Records of Processing Activities
Effective: March 8, 2026
This document fulfills the obligation under GDPR Article 30 to maintain records of processing activities. It is maintained by the Data Protection Officer and made available to supervisory authorities upon request.
1. Controller Information
Controller: H33.ai, Inc.
Contact: privacy@h33.ai
Data Protection Officer: Eric Beans
DPO Contact: privacy@h33.ai
Website: https://h33.ai
2. Processing Activities
The following table documents all personal data processing activities carried out by H33, including the purpose, lawful basis, data categories, data subjects, recipients, and retention periods for each activity.
| Processing Activity | Purpose | Lawful Basis | Data Categories | Data Subjects | Recipients | Retention |
|---|---|---|---|---|---|---|
| User Authentication | Verify identity for API access | Contract (Art.6(1)(b)) | Email, phone, IP address | API customers | Auth1, AWS | Account lifetime + 90 days |
| Biometric Verification | FHE-encrypted identity verification | Explicit consent (Art.9(2)(a)) | Biometric templates (FHE-encrypted) | End users | H33 FHE engine | Account lifetime |
| Payment Processing | Process credit pack purchases | Contract (Art.6(1)(b)) | Email, payment intent ID | Customers | Stripe | 7 years (financial records) |
| Document Validation (Vault) | Validate sensitive documents | Legitimate interest / Contract | Document fields (FHE-encrypted) | Operators, document subjects | H33-Vault, Cachee | Per customer retention policy |
| Fraud Intelligence (Share) | Cross-institution fraud detection | Legitimate interest (Art.6(1)(f)) | Fraud signals (FHE-encrypted) | Bank customers (indirect) | Participating institutions | 12 months |
| Website Analytics | Improve service quality | Legitimate interest (Art.6(1)(f)) | IP, browser, pages visited | Website visitors | Netlify Analytics | 30 days |
| Customer Support | Resolve inquiries | Contract (Art.6(1)(b)) | Email, name, inquiry details | Customers | Support team | 2 years |
| Compliance Logging | Audit trail for regulatory compliance | Legal obligation (Art.6(1)(c)) | Access logs, audit events | All users | Internal compliance | 7 years |
3. Data Protection Measures
H33 implements comprehensive technical and organizational measures to protect personal data across all processing activities:
- Fully Homomorphic Encryption (FHE): Biometric templates and sensitive document fields are encrypted using BFV lattice-based FHE. Data remains encrypted during processing -- H33 systems never access plaintext biometric or document data.
- Post-Quantum Signatures: All authentication and audit operations are signed using Dilithium (ML-DSA, FIPS 204), providing tamper-evident logging resistant to quantum computing attacks.
- Transport Security: All data in transit is protected by TLS 1.3 with post-quantum key exchange (Kyber/ML-KEM).
- Encryption at Rest: All databases and storage volumes are encrypted at rest using AES-256 via AWS managed encryption.
- Authentication Security: httpOnly cookies for session management, JWT tokens with 15-minute access token expiry and 7-day refresh token rotation.
- Access Controls: Role-based access control, principle of least privilege, multi-factor authentication for administrative access.
- Audit Logging: Dilithium-signed audit trail for all data access and processing operations, retained for 7 years.
4. International Transfers
H33 does not routinely transfer personal data outside the European Economic Area (EEA). Infrastructure is hosted in AWS us-east-1 (US East, N. Virginia). Where transfers to the United States occur, the following safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs are incorporated into data processing agreements with all US-based sub-processors, including AWS and Stripe.
- Supplementary Measures: FHE provides a supplementary technical measure as recommended by the EDPB -- personal data processed by H33 (biometric templates, document fields) is encrypted with lattice-based cryptography that cannot be decrypted by the infrastructure provider or any third party.
- Data Processing Agreements: Executed with all sub-processors, specifying data categories, processing purposes, and security requirements.
5. Review
This Records of Processing Activities document is reviewed annually, or upon material changes to processing operations. It was last updated on March 8, 2026. The next scheduled review is March 2027.
Changes that trigger an interim review include:
- Introduction of new processing activities or data categories
- Changes to lawful bases for existing processing
- Addition of new sub-processors or data recipients
- Changes to retention periods
- New international data transfer mechanisms