Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.
Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)
Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts
Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Phase 2 — Classification
Generated: 2026-05-14
Based on: data-inventory.md (Phase 1) and user-confirmed answers to Section 7 questions.
## Confirmed parameters
| Parameter | Value |
|---|---|
| Legal entity | ResolutionFlow LLC |
| Registered address (DPA only — not public) | 716 Hearthstone Xing, Woodstock, GA 30189 — [LEGAL REVIEW: replace with registered-agent address before publishing any contracts that include this] |
| Privacy / legal contact | support@resolutionflow.com |
| Jurisdictions in scope | US federal + state baseline, CCPA/CPRA, EU GDPR, UK GDPR, all in-force US state comprehensive privacy laws (VA, CO, CT, UT, TX, OR, MT, IN, IA, TN, DE, NH, NJ, MD, MN, RI, KY). Reachable from anywhere the US permits traffic. |
| Live LLM provider | Anthropic only (current). Future plans: BYOK + multi-LLM — disclose only Anthropic now; revise on rollout. |
| Live embedding provider | Voyage AI (key set) |
| Gemini | Code path present but not currently live — exclude from public Subprocessor List until activated. |
| Active PSA provider | ConnectWise only (Autotask + HaloPSA stubs not live). |
| Sentry region | US |
| Railway region | US |
| Microsoft Learn MCP | Enabled. Pulls Microsoft docs; no Customer Data egress — disclose as informational only, not a Customer-Data subprocessor. |
| Children's data | None — disclaim under 16 / COPPA. |
| Public surfaces | Marketing pages, sales-lead form, signup, and public flow shares only. |
| Backup retention | 90 days. |
| Third-party tools outside the codebase (Zapier, CRM, etc.) | None at this time. |
## Controller vs Processor mapping
| Data category | RF role | Controller | Notes |
|---|---|---|---|
| User accounts (name, email, password_hash, profile) | Controller | ResolutionFlow LLC | Covered by Privacy Policy |
| Audit logs (incl. IP addresses) | Controller | ResolutionFlow LLC | Privacy Policy; legal basis = legitimate interests (security) |
| Telemetry (PostHog, Sentry, AI usage tracking) | Controller | ResolutionFlow LLC | Privacy Policy; legitimate interests + consent for analytics in EU/UK |
| Marketing leads (sales_leads, beta signup) | Controller | ResolutionFlow LLC | Privacy Policy; legitimate interests / consent |
| Billing / subscription / Stripe IDs | Controller | ResolutionFlow LLC | Privacy Policy; contract performance |
| PSA-derived ticket data, intake_content, conversation_messages, file uploads, escalation packages, resolution notes, embeddings derived from this content | Processor | The MSP customer | DPA-governed. RF acts on documented instructions. |
| Knowledge Flywheel / flow content authored within a tenant | Processor | The MSP customer | Tenant-isolated; no cross-tenant sharing detected. |
| Resolution-note writeback to ConnectWise | Processor | The MSP customer | RF writes to the customer's own ConnectWise tenant under instruction. |
### Under CCPA/CPRA
- ResolutionFlow is a Business for: user account data, marketing data, billing, telemetry.
- ResolutionFlow is a Service Provider for: all Customer Data routed through the Services (covered by DPA, which serves as the written contract required by CCPA §1798.140(ag)).
- ResolutionFlow does not sell or share personal information for cross-context behavioral advertising.
## Legal-basis assignments (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the Services to the user / MSP | Contract performance (Art. 6(1)(b)) |
| Authenticate, secure, prevent fraud | Legitimate interests (Art. 6(1)(f)) — balancing test documented |
| Transactional email (invites, password resets, billing) | Contract performance |
| Marketing email | Consent (Art. 6(1)(a)) [LEGAL REVIEW: confirm whether RF is sending marketing emails today and obtain consent at the appropriate touchpoint] |
| Product analytics (PostHog) and error tracking with PII (Sentry `send_default_pii=True`) | Legitimate interests + consent where required for non-essential cookies (EU/UK) [LEGAL REVIEW: a consent banner is required before PostHog/cookie-persisted analytics fire for EU/UK visitors] |
| AI / LLM features | Contract performance (it's part of the Services) |
| Aggregated product improvement | Legitimate interests |
| Comply with legal requests | Legal obligation (Art. 6(1)(c)) |
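The Sentry row above rests on `send_default_pii=True`, which attaches user identifiers and request headers to every error event sent to a US-hosted subprocessor. The block below is an added example, not code from the classification document or the ResolutionFlow code base: it shows the narrowed configuration (`send_default_pii=False`) alongside a `before_send` scrubber that strips residual PII before an event leaves the backend. The function names `scrub_event` and `init_sentry`, the key lists, and the sample event are assumptions constructed for illustration; the `sentry_sdk.init(dsn=..., send_default_pii=..., before_send=...)` call itself is the real SDK entry point.

```python
"""Added example: narrow Sentry PII export for a FastAPI backend.

Not part of the ResolutionFlow project. Event shape follows the Sentry event
payload (`user`, `request` sections); SAMPLE_EVENT is constructed.
"""
import copy
from typing import Optional

# Keys under event["user"] that identify a person; an opaque id is kept so
# that error rates per tenant can still be counted.
USER_PII_KEYS = {"email", "username", "ip_address", "geo"}

# Request headers that carry credentials or session identifiers.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def scrub_event(event: dict, hint: Optional[dict] = None) -> dict:
    """Return a copy of `event` with user PII and sensitive request data removed.

    Matches the `before_send(event, hint)` signature sentry_sdk calls for each
    event; returning the scrubbed copy lets the event through, returning None
    would drop it entirely.
    """
    event = copy.deepcopy(event)

    user = event.get("user")
    if isinstance(user, dict):
        for key in list(user):
            if key in USER_PII_KEYS:
                del user[key]

    request = event.get("request")
    if isinstance(request, dict):
        headers = request.get("headers")
        if isinstance(headers, dict):
            for name in list(headers):
                if name.lower() in SENSITIVE_HEADERS:
                    headers[name] = "[Filtered]"
        # Cookies and request bodies (which may hold free-text fields such as
        # intake_content) are not needed to debug a stack trace.
        request.pop("cookies", None)
        request.pop("data", None)

    return event


def init_sentry(dsn: str) -> bool:
    """Wire the scrubber into sentry_sdk; returns False if the SDK is absent.

    `send_default_pii=False` is the narrowed default; `before_send` covers
    anything an integration still attaches explicitly.
    """
    try:
        import sentry_sdk
    except ImportError:
        return False
    sentry_sdk.init(
        dsn=dsn,
        send_default_pii=False,
        before_send=scrub_event,
    )
    return True


# Constructed sample: roughly what a FastAPI exception event carries when
# send_default_pii=True and no scrubbing is configured.
SAMPLE_EVENT = {
    "event_id": "constructed-event-id",
    "user": {"id": "u_123", "email": "tech@example.com", "ip_address": "203.0.113.7"},
    "request": {
        "url": "https://app.example/api/tickets",
        "headers": {"Authorization": "Bearer constructed-token", "User-Agent": "x"},
        "cookies": {"session": "constructed-session"},
        "data": {"intake_content": "free text typed by a technician"},
    },
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

`scrub_event` deep-copies so the in-process event object (which Sentry integrations may reuse) is left untouched, and it filters headers by lowercase name because Starlette normalises header case differently from raw WSGI servers.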
## International transfer mechanism
- EU/UK → US transfers rely on Standard Contractual Clauses (Module 2 / Module 3 as applicable) + UK Addendum. [LEGAL REVIEW: consider EU-US Data Privacy Framework certification when ResolutionFlow LLC qualifies — it materially improves the transfer story]
- All current subprocessors host in the US. SCCs are the baseline transfer mechanism for each.
## Sensitive-category posture
- ResolutionFlow does not intentionally collect GDPR Art. 9 special categories or CPRA "sensitive PI."
- Incidental collection risk: free-text fields (`intake_content`, `conversation_messages`, `session_feedback`, `outcome_notes`) can incidentally contain anything an MSP technician types — including healthcare details if the MSP serves healthcare clients. This is the basis for the ToS prohibition on PHI / regulated-data submission without a BAA in place.
## HIPAA / PCI posture
- HIPAA: ResolutionFlow is not currently HIPAA-compliant. ToS will prohibit PHI submission absent a BAA.
- PCI: SAQ A scope — Stripe Elements handles card data; ResolutionFlow stores only Stripe IDs.
## Children's data
- B2B IT-professional tool. Disclaim under 16 / COPPA in Privacy Policy.
## Open commercial / legal decisions punted to attorney
Captured for the attorney-review checklist (Phase 4) — not blockers for generation:
- Governing law + venue / arbitration vs litigation
- Liability cap calibration
- Indemnification scope
- Refund / proration policy
- Article 27 EU representative designation
- Whether to pursue EU-US DPF certification
- Whether to use a registered-agent address for the LLC on public + contractual docs