# Phase 2 — Classification

Generated: 2026-05-14
Based on: `data-inventory.md` (Phase 1) and user-confirmed answers to Section 7 questions.

## Confirmed parameters

| Parameter | Value |
|---|---|
| Legal entity | **ResolutionFlow LLC** |
| Registered address (DPA only — not public) | 716 Hearthstone Xing, Woodstock, GA 30189 — **`[LEGAL REVIEW: replace with registered-agent address before publishing any contracts that include this]`** |
| Privacy / legal contact | `support@resolutionflow.com` |
| Jurisdictions in scope | US federal + state baseline, CCPA/CPRA, EU GDPR, UK GDPR, all in-force US state comprehensive privacy laws (VA, CO, CT, UT, TX, OR, MT, IN, IA, TN, DE, NH, NJ, MD, MN, RI, KY). Reachable from anywhere the US permits traffic. |
| Live LLM provider | **Anthropic only** (current). Future plans: BYOK + multi-LLM — disclose only Anthropic now; revise on rollout. |
| Live embedding provider | **Voyage AI** (key set) |
| Gemini | Code path present but not currently live — **exclude from public Subprocessor List** until activated. |
| Active PSA provider | **ConnectWise only** (Autotask + HaloPSA stubs not live). |
| Sentry region | US |
| Railway region | US |
| Microsoft Learn MCP | Enabled. Pulls Microsoft docs; no Customer Data egress — disclose as informational only, not a Customer-Data subprocessor. |
| Children's data | None — disclaim under 16 / COPPA. |
| Public surfaces | Marketing pages, sales-lead form, signup, and public flow shares only. |
| Backup retention | 90 days. |
| Third-party tools outside the codebase (Zapier, CRM, etc.) | None at this time. |

## Controller vs Processor mapping

| Data category | RF role | Controller | Notes |
|---|---|---|---|
| User accounts (name, email, password_hash, profile) | **Controller** | ResolutionFlow LLC | Covered by Privacy Policy |
| Audit logs (incl. IP addresses) | **Controller** | ResolutionFlow LLC | Privacy Policy; legal basis = legitimate interests (security) |
| Telemetry (PostHog, Sentry, AI usage tracking) | **Controller** | ResolutionFlow LLC | Privacy Policy; legitimate interests + consent for analytics in EU/UK |
| Marketing leads (`sales_leads`, beta signup) | **Controller** | ResolutionFlow LLC | Privacy Policy; legitimate interests / consent |
| Billing / subscription / Stripe IDs | **Controller** | ResolutionFlow LLC | Privacy Policy; contract performance |
| **PSA-derived ticket data, intake_content, conversation_messages, file uploads, escalation packages, resolution notes, embeddings derived from this content** | **Processor** | The MSP customer | DPA-governed. RF acts on documented instructions. |
| Knowledge Flywheel / flow content authored within a tenant | **Processor** | The MSP customer | Tenant-isolated; no cross-tenant sharing detected. |
| Resolution-note writeback to ConnectWise | **Processor** | The MSP customer | RF writes to the customer's own ConnectWise tenant under instruction. |

## Under CCPA/CPRA

- ResolutionFlow is a **Business** for: user account data, marketing data, billing, telemetry.
- ResolutionFlow is a **Service Provider** for: all Customer Data routed through the Services (covered by DPA, which serves as the written contract required by CCPA §1798.140(ag)).
- ResolutionFlow **does not sell or share** personal information for cross-context behavioral advertising.

## Legal-basis assignments (GDPR Art. 6)

| Purpose | Legal basis |
|---|---|
| Provide the Services to the user / MSP | Contract performance (Art. 6(1)(b)) |
| Authenticate, secure, prevent fraud | Legitimate interests (Art. 6(1)(f)) — balancing test documented |
| Transactional email (invites, password resets, billing) | Contract performance |
| Marketing email | Consent (Art. 6(1)(a)) **`[LEGAL REVIEW: confirm whether RF is sending marketing emails today and obtain consent at the appropriate touchpoint]`** |
| Product analytics (PostHog) and error tracking with PII (Sentry `send_default_pii=True`) | Legitimate interests + consent where required for non-essential cookies (EU/UK) **`[LEGAL REVIEW: a consent banner is required before PostHog/cookie-persisted analytics fire for EU/UK visitors]`** |
| AI / LLM features | Contract performance (it's part of the Services) |
| Aggregated product improvement | Legitimate interests |
| Comply with legal requests | Legal obligation (Art. 6(1)(c)) |

## International transfer mechanism

- **EU/UK → US transfers** rely on **Standard Contractual Clauses (Module 2 / Module 3 as applicable) + UK Addendum**. **`[LEGAL REVIEW: consider EU-US Data Privacy Framework certification when ResolutionFlow LLC qualifies — it materially improves the transfer story]`**
- All current subprocessors host in the US. SCCs are the baseline transfer mechanism for each.

## Sensitive-category posture

- ResolutionFlow does **not** intentionally collect GDPR Art. 9 special categories or CPRA "sensitive PI."
- **Incidental collection risk:** free-text fields (`intake_content`, `conversation_messages`, `session_feedback`, `outcome_notes`) can incidentally contain anything an MSP technician types — including healthcare details if the MSP serves healthcare clients. This is the basis for the ToS prohibition on PHI / regulated-data submission without a BAA in place.

## HIPAA / PCI posture

- **HIPAA:** ResolutionFlow is **not currently HIPAA-compliant**. ToS will prohibit PHI submission absent a BAA.
- **PCI:** SAQ A scope — Stripe Elements handles card data; ResolutionFlow stores only Stripe IDs.

## Children's data

- B2B IT-professional tool. Disclaim under 16 / COPPA in Privacy Policy.

## Open commercial / legal decisions punted to attorney

Captured for the attorney-review checklist (Phase 4) — not blockers for generation:

- Governing law + venue / arbitration vs litigation
- Liability cap calibration
- Indemnification scope
- Refund / proration policy
- Article 27 EU representative designation
- Whether to pursue EU-US DPF certification
- Whether to use a registered-agent address for the LLC on public + contractual docs