
Compliance Registers

Auditor-facing reference binder: RoPA (Article 30), DPIA (Article 35), subprocessor inventory (Article 28), data residency (Article 13(1)(f)), retention policies, and DPA signatures.

Updated 2026-06-15

This is the auditor-facing reference binder. Each section below answers a specific Article 30 / 35 / 28 / 13 evidence request. Bookmark this URL — the operator console mirrors the same content at Aforo Product UI → Governance → Compliance Library for tenant-private editing.

How to use this page

| You are… | What you're looking for | Where on this page |
|---|---|---|
| A supervisory authority auditor | Records of Processing (Article 30(1) — Controller / 30(2) — Processor) | RoPA section below |
| An enterprise customer's DPO | Subprocessor list + cross-border transfer mechanisms | Subprocessors + Cross-border sections |
| Aforo's internal DPO | Filed DPIAs + residual risk acceptance | DPIA section |
| A retention policy auditor | How long Aforo keeps each data category | Retention policy section |
| Legal counsel verifying DPA execution | Click-through signature audit trail | DPA signature section |

Records of Processing Activities (Article 30)

Article 30 requires every controller and processor (with ≥ 250 employees, or processing of special categories, or processing that is not occasional) to maintain a written record of processing activities. Aforo maintains 7 documented activities on behalf of itself as Controller and 7 on behalf of customers as Processor.

The 9 mandatory fields per activity (Art. 30(1))

  • Name + contact details of the controller (and DPO, where applicable)
  • Purposes of the processing
  • Categories of data subjects + personal data
  • Categories of recipients
  • Cross-border transfers + the transfer mechanism
  • Envisaged time limits for erasure (retention)
  • General description of the technical + organisational security measures

Aforo's documented processing activities

| Activity | Lawful basis (Art. 6) | Data subjects | Retention |
|---|---|---|---|
| Customer account management | Contract (b) | End-customers + operators | Active + 30 days |
| Usage event metering + rating | Contract (b) | End-customers (as their consumers) | 13 months raw, aggregates indefinite |
| Billing + invoicing | Contract (b) + Legal obligation (c) | End-customers | 7 years (IRS) / 10 years (EU VAT) |
| Operator audit log | Legal obligation (c) + Legitimate interest (f) | Operators | 7 years |
| Support ticket handling | Legitimate interest (f) — improving service | End-customers + operators | 24 months from resolution |
| Security telemetry | Legitimate interest (f) — preventing breach | All | 13 months |
| Marketing email distribution | Consent (a) | Operators (subscribed) | Until consent withdrawn |

INFO
Full per-activity detail (each of the 9 Article 30(1) fields, including security measures, data categories, and envisaged retention) is rendered in the operator console's RoPA tab. The data above is the public summary suitable for sharing with prospective customers. Sign a DPA to receive the full register.

Data Protection Impact Assessments (Article 35)

Article 35 requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons" — particularly for systematic monitoring, large-scale special-category data, or automated decision-making. Aforo has filed 3 DPIAs to date covering the platform's highest-risk processing patterns.

| DPIA | Triggering processing | Risk score (1-10) | Residual risk | Status |
|---|---|---|---|---|
| AI Agent Tool Invocation Logging | Storing full prompts + completions + tool calls in storefront_ai_usage | 7 (HIGH) | 3 (after mitigations) | PROCEED_WITH_MONITORING |
| Cross-Tenant Analytics Aggregation | Aggregating usage stats across tenants for platform-wide benchmarks | 5 (MEDIUM) | 2 | PROCEED |
| Embedded Payment Storage | Holding tokenized PANs + last-4 for recurring billing across 4 gateways | 6 (HIGH) | 2 | PROCEED |

The 7 Article 35(7) elements captured per DPIA

  • Systematic description of envisaged processing + purposes
  • Assessment of necessity + proportionality vs purposes
  • Assessment of risks to data subjects (likelihood × impact matrix)
  • Measures envisaged to address risks (mitigations)
  • DPO consultation outcome
  • Residual risk after mitigations
  • Decision: PROCEED / PROCEED_WITH_MONITORING / BLOCK + reviewer + sign-off date

WARNING
When you file a DPIA on your side. If your tenant launches new high-risk processing built on top of Aforo — e.g., automated entitlement decisions, biometric customer verification — you own that DPIA. Aforo's 3 DPIAs above cover platform-level processing only. Coordinate with your own DPO and your supervisory authority for tenant-specific DPIAs.

Subprocessor inventory (Article 28)

Article 28(2) requires the processor (Aforo) to obtain prior authorisation from the controller (you) before engaging any subprocessor. Aforo discloses every active subprocessor below with the specific data flows, regions, and DPA references. Aforo notifies customers 30 days before adding a new subprocessor — you have a right to object during that window per the DPA.

| Subprocessor | Category | Data flows | Region(s) | DPA / Privacy link |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure (hosting) | All customer data (encrypted at rest + in transit) | us-east-1, eu-west-1, ap-south-1 | aws.amazon.com/service-terms/ |
| Stripe | Payment processor | Customer payment methods (tokenized), invoice amounts | US (with EU + UK SCCs) | stripe.com/legal/dpa |
| Razorpay | Payment processor (India) | Customer payment methods (tokenized), invoice amounts | India | razorpay.com/privacy/ |
| PayPal | Payment processor | Customer payment methods (tokenized), invoice amounts | US (with EU + UK SCCs) | paypal.com/dpa/ |
| AWS SES | Email delivery | Customer email addresses, transactional content (invoices, password resets) | us-east-1 | aws.amazon.com/dpa/ |
| Anthropic | AI inference (Claude) | Operator-authored prompts only — NO end-customer PII forwarded | US | anthropic.com/dpa |
| ClickHouse Inc. | Analytics database | Usage metadata only — NO customer PII or billing amounts | us-east-1, eu-west-1 | clickhouse.com/legal/data-processing-agreement |
| Avalara | Tax engine | Customer billing address (for jurisdiction lookup) — NO product detail | US (with EU + UK SCCs) | avalara.com/legal/ |

30-day change-notification commitment

Article 28(2) gives the Controller a right to object to new or replacement subprocessors. Aforo operationalizes this with:

  • 30-day notice before any new subprocessor goes live.
  • Email subscription at /trust-center on every tenant's storefront portal — DPO can subscribe for automated notification.
  • Termination right if the operator objects and Aforo cannot accommodate alternative arrangements.

Data residency (Article 13(1)(f))

Article 13(1)(f) requires controllers to inform data subjects of any international data transfers. Aforo discloses the following region map and transfer mechanisms.

| Region | Primary location | Replica (DR) | In-scope tenants |
|---|---|---|---|
| US East | us-east-1 (Virginia) | us-west-2 (Oregon) | Default — North America customers |
| EU West | eu-west-1 (Ireland) | eu-central-1 (Frankfurt) | EU/EEA + UK customers |
| APAC South | ap-south-1 (Mumbai) | ap-southeast-1 (Singapore) | India + APAC customers |

INFO
Data sovereignty for India. Indian-tenant data is stored exclusively in ap-south-1 (Mumbai) with DR in ap-southeast-1 (Singapore). This satisfies the DPDP Act 2023 + RBI data localization requirements for financial operators.

Cross-border transfer mechanisms

Articles 44-49 govern international transfers. Aforo uses the following mechanisms by transfer corridor:

| Transfer corridor | Mechanism | Reference |
|---|---|---|
| EU/EEA → US (Aforo + subprocessors) | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) — module 2 (Controller-to-Processor) | aforo.ai/dpf-certification |
| UK → US | UK Addendum to EU SCCs + UK Extension to DPF | aforo.ai/dpa-uk-addendum |
| EU/EEA → India (for India-tenant DR replica) | EU SCCs (Module 2) + supplementary technical measures (encryption at rest + in transit) | aforo.ai/dpa-india-addendum |
| India → US (for AI inference via Anthropic) | No end-customer PII transferred — only operator prompts. Operator consent at signup. | See PII Framework — Anthropic data flow |
| US ↔ Aforo-internal regions | Single legal entity (Aforo Inc.) — intra-group transfer agreement | Internal — not a third-country transfer |

Supplementary technical measures (Schrems II)

  • Encryption at rest — AES-256-GCM (AWS KMS-managed keys) on every PostgreSQL + ClickHouse + S3 bucket.
  • Encryption in transit — TLS 1.3 minimum across all inter-service and external traffic.
  • Pseudonymisation — customer identifiers are opaque UUIDs; analytics rollups do not re-identify.
  • Access logging — every PII read by privileged role is in the pii.* audit trail.
  • Transparency reports — Aforo publishes annual transparency reports detailing any government requests received.

Retention policy

Article 5(1)(e) requires data to be kept "for no longer than necessary." Aforo's default retention by data category:

| Data category | Active retention | Post-deletion retention | Justification |
|---|---|---|---|
| Account profile (name, email, contact info) | Lifetime of subscription | 30 days grace + then erased | Contract performance |
| Payment methods (tokenized) | Lifetime of subscription | Erased on deletion | Contract performance — token re-use |
| Invoice records | Lifetime of subscription | 7 years (IRS) / 10 years (EU VAT) — anonymized | Tax law (legal obligation, Art. 6(c)) |
| Usage events (raw) | 13 months | Auto-purged after 13 months | Operational + dispute resolution window |
| Usage events (aggregates) | Indefinite | Aggregates do not constitute personal data (anonymized) | Internal analytics |
| Audit log (operator actions) | 7 years | Erased after 7 years | SOC 2 + financial audit requirement |
| Audit log (pii.*) | 13 months | Erased after 13 months | Detect + investigate access patterns |
| Support tickets | 24 months from resolution | Erased after 24 months | Improving service quality |
| Security telemetry | 13 months | Erased after 13 months | Preventing breach (Art. 32) |
| Marketing consent records | Until withdrawn | Withdrawal entry retained for 7 years for audit | Demonstrate consent existed (Art. 7(1)) |

DPA signature audit trail

Aforo's DPA is signed via click-through acceptance during operator onboarding. Every signature event is captured in the operator audit log under the dpa.* action namespace.

| Action | Captures | When fired |
|---|---|---|
| dpa.signature_requested | DPA version, operator id, IP, UA | Operator opens the DPA acceptance flow |
| dpa.signed | DPA version, operator id, signature method (click-through or DocuSign), IP, UA, timestamp | Operator clicks "I accept" or DocuSign envelope completes |
| dpa.declined | Operator id, IP, UA, decline reason | Operator declines — account creation blocked |

Click-through legality

Click-through acceptance is legally binding under the click-through doctrine adopted across major jurisdictions (US ProCD v. Zeidenberg; EU eIDAS Article 25(1); India IT Act 2000 §10A). Aforo captures the four elements regulators check for:

  • Notice — full DPA text is rendered above the accept button (no scroll-trap).
  • Opportunity to review — DPA is downloadable as PDF before signing.
  • Distinct affirmative act — separate "I accept" button with active selection, not bundled with other terms.
  • Audit trail — IP, user agent, timestamp captured for evidentiary value.

INFO
v2 — DocuSign integration for enterprise. Enterprise customers requiring wet-signature equivalence can opt into DocuSign envelope flow during onboarding. The signed PDF is stored under aforo:/legal/dpa-signed/{tenantId}/... with the same dpa.signed audit row but signature_method: DOCUSIGN.
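The dpa.* rows described in this section are the record an auditor asks for, and the four elements (notice, opportunity to review, distinct affirmative act, audit trail) are only as strong as the row that captures them. The following is an added example, written for this page and not Aforo's own code, of a row builder that refuses to emit a signature event missing an evidentiary field, records the signature method (CLICK_THROUGH or DOCUSIGN), blocks the account on decline, and hash-links the rows so a later edit to the trail is detectable. The dpa_text_sha256 field, the DpaContext type, the hash-chain scheme, the function names and all sample values are this example's own assumptions, not fields documented on the page.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Action names from the dpa.* namespace described on this page.
ACTIONS = ("dpa.signature_requested", "dpa.signed", "dpa.declined")
SIGNATURE_METHODS = ("CLICK_THROUGH", "DOCUSIGN")
# Constructed sample inputs and a fixed clock so the example is deterministic.
SAMPLE_DPA_TEXT = "DATA PROCESSING AGREEMENT v2.1 (constructed sample text)"
FIXED_NOW = datetime(2026, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
GENESIS = "0" * 64  # prev_hash of the first row in a hash-linked trail


class AuditEvidenceError(ValueError):
    """A signature event is missing one of the evidentiary fields."""


@dataclass(frozen=True)
class DpaContext:
    """What the acceptance flow knows at the moment the operator acts (hypothetical type)."""
    dpa_version: str
    dpa_text: str  # the full DPA text rendered above the accept button
    operator_id: str
    ip: str
    user_agent: str

SAMPLE_CTX = DpaContext("v2.1", SAMPLE_DPA_TEXT, "op-0001", "203.0.113.5", "Mozilla/5.0")

def dpa_text_digest(dpa_text: str) -> str:
    """SHA-256 of the exact text shown (a hypothetical field, not on the page):
    it binds the signature to that text rather than only to a version label."""
    return hashlib.sha256(dpa_text.encode("utf-8")).hexdigest()

def missing_evidence(ctx: DpaContext) -> list:
    """Names of empty evidentiary fields; an empty list means the row is complete."""
    required = {"dpa_version": ctx.dpa_version, "operator_id": ctx.operator_id,
                "ip": ctx.ip, "user_agent": ctx.user_agent, "dpa_text": ctx.dpa_text}
    return [k for k, v in required.items() if not v or not v.strip()]

def _row(action: str, ctx: DpaContext, now: datetime) -> dict:
    """Build one audit row; refuse to emit one that would be useless as evidence."""
    missing = missing_evidence(ctx)
    if missing:
        raise AuditEvidenceError("missing evidentiary field(s): " + ", ".join(missing))
    if now.tzinfo is None or now.utcoffset() is None:
        raise AuditEvidenceError("timestamp must be timezone-aware")
    return {"action": action, "dpa_version": ctx.dpa_version,
            "dpa_text_sha256": dpa_text_digest(ctx.dpa_text), "operator_id": ctx.operator_id,
            "ip": ctx.ip, "user_agent": ctx.user_agent,
            "timestamp": now.astimezone(timezone.utc).isoformat()}

def signature_requested(ctx: DpaContext, now: datetime = None) -> dict:
    return _row(ACTIONS[0], ctx, now or datetime.now(timezone.utc))

def signed(ctx: DpaContext, method: str = "CLICK_THROUGH", now: datetime = None) -> dict:
    if method not in SIGNATURE_METHODS:
        raise ValueError("unknown signature method: " + method)
    return {**_row(ACTIONS[1], ctx, now or datetime.now(timezone.utc)),
            "signature_method": method}

def declined(ctx: DpaContext, reason: str, now: datetime = None) -> dict:
    # Per the page, a decline blocks account creation; record that outcome on the row.
    return {**_row(ACTIONS[2], ctx, now or datetime.now(timezone.utc)),
            "decline_reason": reason, "account_creation_blocked": True}

def _payload(row: dict) -> bytes:
    body = {k: v for k, v in row.items() if k not in ("prev_hash", "row_hash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

def chain(rows: list) -> list:
    """Hash-link rows (hypothetical scheme) so later edits or deletions are detectable."""
    prev, linked = GENESIS, []
    for row in rows:
        row_hash = hashlib.sha256(prev.encode("ascii") + _payload(row)).hexdigest()
        linked.append({**row, "prev_hash": prev, "row_hash": row_hash})
        prev = row_hash
    return linked

def verify_chain(rows: list) -> bool:
    """Recompute every link; any edited, removed or reordered row breaks the chain."""
    prev = GENESIS
    for row in rows:
        expected = hashlib.sha256(prev.encode("ascii") + _payload(row)).hexdigest()
        if row.get("prev_hash") != prev or row.get("row_hash") != expected:
            return False
        prev = expected
    return True

def is_signed(rows: list, operator_id: str, dpa_version: str) -> bool:
    """Onboarding gate: True once the trail holds a dpa.signed row for this operator and version."""
    return any(r["action"] == "dpa.signed" and r["operator_id"] == operator_id
               and r["dpa_version"] == dpa_version for r in rows)

def demo_trail() -> list:
    """Happy path on the constructed sample: open the flow, then click 'I accept'."""
    return chain([signature_requested(SAMPLE_CTX, FIXED_NOW),
                  signed(SAMPLE_CTX, "CLICK_THROUGH", FIXED_NOW)])
```

Two design choices worth noting: the builder raises rather than writing a partial row, because a dpa.signed row without IP, user agent or a timezone-aware timestamp fails the "audit trail" element and is worthless in a dispute; and hashing the rendered DPA text alongside the version label means a later edit to the text under the same version label cannot be mistaken for what the operator actually accepted.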