Refine AI – Regulatory Compliance & Data Protection Framework

(EU AI Act & GDPR–Aligned Architecture for clients)
Version: 1.1 (Informational – Subject to Contractual Agreement)
Prepared by: Refine, Inc. — Security, Data Protection & AI Governance
Scope: Enterprise and customer-managed deployments of the Refine platform, governed by contractual agreements and, where applicable, a Data Processing Agreement (DPA).

1. Executive Summary

Purpose

This document provides a full-stack, formally auditable compliance and data-protection framework for enterprise deployments of the Refine platform, aligned with the EU AI Act, GDPR, and standard corporate IT, Legal, and Security requirements. It details architecture, data flows, lawful bases, technical/organizational measures (TOMs), model governance, analytics, retention/deletion, and auditability.

Hosting & sovereignty

Refine operates on Google Cloud Platform (GCP) in EU regions (Frankfurt primary, Netherlands secondary) using Cloud Run for application execution and Cloud SQL for data storage. All personal data remains in the EU. Resilience, redundancy, and backups are provided by GCP’s managed services, which carry internationally recognized certifications (e.g., ISO/IEC 27001/17/18, SOC 1/2/3, EU Cloud Code of Conduct). Refine inherits these controls and adds tenant isolation, encryption key management, role-based access, and full audit logging.

Gemini model

Refine uses a Gemini-based (Google Cloud) large language model fine-tuned by Refine that adapts to the language and culture, based on the Refine AI Methodology, a PhD whitepaper which the company based upon. Multi-lingual with over 90 languages, like Ukranian, Afrikaans, German, English, Serbian, Chinese (Mandarin), Arabic and more. As long as our model supports the language client prefers, we fine tune the model so the quality of the culture and language fits the needs of the company, industry, culture, corporate culture, intercultural sensitivity, bias and more. Client inputs/outputs are not used to train foundation models. AI is assistive with human oversight and explainability.

Differentiated analytics

Internal Analytics (anonymized): performance/latency/feature use for platform improvement.
Client Analytics (pseudonymized): progress and KPI tracking (SSO-based access to Refine’s dashboards or direct login).
Authorized Exports: optional daily/weekly/monthly aggregated or pseudonymized reports, fully permissioned and audit-logged.

Retention & deletion

Aligned to Refine’s GDPR Policy (v1.2):

Account data: for the duration of the contract or until de-provisioning.
User-generated content (audio/text/feedback): Default retention is 180 days, configurable per customer agreement.
Operational/service logs: through contract + up to 12 months post-contract for billing/audit.
Anonymized usage data: retained indefinitely for statistics.

Outcome for clients

EU-hosted, sovereign, and auditable AI training at scale, with strict privacy by design, clear accountability, and documented compliance to satisfy internal and external audits.

2. Definitions & Roles

Controller / Processor

Client = Data Controller (determines purposes and means of processing in the enterprise deployment).
Refine = Data Processor (processes personal data on client’s documented instructions).
Google Cloud = Sub-processor (provides cloud infrastructure/services pursuant to its DPA).
Other Sub-processors (Processor’s sub-processors under Art. 28): Deepgram (speech), Resend (email delivery), Vercel (frontend hosting) — used under DPAs/SCCs.

Personal Data

Identity/account data; professional context; user inputs/responses (audio/text/UI); AI feedback and scores; operational/technical data (e.g., IP, device, logs).

Special categories

Not intentionally collected. If any are incidentally captured (e.g., in free-text responses), they are minimized and subject to enhanced safeguards and deletion where appropriate.

Children’s data

Not applicable (enterprise adult workforce).

3. System Architecture & Data Lifecycle

3.1 Architecture Overview

Application Execution: Cloud Run (EU region); containerized services with least-privilege service accounts and per-tenant logical separation.
Data Storage: Cloud SQL (EU region) with AES-256 encryption at rest, automated backups, and point-in-time recovery options (managed by GCP).
Model Inference: Vertex AI / Gemini in EU regions; requests and responses encrypted in transit (TLS 1.3).
Speech Processing: Deepgram in EU regions where available; otherwise used with SCCs and contractual safeguards.
Email: Resend for transactional messages (identity/email only).
Frontend: Vercel; session auth bound to SSO, no persistent personal data at edge.

3.2 Data Flow (Narrative)

1. Authentication & SSO

Refine supports multiple secure authentication options depending on client needs:

Direct platform login using secure email-based authentication
SSO login via SAML or OIDC with any enterprise identity Provider (Azure AD, Okta, Google Workspace, SAP IAS, etc.)
Hybrid Access for Organizations who wish to enable both SSO and direct login to support contractors or external users.
Optional SCIM provisioning for automated user lifecycle management (creation, role assignment, deactivation)
Role-based access control & full audit logging for all admin actions

When SSO is enabled, the Refine platform does not store user passwords; authentication is delegated entirely to the Client’s Identity Provider.

2. Lesson Interaction

Users submit responses (audio/text/interaction). Input is transmitted via TLS 1.3 to Refine, then to Gemini (and Deepgram for audio) within the agreed regions.

3. Processing

The model generates feedback/scores; Refine applies business logic (progression rules, cultural adaptation, KPI calculations).

4. Storage

Inputs/outputs and analytics are stored in the client organization inside Refine’s Cloud SQL (EU).

5. Analytics & Exports

Internal Analytics: anonymized, stored separately in Refine’s internal EU Cloud SQL.
Client Analytics: pseudonymized within the client’s organization, visible via role-based SSO.
Authorized Exports: generated by Cloud Run, encrypted at rest/in transit, delivered by secure link/SFTP; operation is audit-logged.

6. Deletion

Automated jobs enforce retention windows; ad-hoc erasure (Art. 17) on request is logged and confirmed to the client organization.

4. Legal Bases & Transparency (GDPR)

4.1 Audit Rights

The client may exercise audit and verification rights annually or upon justified security concern, with 15-business-day notice unless emergency.

Scope options

Document Review – Refine policies, DPA, sub-processor contracts, TOM evidence.
On-site / Remote Inspection – interviews, log reviews, configuration sampling.
Pen-Test / Vulnerability Report Review – summary under NDA.

4.2 Evidence of Controls

GCP Certificates: ISO 27001/17/18, SOC 2 Type II, EU Cloud CoC, CSA STAR.
Refine Evidence: encryption configs, IAM screenshots, incident logs (redacted).
Third-Party Pen-tests: annual; executive summary provided within 30 days post-completion.

4.3 Joint Audits & Table-Top Exercises

Annual tabletop simulating breach or data-subject request:

4 h planning call;
1-day execution;
2-week corrective-action review.

4.4 Sample Audit Checklist (Appendix F)

Verify SSO configuration & RBAC.
Validate encryption in-transit/at-rest.
Check deletion logs vs retention schedule.
Inspect sub-processor notification trail.
Confirm DSAR workflow completeness.
Review export audit logs.
Examine change-management approvals.
Cross-check training records.
Inspect incident post-mortems & timelines.

4.5 Joint Audit Execution Summary

Step	Responsible	Evidence Generated
Pre-audit notification	Client Compliance Team	Email & scope definition
Evidence collection	Refine Security Team	GCP certificates, policy pack
Interview phase	Joint session	Meeting minutes
Draft report & findings	Client Auditor	Report summary
Corrective action plan	Refine CISO / PM	CAP tracker log

4.6 Lawful Bases (Art. 6)

Contract (Art. 6(1)(b)): delivering personalized lessons, storing inputs/outputs for learning continuity, providing client analytics to the client organization.
Legitimate Interest (Art. 6(1)(f)): platform security, performance, fraud prevention, Internal Analytics (anonymized), and reporting necessary for service quality. A Legitimate Interest Assessment (LIA) is maintained; balancing tests confirm minimal privacy risk with strong safeguards.
Consent (Art. 6(1)(a)): only for non-essential cookies (if enabled) or optional features expressly requiring consent (none by default for client deployment).

4.7 Transparency Notices

Refine provides:

User-facing privacy notice (embedded link from the app), clearly explaining purposes, retention, rights, and contact.
Admin-facing data catalog (fields processed, purposes, recipients, and retention windows).
Export-of-records (Art. 30) maintained and made available to the client for audits.

5. EU AI Act Alignment

Principle / Article	Refine Implementation for Clients
Transparency (Art. 13)	In-product disclosures clarifying that responses are generated by Refine AI using Gemini on Google Cloud, with scope and limitations clearly explained.
Human Oversight (Art. 14)	AI is assistive; admins/instructors may review or override content and scores. Configuration supports human gates for sensitive or high-stakes outcomes.
Accuracy & Robustness (Art. 15)	Continuous evaluation of latency, error rates, bias across languages/cultures; regression testing prior to model updates, with validated rollback plans.
Data Governance (Art. 10)	Purpose limitation enforced; input/output strictly limited to training-use cases. Client data is never used to train foundation models.
Record-Keeping (Art. 12)	Versioning of lesson templates, model configurations, and comprehensive audit logs for access, exports, and lifecycle events, retained exclusively in EU regions.
Risk Management (Art. 9)	Risk register covering bias, misinterpretation, prompt injection; defined mitigations, ownership, and quarterly review cadence.
Security & Resilience	Inherited GCP security controls combined with Refine’s tenant isolation, RBAC, encryption, monitoring, and incident response procedures.

6. Technical & Organizational Measures (TOMs)

6.1 Access Control & Authentication

Refine supports multiple secure authentication options depending on the client's identity setup:

SSO (SAML/OIDC) for all users when a Client Identity Provider is connected
Direct platform login using secure email-based authentication (if enabled)
Hybrid access for organizations that need both internal SSO users and external contractors
Optional SCIM provisioning for automated user lifecycle management
Least-privilege RBAC with role-based access control
No client passwords are stored by Refine when SSO is used

6.2 Encryption & Key Management

In transit: TLS 1.3 (HSTS, modern ciphers).
At rest: AES-256 for Cloud SQL and storage; encrypted logs.
Keys: Managed by GCP KMS with strict IAM; option to use CMEK (customer-managed keys) if the client requires it.

6.3 Network & Isolation

Private service perimeters, VPC segmentation, firewall hardening, and egress controls for inference endpoints.
No cross-tenant traffic; APIs gated by tenant context.

6.4 Logging, Monitoring & Alerting

Centralized audit logs: auth events, data access, admin actions, exports, configuration changes.
SIEM integration (upon request) via Pub/Sub.
Alerting on anomalous access, excessive export attempts, or data volume spikes.

6.5 Secure SDLC & Change Management

Peer review, CI/CD with artifact signing, dependency scanning (SCA), SAST/DAST pipelines.
Pre-production environment with synthetic data; change approval board for production releases.
Emergency rollback procedures.

6.6 Vulnerability & Patch Management

Weekly vulnerability scans; monthly patch windows; severity-based SLAs (e.g., Critical: 72h).
Annual third-party penetration tests (reports can be shared under NDA).

6.7 Business Continuity & Disaster Recovery

Resilience: GCP multi-zone; automatic backups; RPO/RTO targets discussed below.
Targets:

Availability: ≥ 99.9% application uptime (contractual SLA optional).
RPO: ≤ 24 hours (configurable).
RTO: ≤ 24 hours (configurable).

Periodic DR tests; post-test reports available to client organization.

6.8 Vendor & Sub-processor Management

DPAs + SCCs with all sub-processors.
Annual vendor risk reviews (financial stability, breach history, certifications).
Right-to-audit clauses consistent with enterprise requirements.

7. Data Classification & Minimization

Classes:

P1 Identifiers: name, corporate email, role.
P2 Inputs/Responses: audio, text, interaction history.
P3 Derived Scores/Feedback: AI feedback, scores, progression, KPIs.
P4 Operational: logs, metrics, telemetry (not shown to end users).

Minimization:

Collect only data required for learning, personalization, and KPI reporting.
Masking in analytics; no raw audio in exports by default.
Fine-grained retention windows per class (see Section 10).

8. Analytics & Reporting

8.1 Streams & Identifiability

Internal Analytics (Anonymized): aggregates for product improvement; no identifiers; stored in separate internal EU instance.
Client Analytics (Pseudonymized): progress & KPI metrics tied to tenant-scoped encrypted IDs; visible in Refine UX under SSO.
Authorized Exports: optional daily/weekly/monthly CSV/PDF; aggregated or pseudonymized; audit-logged.

8.2 KPI Examples for clients

Lesson completion, streaks, time-on-task, XP deltas.
CEFR progression curves (for language-linked content).
Communication micro-skills mastery by job family.
Team-level heatmaps (adoption, improvement velocity).
No personal audio in routine exports unless explicitly requested/approved.

8.3 Export Governance

Export permission limited to defined roles; access grants logged.
Each export produces an immutable audit record (timestamp, requester, scope, file hash).
Pre-templated report categories to reduce scope creep.

9. Data Subject Rights & Request Handling

Access, Rectification, Portability, Erasure, Restriction, Objection supported (Arts. 15–22).
Requests initiated via Client HR or directly through Refine support (as Processor, we coordinate with the client organization).
SLAs: Acknowledge within 72h, fulfill within 30 days (expeditable).
Identity verification is mandatory; DSAR logs maintained.

10. Retention & Deletion (Aligned to Refine GDPR Policy v1.2)

Data Type	Retention Period	Purpose / Notes
Account & Identity Data	For the duration of client’s contract or until account de-provisioning by the client.	Authentication and continuity.
User-Generated Content (audio, text, AI feedback)	≈180 days default; configurable up to 12–24 months if the client instructs.	Learning continuity; personalization; then auto-deletion.
Operational & Service-Generated Data	While account active + ≤12 months post-contract (billing, security audit).	Includes logs and incident traces.
Anonymized Usage Data	Indefinite (irreversibly de-identified).	Statistics and service improvement.

Deletion Controls. Automated cleanup; on request erasure (Art. 17) within 30 days; deletion receipts and evidence logged.

11. Incident Response & Breach Notification

EU deployment defaults to EU processing; no transfers outside the EU unless explicitly requested or strictly necessary (e.g., global email edge delivery).
Where transfers occur, SCCs and appropriate safeguards are in place with sub-processors.
China (PIPL): Optional China-specific deployment avoids cross-border transfers; if cross-border is required, the client’s lawful basis, consent, and security assessment procedures apply.

12. Cross-Border Data Transfers

EU deployment defaults to fully EU-based processing
No transfers outside EU unless explicitly requested or necessary (e.g., global email edge delivery)
Where transfers occur, SCCs and safeguards apply
China (PIPL): Optional China-specific deployment avoids cross-border movement; if transfers occur, lawful basis, consent, and security assessment obligations apply

13. AI Model Governance

13.1 Lifecycle Phases

Phase	Purpose	Governance Controls
Training	Gemini foundation model fine-tuned using synthetic / licensed datasets (no client data).	Data source vetting; bias audit; copyright verification; training record kept 1 year.
Validation	Multi-lingual benchmarking (15 languages) & domain testing.	Accuracy ≥ 90 %; bias variance ≤ 5 %; QA review logs retained.
Deployment	Controlled rollout in EU tenant environments.	Change approval board; canary testing; rollback capability.
Monitoring	Continuous accuracy / bias / latency tracking.	Auto-alerts; quarterly bias and quality reports; audit trail of overrides.
Retirement	Decommission and archive old models.	Model checksum + signature recorded; data deleted within 90 days.

13.1 Model Cards (Deployment-Specific)

Purpose & Scope: corporate communication/skills development.
Data Inputs: user responses (audio/text), professional context, historic scores.
Limitations: non-deterministic generative outputs; potential for plausible but incorrect content mitigated by validation cues and human oversight.
Performance: measured by learning-outcome proxies (retention, progression, score deltas).
Risks: cultural misinterpretation, bias, tone mismatch; mitigation through multilingual/cultural calibration and review gates.

13.2 Bias, Fairness & Explainability

Pre-deployment testing by culture/language;
Ongoing monitoring (disparity metrics);
Explainability via rule-level feedback and “why” statements;
Appeal mechanisms for admins to correct outputs and flag systematic errors.

13.3 Prompt/Response Security

Injection defense patterns (delimiters, content filters, function bounds);Guardrails for restricted content; Logging of prompt/response metadata sans sensitive payloads in internal analytics. Each AI output includes a logic chain explaining decision path and confidence score. Admins may invoke “Override & Annotate” function; system logs who and why for traceability (EU AI Act Art. 14). Explainability reports exportable for audits in JSON / PDF. Annual Explainability Review board with the client and Refine AI Governance team.

13.4 Alignment with ISO/IEC 42001

Clause	Implementation
6 Context of Organization	Documented AI purpose and stakeholders (the client, Refine).
7 Leadership & Policy	Refine AI Ethics Policy + Governance Charter signed by executives.
8 Planning & Risk Management	Quarterly AI Risk Register (Appendix E).
9 Support & Competence	Staff training, AI ethics program, role definition.
10 Operation & Lifecycle Controls	Training–Validation–Deployment–Monitoring–Retirement cycle (13.1).
11 Performance Evaluation	Bias reports and client feedback surveys.
12 Improvement	Corrective actions post incident / audit review.

Appendix E – AI and Data Risk Register(GDPR Art. 32; EU AI Act Art. 9; ISO/IEC 27001 A.6–A.18)

#	Risk Scenario	Impact	Likelihood	Mitigation / Control	Residual Risk	Owner	Review Cycle
1	Prompt Injection / Malicious Input	Medium → Data Leak	Low	Input sanitization / context filtering	Low	AI Security Lead	Quarterly
2	Bias or Cultural Distortion	Reputational	Medium	Bias testing (13.2) + human review	Low	AI Ethics Board	Quarterly
3	SSO Mis-configuration	Unauthorized access	Low	Federated auth testing + SCIM sync	Low	DevOps Lead	Bi-annual
4	Sub-processor Failure (GCP / Deepgram)	Service Disruption	Low	Multi-region redundancy + SLA audit	Low	CTO	Annual
5	Data Retention Overrun	GDPR non-compliance	Low	Automated deletion jobs + audit log	Low	DPO	Monthly
6	Export Mis-delivery	Confidentiality breach	Medium	SFTP whitelist + PGP encryption + 2-person approval	Low	Compliance Mgr	Monthly
7	Model Misinterpretation	Business impact	Medium	Explainability dashboard + override controls	Low	Product Mgr	Quarterly
8	Human Error in Admin Panel	Minor	Medium	RBAC + confirmation prompts + training	Low	HR Lead	Quarterly
9	Security Vulnerability Unpatched	Major	Medium	Weekly scan + patch SLA 72 h Critical	Low	Security Ops	Monthly
10	Cross-border Transfer Violation	Regulatory	Low	EU data residency / SCC controls	Very Low	DPO	Annual

Formal Footnotes and Citations

GDPR Art. 5(1) – Data minimization and storage limitation principles.
GDPR Art. 6(1)(b,f) – Lawful bases for contract and legitimate interest.
GDPR Art. 25 – Privacy by Design / Default implemented via TOMs (Sec. 6).
GDPR Art. 28(3) – Processor obligations mapped (Table 1).
GDPR Art. 32–34 – Security and breach notification (runbook Sec. 11).
GDPR Art. 44 ff. – Cross-border data transfer safeguards (Sec. 12).
EU AI Act Arts. 9–16 – Risk Management, Data Governance, Transparency, Human Oversight (Secs. 5 & 13).
ISO/IEC 27001:2022 § A.5–A.18 – Information-Security Controls referenced throughout TOMs.
ISO/IEC 42001 (2023 draft) – AI Management System alignment (Sec. 13).

14. Sub-Processors (at Publication)

Google Cloud Platform (GCP) – infrastructure, databases, AI services (EU).
Google Cloud Vertex AI / Gemini – model inference (EU).
Deepgram – speech-to-text (EU where available).
Resend – transactional email (global infra; minimal data: name/email).
Vercel – frontend hosting/edge delivery (no persistent PII at edge).

Controls: DPAs, SCCs, security questionnaires, breach clauses, and annual vendor reviews.

15. Organizational Governance & Accountability

Policies: Information Security, Acceptable Use, Access Control, Vulnerability Management, Incident Response, Vendor Management, Privacy by Design.
Training: Annual privacy & security training for staff; role-specific secure coding modules.
Records of Processing (Art. 30): maintained and available to the client.
DPIA Support: Refine provides data flows, TOMs, and risk matrices to assist client’s DPIA.

16. Mapping Matrices

16.1 GDPR Mapping (selected)

GDPR Article	Control / Evidence
Art. 5 Principles	Minimization, storage limitation, integrity/confidentiality implemented; retention schedules (Sec. 10).
Art. 6 Lawful Basis	Contract & legitimate interest defined (Sec. 4.1); LIA on file.
Art. 12–14 Transparency	In-product notices; privacy policy; admin data catalog.
Art. 15–22 Rights	DSAR workflow with SLA; audit logs of fulfillment.
Art. 25 Privacy by Design	Data minimization; pseudonymization; secure defaults; SSO.
Art. 28 Processor	DPA with the client; sub-processor register; SCCs.
Art. 30 Records	Records of processing kept and shared upon request.
Art. 32 Security	Encryption, IAM, logging, secure SDLC (Sec. 6).
Art. 33/34 Breach	Playbooks; “without undue delay” notification.
Art. 44+ Transfers	SCCs and regionalization; China optional localization.

16.2 EU AI Act Mapping (selected)

Concept	Implementation
Transparency	Clear model disclosure and user-facing explanations (Sec. 5).
Human Oversight	Assistive-only outputs with override controls (Sec. 5).
Accuracy / Robustness	QA, regression testing, monitored KPIs (Sec. 5, 6).
Data Governance	Purpose limitation; no foundation model training using client data (Sec. 5).
Logging / Traceability	Comprehensive audit logs; export logs (Sec. 6, 8).
Risk Management	Risk register; quarterly review cycle (Sec. 5).

17. Service Levels & Operational Metrics

Service Availability: 99.9% monthly uptime target (excl. scheduled maintenance).
Support Response: Critical (1h), High (4h), Normal (24h) — business hours or 24/7 by contract.
Change Notifications: Material updates notified 7–14 days in advance (except critical security patches).

18. Client-Specific Customizations

Refine supports full customization for each client, including:

Regionality & Sovereignty: EU or region-specific deployments
Authentication Options: Direct platform login, SSO (SAML/OIDC), optional SCIM.
Role-based Access & Permissions
Client-tailored analytics dashboards & KPI exports
Custom skill libraries and lesson paths based on internal frameworks
Language, Culture, and corporate-identity adaptation
Retention: Default 180-day content retention; extendable to 12–24 months on written instruction.
Controls Review: Quarterly joint review (export history, access logs, incidents, model performance).
Legal Pack: DPA, Sub-processor list, Records of Processing, LIA summaries, DPIA assistance, Breach playbooks, Change control policy.

19. Open Items for Joint Confirmation

CMEK requirement (yes/no).
Exact retention durations per data class beyond defaults (e.g., 12 or 24 months for user-generated content).
Report catalog finalization: KPIs, cadence, distribution lists.
Pen-test report sharing cadence (annual, with NDA).
SLA/Support levels and contacts.

20. Summary Statement

Refine’s EU-sovereign deployment for the client—powered by GCP and leveraging Gemini—delivers enterprise-grade AI learning within a documented, enforceable, and auditable compliance framework. The design integrates privacy by design, tenant isolation, SSO-only access, controlled exports, and retention rules aligned to client’s governance. Security and continuity rest on GCP’s certified controls, which Refine inherits and extends with application-level safeguards and comprehensive logging.

Result: Client’s data, users, and learning outcomes are fully protected, measurable, and controllable—satisfying both internal governance and external regulatory scrutiny under the EU AI Act and GDPR.

Appendix A – Sub-Processor Contact & Regions (abridged)

Google Cloud Platform (GCP): EU (Frankfurt, Netherlands).
Vertex AI / Gemini: EU regions.
Deepgram: EU region where available; SCCs where necessary.
Resend: Global; minimal PII.
Vercel: Global edge; session-bound.

Appendix B – Data Inventory (Illustrative)

Identity (name, email, role), Organization (business unit, plant), Inputs (audio/text), Outputs (feedback/scores), Progression metadata, Logs (auth, exports, config), Analytics metrics (aggregated/pseudonymized).

Appendix C – DPIA Aid (Headings)

Processing purpose, lawful bases, necessity/proportionality, risk identification, mitigations, residual risk, monitoring plan.

Appendix D – Export Templates (Examples)

Learning KPI Executive Summary (monthly): adoption, streaks, skill gains, CEFR progression.
Operational Health (weekly): latency, completion, error rates.
Cohort Onboarding (daily during ramp): completions, first-week engagement, early signals.

Legal Foundations Summary Table

Mapping of GDPR Article 28(3) Processor Obligations to Refine’s Implemented Controls (GDPR Art. 28 §3(a–h))

GDPR Obligation	Legal Reference	Refine Implementation & Control Evidence
Processing only on documented instructions	Art. 28 (3)(a)	Refine processes client data solely under written instructions in the signed DPA. No independent processing. Access control and code-level tenancy enforcement ensure purpose limitation.
Confidentiality of persons authorized to process	Art. 28 (3)(b)	Every Refine employee/contractor signs confidentiality & data-handling clauses. Annual privacy & security training (records retained).
Appropriate technical & organizational measures (TOMs)	Art. 28 (3)(c)	Encryption (TLS 1.3/AES-256), IAM, logging, pseudonymisation, tenant isolation, secure SDLC, incident response per Sections 6 & 11.
Sub-processor engagement only with prior authorization	Art. 28 (3)(d)	Sub-processors (GCP, Deepgram, Resend, Vercel) listed in Annex A. DPAs + SCCs executed; the client receives prior-notice updates.
Assistance to controller with data-subject rights	Art. 28 (3)(e)	DSAR workflow (Section 9) supports access/erasure/portability. SLA = 30 days; audit trail kept.
Assistance with security, DPIA & consultation duties	Art. 28 (3)(f)	DPIA toolkit provided (Appendix C). Technical summaries and TOMs shared for client’s supervisory authority filings.
Deletion or return of data after contract termination	Art. 28 (3)(g)	Automated purge within 30 days of termination; deletion log & confirmation issued (Section 10).
Audit & inspection rights for controller	Art. 28 (3)(h)	The client may audit annually or request evidence (ISO/SOC reports from GCP, pen-test summaries, policy reviews). Procedures defined in Section 4.