# Records of Processing Activities (ROPA)

**Data Controller:** Jeff Emmett

**Last Updated:** [DATE]

**Version:** 1.0

This document fulfills the requirement under GDPR Article 30 to maintain records of processing activities.

---

## Overview

| Item | Details |
|------|---------|
| **Controller Name** | Jeff Emmett |
| **Controller Address** | 23 Birchpark Dr, L3M 4M9 Grimsby, Canada |
| **Contact Email** | [YOUR_EMAIL] |
| **Data Protection Officer** | Not required (< 250 employees, no large-scale processing) |
| **EU Representative** | Not required (processing not regular/large-scale) |

---

## Processing Activity 1: Website Hosting & Analytics

| Field | Details |
|-------|---------|
| **Activity Name** | Website Hosting and Analytics |
| **Purpose** | Hosting websites, collecting anonymized usage analytics to improve user experience |
| **Legal Basis** | Legitimate Interest (Art. 6(1)(f)) for basic hosting; Consent (Art. 6(1)(a)) for analytics |
| **Data Subjects** | Website visitors |
| **Personal Data Categories** | IP address (anonymized), browser type, pages visited, referrer URL, device type |
| **Special Categories** | None |
| **Data Sources** | Direct collection via website |
| **Recipients** | netcup GmbH (hosting), Cloudflare Inc (CDN), Vercel Inc (analytics) |
| **Third Country Transfers** | USA (Cloudflare, Vercel) - protected by SCCs/DPA |
| **Retention Period** | Server logs: 14 days; Analytics: 14 months |
| **Security Measures** | TLS encryption, access controls, ISO 27001 certified infrastructure |

### Websites Covered:

- jeffemmett.com
- mycofi.earth
- bondingcurve.tech
- convictionvoting.xyz
- decolonizeti.me
- [Add all your domains]

---

## Processing Activity 2: Newsletter Subscriptions

| Field | Details |
|-------|---------|
| **Activity Name** | Newsletter Management |
| **Purpose** | Sending newsletters and updates to subscribers |
| **Legal Basis** | Consent (Art. 6(1)(a)) - explicit opt-in |
| **Data Subjects** | Newsletter subscribers |
| **Personal Data Categories** | Email address, name (optional), subscription date, open/click tracking |
| **Special Categories** | None |
| **Data Sources** | Direct collection via subscription forms |
| **Recipients** | Self-hosted (Listmonk on netcup infrastructure) |
| **Third Country Transfers** | None (self-hosted in Germany) |
| **Retention Period** | Until unsubscribe + 30 days |
| **Security Measures** | TLS encryption, authentication required, database encryption |

### Consent Mechanism:

- Double opt-in required
- Clear unsubscribe link in every email
- Consent records stored with timestamp

---

## Processing Activity 3: Contact Form Submissions

| Field | Details |
|-------|---------|
| **Activity Name** | Contact Form Processing |
| **Purpose** | Responding to inquiries from website visitors |
| **Legal Basis** | Legitimate Interest (Art. 6(1)(f)) / Pre-contractual measures (Art. 6(1)(b)) |
| **Data Subjects** | People who submit contact forms |
| **Personal Data Categories** | Name, email address, message content |
| **Special Categories** | None |
| **Data Sources** | Direct submission via website forms |
| **Recipients** | Self-hosted email (or specify email provider) |
| **Third Country Transfers** | Depends on email provider |
| **Retention Period** | 2 years after last communication |
| **Security Measures** | TLS encryption, spam filtering |

---

## Processing Activity 4: User Accounts (if applicable)

| Field | Details |
|-------|---------|
| **Activity Name** | User Account Management |
| **Purpose** | Providing authenticated access to services |
| **Legal Basis** | Contract performance (Art. 6(1)(b)) |
| **Data Subjects** | Registered users |
| **Personal Data Categories** | Email, username, hashed password, account settings |
| **Special Categories** | None |
| **Data Sources** | User registration |
| **Recipients** | Self-hosted only |
| **Third Country Transfers** | None |
| **Retention Period** | Account lifetime + 30 days after deletion request |
| **Security Measures** | Password hashing (bcrypt), session management, 2FA optional |

---

## Data Processors (Sub-processors)

| Processor | Service | Location | DPA Signed | Contact |
|-----------|---------|----------|------------|---------|
| netcup GmbH | Web hosting infrastructure | Germany | Yes (online) | support@netcup.de |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | USA (with EU options) | Yes (standard) | privacy@cloudflare.com |
| Vercel Inc. | Web analytics | USA | Yes (ToS) | privacy@vercel.com |

---

## Technical and Organizational Measures (TOMs)

### Confidentiality

- [x] TLS/SSL encryption for all websites
- [x] Access controls for server infrastructure
- [x] SSH key authentication (no password auth)
- [x] Firewall and network segmentation

### Integrity

- [x] Regular backups
- [x] Version control for code
- [x] Audit logging

### Availability

- [x] Redundant infrastructure
- [x] DDoS protection (Cloudflare)
- [x] Monitoring and alerting

### Resilience

- [x] Disaster recovery procedures
- [x] Regular backup testing

---

## Data Subject Rights Procedures

### Access Requests (Art. 15)

1. Receive request via email
2. Verify identity
3. Compile data within 30 days
4. Provide data in machine-readable format

### Erasure Requests (Art. 17)

1. Receive request via email
2. Verify identity
3. Delete from: databases, backups (when rotated), analytics
4. Confirm deletion within 30 days

### Portability Requests (Art. 20)

1. Receive request via email
2. Verify identity
3. Export data as JSON/CSV
4. Provide within 30 days

---

## Data Breach Response Plan

### Detection

- Monitoring systems in place
- Log analysis for anomalies

### Assessment (within 24 hours)

1. Identify scope of breach
2. Assess risk to data subjects
3. Document findings

### Notification (within 72 hours if required)

1. Notify supervisory authority if risk to rights/freedoms
2. Notify affected individuals if high risk
3. Document all actions

### Recovery

1. Contain breach
2. Remediate vulnerabilities
3. Review and update security measures

---

## Review Schedule

| Review Type | Frequency | Last Review | Next Review |
|-------------|-----------|-------------|-------------|
| ROPA Update | Annually | [DATE] | [DATE + 1 year] |
| Security Audit | Annually | [DATE] | [DATE + 1 year] |
| Processor Review | Annually | [DATE] | [DATE + 1 year] |
| Privacy Policy Review | Annually | [DATE] | [DATE + 1 year] |

---

## Change Log

| Date | Version | Changes | Author |
|------|---------|---------|--------|
| [DATE] | 1.0 | Initial creation | Jeff Emmett |

---

*This document should be kept up to date and reviewed at least annually or whenever there are significant changes to processing activities.*