GDPR Article 35 · Conducted: March 14, 2026 · Next review: September 2026
Processing Activity: Cachee caching, identity verification, and biometric authentication platform
Controller: H33.ai, Inc. d/b/a Cachee
DPO: privacy@h33.ai
Assessment Author: Privacy Team, H33.ai, Inc.
This DPIA is required under GDPR Article 35(3) because the processing involves:
Cachee provides a caching and identity verification platform. Customers (data controllers) use the Service to process their end-users' data, including encrypted biometric templates. Cachee acts as a data processor.
Customers integrate Cachee via API for caching and identity verification. End-users interact with Customer applications, not directly with Cachee. Cachee never decrypts biometric data — all processing occurs under Fully Homomorphic Encryption (FHE).
| Principle | Assessment |
|---|---|
| Lawful basis | Contract performance (Art 6(1)(b)) — processing is necessary to deliver the Service. Biometric processing relies on customer-obtained explicit consent (Art 9(2)(a)). |
| Data minimization | Only data strictly necessary for authentication is collected. Biometric data is encrypted via FHE and never decrypted by Cachee. No unnecessary analytics (no GA/Mixpanel). Chat101 requires cookie consent. |
| Purpose limitation | Customer Data processed solely to provide the Service. Not used for marketing, profiling, or secondary purposes. |
| Storage limitation | Specific retention periods enforced per data type (see ROPA). Automated daily purge of expired data. |
| Data subject rights | Self-service: export (Art 15/20), rectification (Art 16), erasure (Art 17), restriction (Art 18), objection (Art 21). All accessible from portal Settings. |
| Risk | Likelihood | Severity | Residual Risk | Mitigation |
|---|---|---|---|---|
| Unauthorized access to biometric data | Very Low | High | LOW | FHE — data is never decrypted during processing, so even a full database breach yields only ciphertext. Post-quantum cryptography (Kyber for key encapsulation, Dilithium for signatures) protects against future quantum-capable adversaries. |
| Unauthorized access to account data | Low | Medium | LOW | httpOnly cookies (no JS access to tokens), MFA support, rate-limited auth, session expiration, VPC isolation. |
| Data breach via subprocessor | Low | Medium | LOW | Contractual DPA with all subprocessors, 72-hour breach notification, card data never on Cachee infra (Stripe-only). |
| Excessive data retention | Low | Low | LOW | Automated daily purge (data-retention.js), OTP auto-expire (10 min), session auto-expire. |
| Cross-border transfer without safeguards | Very Low | Medium | LOW | All processing in US-East-1. SCCs Module 2 for any global subprocessors. No routine international transfers. |
| Biometric match error (false positive/negative) | Medium | Medium | MEDIUM | Customers are responsible for human review of automated decisions (Art 22). Cachee returns match scores, not final decisions. Documentation requires Customers to implement override mechanisms. |
| Insufficient consent for Chat101 | Very Low | Low | LOW | Granular cookie consent banner with per-category toggles. Chat101 only loads after explicit consent. Consent recorded server-side for audit. |
| Failure to respond to DSAR within 30 days | Low | Medium | LOW | Self-service endpoints for export, deletion, and rectification respond immediately. Restriction and objection requests trigger a DPO notification via SES. |
The DPO was consulted during this assessment and concurs with the risk ratings and mitigations described above. No prior consultation with a supervisory authority is required under Article 36, as all identified risks are mitigated to an acceptable level.
The processing activities are necessary and proportionate to the legitimate purpose of providing the Service. The primary risk (biometric data exposure) is effectively mitigated to LOW through FHE — the data is never decrypted during processing, rendering even a full breach non-disclosive.
All other risks are mitigated to LOW through a combination of technical (encryption, VPC isolation, automated retention) and organizational (DPA, DPO, training, incident response) measures.
The one MEDIUM residual risk (biometric match errors) is inherent to the technology and is mitigated by requiring Customers to implement human review mechanisms as documented in our DPA and Privacy Policy.
Next Review: September 2026 or when processing activities change materially.
Document Owner: Data Protection Officer (privacy@h33.ai)