🧑‍⚖️GDPR EU compliance

EU Compliance Statement – Web3 Analyzer (Self‑Hosted Version)

Last updated: 25 May 2025


1 Scope

This statement explains how a self‑hosted deployment of Web3 Analyzer—installed inside the customer’s own Make.com and Apify workspaces, using PDF.co for white‑paper parsing, OpenAI GPT models for text evaluation, and optionally storing reports in Google Workspace—complies with the EU General Data Protection Regulation (GDPR) and related data‑sovereignty expectations.

2 Why GDPR Applies

The analyzer processes publicly available content (project websites, white‑papers, social links). Names of founders or team members can be personal data, so GDPR applies, albeit with a low‑risk profile.

3 Lawful Basis

Legitimate Interest under Art. 6 (1)(f) GDPR.

  • Purpose – accelerate first‑pass due‑diligence and cut fraud risk.

  • Necessity – replaces a manual activity already performed.

  • Balance – data subjects publish the information themselves; impact is minimal.

→ See dedicated Legitimate‑Interest Assessment.

4 Data Flow & Residency

User Browser
   └► Make.com (EU region – controller’s account)
         ├► Apify Actor (EU store – controller’s account)
         ├► PDF.co API  (US – SCCs, ≤60 min file retention)
         ├► OpenAI GPT API  (US – SCCs, ≤30 days log retention, no training)
         └► Google Drive* (EU data region – optional report storage)

Google Drive is optional; any S3, SharePoint or on‑prem storage may be configured.

4.1 Make.com

  • EU data region enabled at organisation level.

  • Logs & transient files stay in EU data centres.

  • One‑click Data‑Processing Agreement (DPA) available in console.

4.2 Apify

  • “EU Storage” option enforced on each Actor run.

  • DPA + Standard Contractual Clauses (SCCs) downloadable from dashboard.

4.3 PDF.co

  • Processes PDFs on AWS infrastructure (us‑west‑2).

  • Files encrypted at rest (AES‑256) and auto‑deleted ≤60 min.

  • DPA + SCCs legitimise EU→US transfer.

4.4 OpenAI GPT (ChatGPT)

  • Text fragments (website & white‑paper chunks) are sent to the OpenAI API endpoint in the US.

  • OpenAI’s enterprise privacy terms:

      • No data used for model training or service improvement.

      • Retention ≤30 days for abuse monitoring, then permanent deletion.

  • Transfers rely on SCCs appended to the OpenAI DPA.

  • Mitigations:

      1. Input is strictly public data; no special‑category or KYC documents.

      2. Personal names can be masked (regex pseudonymisation) before sending, if required.

      3. Optional: use Azure OpenAI “France Central” region for full EEA residency (requires customer Azure subscription).
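The regex pseudonymisation named in mitigation 2, shown as an added illustration rather than code from the Web3 Analyzer product: it assumes the team‑member names are already known from the project’s public team page (the two names below are constructed), masks them with stable tokens before a chunk is sent to the OpenAI API, checks that nothing slipped through, and restores the names in the returned text so the token‑to‑name map never leaves the controller’s environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: names as they would be scraped from a project's
# public "team" page (hypothetical people, not real ones).
TEAM_NAMES = ["Alice Novak", "Bob Okafor"]


def alias_map(names: List[str]) -> Dict[str, str]:
    """Map every form worth matching (full name, given name, surname)
    back to the canonical full name so all of them share one token."""
    out: Dict[str, str] = {}
    for name in names:
        out[name] = name
        for part in name.split():
            out.setdefault(part, name)
    return out


def name_pattern(aliases: Dict[str, str]):
    # Longest alias first so "Alice Novak" wins over "Alice"; the \b
    # anchors stop "Bob" from matching inside a word such as "Bobbin".
    ordered = sorted(aliases, key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(re.escape(a) for a in ordered) + r")\b")


def pseudonymise(text: str, names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace team-member names with stable PERSON_n tokens before the chunk
    leaves the controller's environment. Returns the masked text and the
    token->name map, which stays local and is never sent to the model."""
    aliases = alias_map(names)
    token_for: Dict[str, str] = {}  # canonical name -> token

    def repl(m) -> str:
        canonical = aliases[m.group(1)]
        if canonical not in token_for:
            token_for[canonical] = f"PERSON_{len(token_for) + 1}"
        return token_for[canonical]

    masked = name_pattern(aliases).sub(repl, text)
    return masked, {tok: name for name, tok in token_for.items()}


def residual_names(masked: str, names: List[str]) -> List[str]:
    """Pre-send check: any alias still present means the mask is incomplete."""
    return sorted({m.group(1) for m in name_pattern(alias_map(names)).finditer(masked)})


def reidentify(model_output: str, name_for_token: Dict[str, str]) -> str:
    """Restore names in the model's answer so the final report stays readable."""
    return re.sub(r"\bPERSON_\d+\b",
                  lambda m: name_for_token.get(m.group(0), m.group(0)),
                  model_output)
```

A regex over known names only catches the spellings you listed; if the source text may contain names you have not extracted, run the residual check and widen the list rather than assuming the mask is complete.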

4.5 Google Workspace (optional report storage)

  • Enterprise tiers allow EU Data Regions for Drive.

  • Google provides GDPR‑compliant DPA + updated SCCs.

5 Security Controls (cross‑platform)

Measure      | Implementation
-------------|---------------------------------------------------------------
Access       | SSO/SAML + role‑based rights in Make, Apify, Google Workspace
Encryption   | TLS 1.2+ in transit; AES‑256 at rest across all services
Retention    | Make & Apify logs auto‑purged ≤48 h; PDF.co ≤60 min; OpenAI ≤30 days (or 0 with Azure‑EU option); report storage per customer policy
Audit Trail  | Make execution history, Apify log stream, Google Drive file versioning

6 Data‑Subject Rights

Unlikely to be triggered; if they are:

  1. Locate record via project URL.

  2. Delete Drive files / internal DB entry.

  3. Purge Make & Apify logs.

  4. Ensure OpenAI logs older than 30 days are auto‑expired (or request early deletion via OpenAI support).

Deadline: 30 days (Art. 12 GDPR).

7 Customer Responsibilities

  1. Record the processing activity in the Art. 30 register.

  2. Keep LIA on file; review annually.

  3. Ensure EU data region + DPA/SCC acceptance in all third‑party consoles (Make, Apify, PDF.co, OpenAI).

  4. Provide privacy‑notice clause (e.g., “We screen publicly available Web3 materials using automated tools hosted in the EU; limited data may be processed in the US under SCCs.”).

8 Conclusion

With EU‑region settings enabled in Make & Apify, SCC‑based transfers for PDF.co and OpenAI steps, and EU‑region or on‑prem storage for reports, the self‑hosted Web3 Analyzer operates within EU data‑protection law. No special‑category data are processed, transfers are legitimised, and the customer remains full controller of the data.
