chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
41f551991664b1ca2e3b4fd15a5d6b923b8c924b
resolutionflow/legal/classification.md
Michael Chihlas 41f5519916
All checks were successful
Mirror to GitHub / mirror (push) Successful in 6s
Details
docs(legal): add baseline legal documents (privacy, ToS, DPA, subprocessors, cookies) 
Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.

Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
  PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)

Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts

Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:51:19 -04:00

88 lines
5.9 KiB
Markdown
Raw Blame History

# Phase 2 — Classification
Generated: 2026-05-14
Based on: `data-inventory.md` (Phase 1) and user-confirmed answers to Section 7 questions.
## Confirmed parameters
| Parameter | Value |
|---|---|
| Legal entity | **ResolutionFlow LLC** |
| Registered address (DPA only — not public) | 716 Hearthstone Xing, Woodstock, GA 30189 — **`[LEGAL REVIEW: replace with registered-agent address before publishing any contracts that include this]`** |
| Privacy / legal contact | `support@resolutionflow.com` |
| Jurisdictions in scope | US federal + state baseline, CCPA/CPRA, EU GDPR, UK GDPR, all in-force US state comprehensive privacy laws (VA, CO, CT, UT, TX, OR, MT, IN, IA, TN, DE, NH, NJ, MD, MN, RI, KY). Reachable from anywhere the US permits traffic. |
| Live LLM provider | **Anthropic only** (current). Future plans: BYOK + multi-LLM — disclose only Anthropic now; revise on rollout. |
| Live embedding provider | **Voyage AI** (key set) |
| Gemini | Code path present but not currently live — **exclude from public Subprocessor List** until activated. |
| Active PSA provider | **ConnectWise only** (Autotask + HaloPSA stubs not live). |
| Sentry region | US |
| Railway region | US |
| Microsoft Learn MCP | Enabled. Pulls Microsoft docs; no Customer Data egress — disclose as informational only, not a Customer-Data subprocessor. |
| Children's data | None — disclaim under 16 / COPPA. |
| Public surfaces | Marketing pages, sales-lead form, signup, and public flow shares only. |
| Backup retention | 90 days. |
| Third-party tools outside the codebase (Zapier, CRM, etc.) | None at this time. |
## Controller vs Processor mapping
| Data category | RF role | Controller | Notes |
|---|---|---|---|
| User accounts (name, email, password_hash, profile) | **Controller** | ResolutionFlow LLC | Covered by Privacy Policy |
| Audit logs (incl. IP addresses) | **Controller** | ResolutionFlow LLC | Privacy Policy; legal basis = legitimate interests (security) |
| Telemetry (PostHog, Sentry, AI usage tracking) | **Controller** | ResolutionFlow LLC | Privacy Policy; legitimate interests + consent for analytics in EU/UK |
| Marketing leads (`sales_leads`, beta signup) | **Controller** | ResolutionFlow LLC | Privacy Policy; legitimate interests / consent |
| Billing / subscription / Stripe IDs | **Controller** | ResolutionFlow LLC | Privacy Policy; contract performance |
| **PSA-derived ticket data, intake_content, conversation_messages, file uploads, escalation packages, resolution notes, embeddings derived from this content** | **Processor** | The MSP customer | DPA-governed. RF acts on documented instructions. |
| Knowledge Flywheel / flow content authored within a tenant | **Processor** | The MSP customer | Tenant-isolated; no cross-tenant sharing detected. |
| Resolution-note writeback to ConnectWise | **Processor** | The MSP customer | RF writes to the customer's own ConnectWise tenant under instruction. |
## Under CCPA/CPRA
- ResolutionFlow is a **Business** for: user account data, marketing data, billing, telemetry.
- ResolutionFlow is a **Service Provider** for: all Customer Data routed through the Services (covered by DPA, which serves as the written contract required by CCPA §1798.140(ag)).
- ResolutionFlow **does not sell or share** personal information for cross-context behavioral advertising.
## Legal-basis assignments (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the Services to the user / MSP | Contract performance (Art. 6(1)(b)) |
| Authenticate, secure, prevent fraud | Legitimate interests (Art. 6(1)(f)) — balancing test documented |
| Transactional email (invites, password resets, billing) | Contract performance |
| Marketing email | Consent (Art. 6(1)(a)) **`[LEGAL REVIEW: confirm whether RF is sending marketing emails today and obtain consent at the appropriate touchpoint]`** |
| Product analytics (PostHog) and error tracking with PII (Sentry `send_default_pii=True`) | Legitimate interests + consent where required for non-essential cookies (EU/UK) **`[LEGAL REVIEW: a consent banner is required before PostHog/cookie-persisted analytics fire for EU/UK visitors]`** |
| AI / LLM features | Contract performance (it's part of the Services) |
| Aggregated product improvement | Legitimate interests |
| Comply with legal requests | Legal obligation (Art. 6(1)(c)) |
## International transfer mechanism
- **EU/UK → US transfers** rely on **Standard Contractual Clauses (Module 2 / Module 3 as applicable) + UK Addendum**. **`[LEGAL REVIEW: consider EU-US Data Privacy Framework certification when ResolutionFlow LLC qualifies — it materially improves the transfer story]`**
- All current subprocessors host in the US. SCCs are the baseline transfer mechanism for each.
## Sensitive-category posture
- ResolutionFlow does **not** intentionally collect GDPR Art. 9 special categories or CPRA "sensitive PI."
- **Incidental collection risk:** free-text fields (`intake_content`, `conversation_messages`, `session_feedback`, `outcome_notes`) can incidentally contain anything an MSP technician types — including healthcare details if the MSP serves healthcare clients. This is the basis for the ToS prohibition on PHI / regulated-data submission without a BAA in place.
## HIPAA / PCI posture
- **HIPAA:** ResolutionFlow is **not currently HIPAA-compliant**. ToS will prohibit PHI submission absent a BAA.
- **PCI:** SAQ A scope — Stripe Elements handles card data; ResolutionFlow stores only Stripe IDs.
## Children's data
- B2B IT-professional tool. Disclaim under 16 / COPPA in Privacy Policy.
## Open commercial / legal decisions punted to attorney
Captured for the attorney-review checklist (Phase 4) — not blockers for generation:
- Governing law + venue / arbitration vs litigation
- Liability cap calibration
- Indemnification scope
- Refund / proration policy
- Article 27 EU representative designation
- Whether to pursue EU-US DPF certification
- Whether to use a registered-agent address for the LLC on public + contractual docs
Reference in New Issue View Git Blame Copy Permalink