{"_meta":{"description":"ALETHEIA Data Processing Agreement & Compliance Tracking — Canonical source for per-subprocessor transfer-mechanism status. Aligns with HQ Data Policy v2.0.","version":"2.0.0","last_updated":"2026-04-20","review_schedule":"quarterly","next_review":"2026-07-20","supersedes":"1.0.0","alignment":{"hq_data_policy_version":"2.0","aletheia_privacy_version":"1.2"}},"data_controller":{"entity":"Holistic Quality LLC","jurisdiction":"US (Ohio, USA)","contact":"privacy@holisticquality.io","security_contact":"security@holisticquality.io","legal_contact":"legal@holisticquality.io","dpo_contact":null},"independent_controllers":[{"name":"RapidAPI (R Software Inc.)","role":"Independent data controller for marketplace users' account, billing, and KYC data","relationship":"NOT a subprocessor of Holistic Quality; operates under its own privacy policy","data_received_by_hq":["Hashed API-key identifier","Request metadata (endpoint, timestamp, status, latency)"],"data_NOT_received_by_hq":["RapidAPI account email address","Passwords","Payment card details","Billing address"],"privacy_policy_url":"https://rapidapi.com/privacy"}],"processors":[{"name":"Cloudflare","service":"DNS, CDN, edge security, DDoS protection, bot management, edge rate limiting","jurisdiction":"US (global edge network)","data_location":"Global edge network","dpa_status":"in_force","dpa_version":"6.4 (April 3, 2026)","dpa_url":"https://www.cloudflare.com/cloudflare-customer-dpa/","dpa_executed":"2026-04-03","dpa_execution_model":"Self-serve — DPA is Effective per §Preamble 'from the date on which Customer signed or the parties otherwise agreed to this DPA.' 
Continued use of the Cloudflare platform after the v6.4 publication date (April 3, 2026) constitutes acceptance; no countersignature required.","dpa_evidence":"ftp-dba/cloudflare_customer_dpa-v6.4_april_3_2026.pdf","dpa_acknowledged_by_hq":"2026-04-20","sccs_required":true,"sccs_status":"in_force","transfer_mechanism":"2021 EU Commission SCCs (Module 2 Controller→Processor) incorporated in Cloudflare DPA v6.4; UK IDTA Addendum B1.0; Swiss FADP terms; EU-U.S./UK-U.S./Swiss-U.S. Data Privacy Framework; Global CBPR/PRP System","privacy_policy_url":"https://www.cloudflare.com/privacypolicy/","data_categories":["IP addresses (used for edge routing and security; truncated to /24 before HQ-side logging)","Security cookies (anti-bot, WAF challenge state)","TLS session metadata","Request headers (for edge routing only)"],"retention":{"edge_security_logs":"Per Cloudflare provider policy (typically 7-30 days)","bot_management_data":"Per Cloudflare provider policy"},"encryption":"TLS 1.2/1.3 in transit, encrypted at rest","subprocessor_list_url":"https://www.cloudflare.com/gdpr/subprocessors/","dpa_evidence_sha256":"7c778ab8510c5db073768b105805d88024e82ea4feb8ad19b559f236d51d0be3"},{"name":"Upstash","service":"Serverless Redis — hashed API key storage, rate limiting, account records","jurisdiction":"EU (Ireland)","data_location":"eu-west-1 (AWS Ireland)","dpa_status":"in_force","dpa_version":"Last Updated April 2025","dpa_url":"https://upstash.com/trust/dpa.pdf","dpa_executed":"2025-04-01","dpa_execution_model":"Self-serve — Upstash DPA is incorporated by reference into the Upstash Terms of Service; acceptance of the TOS constitutes acceptance of the DPA. 
No countersignature required for initial execution (only DPA amendments require dual signature per §Customer Instructions).","dpa_acknowledged_by_hq":"2026-04-20","sccs_required":false,"sccs_status":"N/A","transfer_mechanism":"N/A — data stored in EU (eu-west-1); no cross-border transfer from EU controller perspective for this data category. Note: data_controller is recorded as US (Ohio, USA), so this N/A rests on storage location only; confirm separately whether access to these records from outside the EU needs its own transfer mechanism","privacy_policy_url":"https://upstash.com/trust/privacy.pdf","data_categories":["API key records (one-way hashed)","Email addresses","Usage counters","Trial flags","Enterprise inquiry data","Watchlist compound IDs","Webhook configurations","Rate limit counters"],"retention":{"api_keys_active":"Duration of active subscription (max 24 months idle on paid keys per Terms)","api_keys_post_cancellation":"90 days baseline; up to 120 days if open Stripe chargeback/dispute window applies","trial_flags":"30 days (auto-TTL)","usage_metadata":"90 days (auto-TTL)","rate_limits":"24 hours (auto-TTL)","inquiry_data":"30 days (auto-TTL)","encrypted_backups":"Roll off within 35 days of source-record deletion"},"encryption":"TLS in transit, AES-256 at rest (Upstash-managed keys)","subprocessor_list_url":"https://upstash.com/trust/subprocessors"},{"name":"Vercel","service":"Serverless compute, website hosting, infrastructure logs","jurisdiction":"US","data_location":"iad1 (US-East) and global edge","dpa_status":"in_force","dpa_version":"Effective March 31, 2026 (Pro/Enterprise plans)","dpa_url":"https://vercel.com/legal/dpa","dpa_executed":"2026-03-31","dpa_execution_model":"Self-serve — DPA applies automatically to Pro and Enterprise plan customers; continued use of the Vercel platform after the effective date constitutes acceptance. 
No countersignature required.","dpa_evidence_url":"https://assets.vercel.com/image/upload/q_auto/front/legal/dpa/Vercel_Inc_-_Data_Processing_Addendum.pdf","dpa_acknowledged_by_hq":"2026-04-20","sccs_required":true,"sccs_status":"in_force","transfer_mechanism":"2021 EU Commission SCCs incorporated in Vercel DPA; UK IDTA Addendum; Swiss FADP; EU-U.S. Data Privacy Framework (Vercel DPF-certified)","privacy_policy_url":"https://vercel.com/legal/privacy-policy","data_categories":["Request logs (IP truncated to /24 subnet per COMP-9)","Function execution metadata","CDN cache keys","Vercel Analytics (anonymous, no cookies, no fingerprinting)"],"retention":{"function_logs":"30 days (Vercel default)","cdn_cache":"Per Cache-Control headers"},"encryption":"TLS 1.3 in transit, encrypted at rest","subprocessor_list_url":"https://vercel.com/legal/subprocessors"},{"name":"Resend","service":"Transactional email delivery (API key issuance, security advisories, rights-request verification)","jurisdiction":"US","data_location":"US","dpa_status":"in_force","dpa_version":"Updated 31 December 2025","dpa_url":"https://resend.com/legal/dpa","dpa_executed":"2025-12-31","dpa_execution_model":"Self-serve — Resend DPA becomes legally binding upon Customer's acceptance of the Agreement (Terms of Service). Signature blocks in the DPA document are explicitly 'for reference purposes only' per the preamble. No countersignature required.","dpa_evidence_url":"https://resend.com/static/documents/resend-dpa-signed.pdf","dpa_acknowledged_by_hq":"2026-04-20","sccs_required":true,"sccs_status":"in_force","transfer_mechanism":"2021 EU Commission SCCs incorporated in Resend DPA; EU-U.S. 
Data Privacy Framework (Resend DPF-certified)","privacy_policy_url":"https://resend.com/legal/privacy-policy","data_categories":["Email addresses","Email content (PII masked per COMP-6)","Delivery metadata"],"retention":{"email_logs":"28 days (Resend retention policy)"},"encryption":"TLS in transit","subprocessor_list_url":"https://resend.com/legal/subprocessors"},{"name":"Stripe","service":"Payment processing and subscription management (direct-issued customers only)","jurisdiction":"US","data_location":"US","dpa_status":"in_force","dpa_version":"Incorporated into current Stripe Services Agreement (SSA)","dpa_url":"https://stripe.com/legal/dpa","dpa_executed":"Per active SSA","dpa_execution_model":"Self-serve — Stripe DPA (including Data Transfers Addendum) is incorporated into the Stripe Services Agreement. Per DPA: 'by entering into the Agreement, the data exporter and data importer are deemed to have signed these 2021 Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.' No separate countersignature required.","dpa_acknowledged_by_hq":"2026-04-20","sccs_required":true,"sccs_status":"in_force","transfer_mechanism":"2021 EU Commission SCCs and Data Transfers Addendum incorporated in Stripe DPA/SSA. Stripe is also a PCI-DSS Level 1 certified processor (a payment-security attestation, listed for reference; it is not a data-transfer mechanism)","privacy_policy_url":"https://stripe.com/privacy","data_categories":["Email address","Payment information (card data never touches ALETHEIA servers — PCI SAQ-A per COMP-7)"],"retention":{"billing_data":"Per Stripe retention policy"},"encryption":"TLS 1.2+ in transit, AES-256 at rest (Stripe managed)","subprocessor_list_url":"https://stripe.com/legal/service-providers"}]}