Note: DRAFT for Enterprise / Business tier subscribers requiring GDPR Article 28 / APPI compliance. Source: docs/legal/DPA.md.
Parties
Controller: the Customer (Merchant). Processor: SmartRich Inc. (Kizuki).
Sub-Processors
Cloudflare (Workers/D1/KV/R2), Anthropic / Google / OpenAI (LLM inference, no-train default), Stripe (payments), Sentry (errors), Apify (scraping, EU-native).
Personal Data Categories
Hashed author handles (SHA-256), public post text, author-detected locale, source URL, merchant team email + Telegram chat IDs. Not processed: card numbers, passwords, biometrics, special category data.
Technical & Organizational Measures
Multi-tenant DB isolation, HS256 JWT cookies (HttpOnly + Secure + SameSite=Lax), HMAC SHA-256 webhook signing, Cloudflare-encrypted secrets vault, immutable audit log, daily D1 → R2 backup, 4-tier staff RBAC + WebAuthn 2FA + 5-minute impersonation auto-end.
International Transfers
EEA → non-EEA via Standard Contractual Clauses + sub-processor DPAs. Japan adequacy decision applies for JP-hosted data.
Full DPA in docs/legal/DPA.md. Signed copy on request: privacy@kizuki.smartrich.ai.