareNone for content; metadata via Cloudflare US6 monthsBot mgmt at edge, anomaly model

2. Processor — VEREID Auth, VEREID ID

VEREID is processor on behalf of B2B Customers. Each row describes the processing carried out on the Customer's instructions and documented in the DPA.

#Customer's purposeCategories of data subjectsCategories of personal dataSub-processors usedTransfersRetention defaultCustomer override available?
P1Hosted login (OIDC/SAML)Customer's end-usersEmail, password hash, MFA secrets, session metadataAWS, SendGrid, TwilioUS/AU/EU under SCC + AWS DPALifecycle-of-relationship + 90dShorter retention only
P2Identity verification API at T1–T5 (/v1/verify)Subject of verificationDocument image, MRZ, face template, selfie, OCR fieldsAWS, AWS Rekognition, AWS TextractNone (region-locked)Template ≤30d; doc image 7y; raw selfie ≤30dShorter retention only (document image fixed by AML)
P3Sanctions screening add-onSubjectName, DOB, countrySanctions vendor [TBD]US under SCC7y screening recordShorter retention only
P4Webhook delivery of verification resultSubjectVerification result event, HMAC signatureNoneNone7-day replay bufferOff-switch
P5Tenant admin loginCustomer staffEmail, MFA factor metadata, IP, auditAWS, SendGrid, TwilioUS under SCC90d after admin offboardShorter retention
P6Audit log access for CustomerCustomer staff (read-only)Audit events scoped to tenantAWSNone7y (Customer can export earlier)n/a
P7 🇪🇺-GATEDEU verification flowEU end-usersSame as P2Same as P2 but eu-central-1 regionNoneSameSame

3. Sub-processor summary (see SUB_PROCESSORS.md for full)

  • AWS (us-east-1; ap-southeast-2; eu-central-1 gated)
  • Stripe (US, AIARCO ASC LIVE account)
  • Twilio (US, SMS OTP)
  • SendGrid (US, transactional email)
  • Cloudflare (US/AU PoPs, WAF/CDN)
  • AWS Rekognition + AWS Textract (region-pinned)
  • PostHog (EU + US regions)
  • Sentry (US)
  • Sanctions vendor [TBD]

4. Data-subject categories — population estimates

CategoryEst. v1 size (12 mo)Notes
Social end-users100,000Verification gate may reduce active commenters
AIARCO ID end-users200,000Capped at 50,000 / tenant, multiple tenants
VEREID Auth end-users1,000,000Across all B2B Customers
VEREID ID verified persons500,000Largely transient — no account on our side
B2B Customer staff5,000

5. Cross-border transfers — summary

OriginDestinationMechanismVolume tier
AU subjectsAU (ap-southeast-2)None neededBulk
AU subjects (telemetry)US (Cloudflare, Sentry)APP 8 reasonable steps + SCCTelemetry only
EU subjects (gated)EU (eu-central-1)None needed within EEABulk
EU subjects (telemetry)US (Cloudflare, Sentry)SCC + Transfer Impact AssessmentTelemetry only
US subjectsUS (us-east-1)None neededBulk
UK subjectsEU/UKUK IDTABulk
AllStripe US (billing only)SCC + IDTAB2B only

6. Change history

DateVersionChangeApprover
2026-05-201.0Initial publicationDPO

[TBD: counsel review — confirm Art. 30 sufficiency; confirm 7y AML retention applies in each tenant geography; confirm UK IDTA wording; pick sanctions vendor.]