GDPR Article 30 · Last reviewed: March 14, 2026
Controller / Processor: H33.ai, Inc. d/b/a Cachee
DPO Contact: privacy@h33.ai
Representative: H33.ai, Inc., Attn: Privacy Team

| Activity | Purpose | Legal Basis | Data Categories | Data Subjects | Recipients | Retention | Security Measures |
|---|---|---|---|---|---|---|---|
| Account Registration | Create and manage customer accounts | Contract | Name, email, phone, company, billing address | Customers | Auth1, AWS (RDS) | Account duration + 30 days | TLS 1.3, encrypted at rest (AES-256), httpOnly cookies |
| Authentication (Magic Link) | Verify identity via email link | Contract | Email address, magic link token, IP address | Customers | Auth1, AWS SES | Token: 30 min; events: 12 months | httpOnly cookies, token expiration, rate limiting |
| Authentication (OTP/SMS) | Verify phone number via one-time code | Contract | Phone number, OTP code, IP address | Customers | Auth1, Twilio, AWS SNS | OTP: 10 min; flow: 1 hour | Rate limiting (3/min), code expiration, encrypted storage |
| Payment Processing | Process subscriptions and invoicing | Contract | Email, billing address (card data: Stripe only) | Customers | Stripe | 7 years (tax/legal) | PCI-DSS (Stripe), card data never on Cachee infra |
| Cache Infrastructure | Provision and operate caching service | Contract | API keys, namespace, CDN slug, VPC/IAM/TLS config | Customers | AWS (RDS, ElastiCache, CloudFront) | Account duration | VPC isolation, KMS encryption, IAM least privilege |
| Biometric Processing | Encrypted identity verification for customer end-users | Contract | Encrypted biometric templates (FHE), match scores | Customer end-users | AWS (compute) | Per customer agreement | FHE (data never decrypted), PQC, zero-knowledge proofs (ZKP) |
| Usage Analytics | Service improvement, performance monitoring | Legitimate Interest | API call logs, latency, error rates, IP, user agent | Customers, visitors | AWS (CloudWatch), internal | 24 months | Aggregation, no third-party analytics (no GA/Mixpanel) |
| Security Monitoring | Detect fraud, prevent abuse | Legitimate Interest | Auth events, login attempts, IP, session metadata | Customers | Internal, AWS | 12 months | Automated purge, encrypted storage |
| Support Chat | Provide live customer support | | Chat messages, session metadata, user agent | Customers, visitors (opted in) | Chat101 | 12 months | Cookie consent required, TLS in transit |
| Cookie Consent | Record and enforce cookie preferences | Legal Obligation | Consent choice, timestamp, IP, user agent | All visitors | AWS (RDS) | 3 years (audit trail) | Server-side recording, immutable log |
| Marketing Email | Send promotional communications | | Email address, consent status | Customers (opted in) | AWS SES | Until unsubscribe | Double opt-in, unsubscribe link in every email |
| Compliance (DSAR) | Respond to data subject access/deletion requests | Legal Obligation | Request metadata, customer ID, request type | Customers | Internal | 3 years | Authenticated endpoints, rate limiting, audit log |

All processing occurs within the United States. No routine transfers to countries outside the US. Where subprocessors operate globally (e.g., Stripe), Standard Contractual Clauses (SCCs) Module 2 apply.

| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 on all endpoints |
| Encryption at rest | AES-256 (AWS KMS, region-locked keys) |
| Pseudonymization | FHE for biometric data (never decrypted during processing) |
| Access control | IAM least privilege, httpOnly session cookies, MFA available |
| Data isolation | VPC isolation per region, no cross-region traffic |
| Backup & recovery | Automated RDS snapshots, point-in-time recovery |
| Monitoring | CloudWatch alerts, anomaly detection, audit logging |
| Data retention | Automated daily purge of expired data (data-retention.js) |
| Breach response | 72-hour notification per DPA Section 6 |

This ROPA is reviewed quarterly or whenever a new processing activity is introduced. Next review: June 2026.
Document Owner: Data Protection Officer (privacy@h33.ai)
Approved by: Privacy Team, H33.ai, Inc.