Compliance
Records of Processing Activities
GDPR Article 30 · Controller: Beweird SAS · DPO: privacy@azothos.ai
Last updated: 8 May 2026 · Review cycle: quarterly
How to read this document
Each record describes one processing activity. For each activity we document: the purpose, legal basis, categories of data subjects and personal data, recipients, retention period, and the technical and organisational measures (TOMs) in place.
ACT-001User account management
| Purpose | Creating and maintaining user accounts; authenticating users to the dashboard. |
| Legal basis | Contract (Art. 6(1)(b)) — necessary to deliver the Service. |
| Data subjects | Registered users. |
| Personal data | Email address, hashed password (Supabase Auth), authentication tokens, last sign-in timestamp. |
| Recipients | Supabase (Auth + Database sub-processor). |
| Retention | For the duration of the account, plus 30 days after deletion. |
| Transfers | Supabase US (EU-US DPA in place). |
ACT-002AI usage telemetry (traces)
| Purpose | Recording AI API call metadata for cost attribution, optimisation, and analytics presented in the dashboard. |
| Legal basis | Contract (Art. 6(1)(b)) — the platform cannot function without recording call data. |
| Data subjects | Workspace members whose agents generate AI calls. |
| Personal data | Model name, provider, token counts, cost_usd, latency_ms, agent_id, workflow_id, status, traced_at. No prompt or response text is stored in traces. |
| Recipients | Supabase (Database). |
| Retention | 12 months, then auto-deleted by purge_expired_data(). |
| Transfers | Supabase US (EU-US DPA in place). |
ACT-003Semantic cache
| Purpose | Caching AI model responses to serve semantically identical prompts without a new LLM call, reducing cost. |
| Legal basis | Legitimate interest (Art. 6(1)(f)) — economic optimisation; overrides minimal personal data interest. |
| Data subjects | End users of the workspace's AI-powered products. |
| Personal data | Prompt text (hashed for exact lookup; full text for similarity search), cached response text, cost_usd, model, provider, expires_at. |
| Recipients | Supabase (Database); OpenAI (embedding generation — prompt text sent for vectorisation). |
| Retention | 7 days (configurable per entry), then auto-expired. |
| Transfers | Supabase US; OpenAI US (DPA in place). |
ACT-004Billing and subscription management
| Purpose | Processing payments for paid plans (Developer, Pro, Team, Scale, Enterprise); managing subscriptions; issuing invoices. |
| Legal basis | Contract (Art. 6(1)(b)); Legal obligation for invoicing (Art. 6(1)(c)). |
| Data subjects | Workspace owners who subscribe to a paid plan. |
| Personal data | Email address, Stripe customer ID, subscription ID, subscription status, invoice history. Card details held exclusively by Stripe (not by Azoth). |
| Recipients | Stripe (Payment Processor sub-processor). |
| Retention | Subscription data for the duration of the contract + 7 years (legal/tax retention). |
| Transfers | Stripe US (EU-US DPA in place). |
ACT-005Audit logging
| Purpose | Recording administrative and security-relevant actions for accountability, compliance, and incident response. |
| Legal basis | Legal obligation (Art. 6(1)(c)) — SOC 2 and GDPR accountability principle; Legitimate interest for security. |
| Data subjects | Authenticated users performing write operations. |
| Personal data | User ID, workspace ID, action type, entity type/ID, IP address, user agent, timestamp. |
| Recipients | Supabase (Database); log aggregators (Axiom / Datadog — optional). |
| Retention | 24 months (SOC 2 audit trail requirement), then auto-deleted. |
| Transfers | Supabase US; log aggregator per customer configuration. |
ACT-006Loop detection and agent governance
| Purpose | Detecting infinite loops or cost-runaway in AI agents to protect workspace budget and prevent abuse. |
| Legal basis | Contract (Art. 6(1)(b)) — core platform safety feature. |
| Data subjects | Workspace members whose agents are monitored. |
| Personal data | Agent ID, workspace ID, prompt hash (not plaintext), call timestamps, cost per call, detected pattern type. |
| Recipients | Supabase (loop_events table); Upstash Redis (ephemeral 5-minute sliding window). |
| Retention | Redis: 5-minute TTL. DB: 6 months, then auto-deleted. |
| Transfers | Supabase US; Upstash US/EU (DPA in place). |
ACT-007Error tracking and observability
| Purpose | Capturing application errors and performance metrics to maintain service reliability. |
| Legal basis | Legitimate interest (Art. 6(1)(f)) — necessary to maintain the SLA committed to customers. |
| Data subjects | Users who encounter application errors. |
| Personal data | Error stack trace, browser metadata, URL, Sentry session ID. PII stripped by beforeSend hook (no auth tokens, cookies, or API keys). |
| Recipients | Sentry (Error Tracking sub-processor). |
| Retention | 90 days in Sentry. Session Replay only recorded with analytics_consent cookie. |
| Transfers | Sentry US (DPA in place). |
ACT-008Webhook delivery
| Purpose | Delivering outbound webhook notifications to customer-configured URLs upon platform events. |
| Legal basis | Contract (Art. 6(1)(b)) — optional feature configured by workspace owners. |
| Data subjects | Workspace owners who configure webhook endpoints. |
| Personal data | Webhook URL, event payload (workspace-scoped operational data), HTTP response code, delivery timestamp. |
| Recipients | Customer-specified endpoints (controller to controller). |
| Retention | 6 months, then auto-deleted. |
| Transfers | Customer-specified endpoint location. |
ACT-009AI inference via Anthropic
| Purpose | Forwarding user prompts to Anthropic's language models to generate AI completions on behalf of workspace members. |
| Legal basis | Contract (Art. 6(1)(b)) — AI inference is the core service; without forwarding prompts, the platform cannot function. |
| Data subjects | End users whose prompts are processed by the platform. |
| Personal data | Prompt text (already PII-redacted per workspace data policy before forwarding), session identifiers, model parameters. |
| Recipients | Anthropic PBC (AI inference sub-processor; DPA in place; Anthropic's data processing terms apply). |
| Retention | Anthropic retains inputs/outputs for up to 30 days for safety and abuse monitoring per their API policy. Azoth does not retain prompt content beyond the ingest_queue processing window (≤5 minutes). |
| Transfers | Anthropic US. Standard Contractual Clauses (SCCs) in place for EU-US transfers. |
Technical and organisational measures (TOMs)
- Encryption in transit — TLS 1.3 on all endpoints; HSTS enforced.
- Encryption at rest — Supabase (PostgreSQL) AES-256 at rest; Upstash Redis TLS.
- Access control — Row-Level Security (RLS) on all tables; workspace-scoped API keys; RBAC with owner/admin/member roles.
- Audit logging — Immutable audit_logs table; all write operations logged with actor, IP, and entity.
- Data minimisation — API keys stored as SHA-256 hashes; no plaintext secrets at rest.
- Retention enforcement — Automated purge_expired_data() function scheduled nightly (pg_cron or GitHub Actions).
- Breach notification — Sentry error tracking + structured alerting; 72-hour notification SLA per GDPR Art. 33.
- Sub-processor contracts — DPA in place with Supabase, Stripe, Upstash, Vercel, Resend, and Anthropic.
Data subject rights
- Access (Art. 15) — Available via dashboard Settings → Export data, or
GET /api/v1/export. - Portability (Art. 20) — Machine-readable JSON/NDJSON export via
GET /api/v1/export. - Erasure (Art. 17) — Account deletion via dashboard Settings → Delete account, or
DELETE /api/v1/me. Data purged within 30 days. - Rectification (Art. 16) — Profile data editable in dashboard. Contact privacy@azothos.ai for data we hold.
- Objection / restriction (Art. 21/18) — Contact privacy@azothos.ai. We respond within 30 days.
Supervisory authority
As a French company, our lead supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés). You may also contact your local EU supervisory authority. To exercise any right, email privacy@azothos.ai.