Records of Processing — GDPR Article 30.
This page documents the categories of personal data Exitview processes, the purpose of processing, the legal basis, the recipients, the retention period, the cross-border transfers (and their safeguards), and the technical and organizational measures (TOMs) we apply. It is published in the open so a procurement officer or DPO can audit our posture without an NDA.
1. Controller / Processor
Exitview AI is a data processor on behalf of the operating company (the controller). A Data Processing Agreement (DPA) is executed with every paying customer prior to ingest.
2. Categories of personal data
- Redacted free-text exit-interview narrative (post Stage-1 + Stage-2 CAI).
- 32-bit FNV-1a contributor hash (display only). FNV-1a is a non-cryptographic hash, so "non-reversible" here means only that the seed cannot be recovered from the 32-bit digest without enumerating candidate seeds; the seed itself stays with the controller (see item 8), and a 32-bit digest offers no collision resistance.
- 384-dimensional sentence embedding (BERT-family MiniLM-L6-v2, see item 4) with iid Laplace noise (ε = 1.5 per dimension).
- Cohort code (e.g. q4_2025) — coarse temporal grouping only.
- Sentiment scalar in [-1, 1] and three-way band label.
- Jittered submitted_at timestamp (±2 days uniform).
We never store: raw narrative, names, manager names, explicit dates, departments, employee IDs, IP addresses, device fingerprints, or session cookies tied to the respondent.
3. Purposes & legal basis
- Theme clustering for HR insight (Art. 6(1)(f) legitimate interest).
- Privacy-preserving audit publication (Art. 6(1)(f) legitimate interest; Art. 5(1)(f) integrity and confidentiality).
- Billing — Stripe customer record only (Art. 6(1)(b) contract).
4. Recipients (sub-processors)
- Neon (Postgres + pgvector). EU region. SOC 2 Type II.
- HuggingFace Inference (sentence-transformers MiniLM-L6-v2 embedding).
- Anthropic (Claude Haiku — CAI second-pass redaction, server-side only).
- Stripe (payments). PCI DSS Level 1.
- Clerk (authentication). SOC 2 Type II.
- Vercel (hosting + edge / serverless runtime).
5. Cross-border transfers
EU↔US transfers occur for HuggingFace, Anthropic, Stripe, Clerk, and Vercel. All transfers rely on EU SCCs (2021/914) and supplementary measures (TLS 1.3 in transit, encryption-at-rest, named recipient list above). The CAI redaction prompt is invoked with no customer-identifying metadata so the LLM provider cannot link redacted text to an org.
6. Retention
- Redacted text + embedding: default 24 months, configurable per DPA.
- Theme cluster centroids: indefinite (no personal data).
- k-anonymity audit rows: 7 years (legal hold). Immutable.
- Stripe subscription metadata: lifetime of contract + 90 days.
7. Technical & organizational measures (TOMs)
- Two-stage redaction (regex + Constitutional-AI Haiku).
- K-anonymity ≥ 5 hard gate on every quote-returning query.
- Differential privacy: Laplace mechanism (ε = 0.8; counts have sensitivity 1, so the noise scale is 1.25) on boundary counts; iid Laplace noise on the 384-dim embeddings at ε = 1.5 per dimension. Per-dimension ε composes: under basic sequential composition the per-record budget for the embedding is 384 × 1.5 = 576, so the per-dimension figure is not a per-record guarantee.
- ±2 day uniform jitter on submission timestamps.
- Append-only audit table (Postgres trigger blocks UPDATE/DELETE). TRUNCATE is a separate trigger event and needs its own block or a revoked privilege, and a trigger only binds roles that cannot drop it, so the application role must not own the table.
- Postgres Row-Level Security with FORCE on every tenant-scoped table; per-tenant policy keyed on current_setting('app.user_id'). FORCE binds the table owner but not superusers or BYPASSRLS roles, and the setting is only as trustworthy as the connection layer that sets it from the authenticated identity, since any session can SET it.
- Strict CSP, HSTS preload, X-Frame-Options DENY, Cross-Origin-Opener/Resource-Policy same-origin.
- HMAC-verified Stripe webhooks (crypto.timingSafeEqual via stripe-node).
- Zod schema validation on every write path. Bounded inputs (≤4000 chars).
- Secrets in Vercel-encrypted env only; never in repo, never in client bundle.
8. Data subject rights
Because we hold only redacted text and the contributor hash, we cannot identify a data subject ourselves; access requests (DSARs) are answered via the controller. The hash is provided on request so the controller can verify which row corresponds to a seed they hold. Erasure is honored by a controller-initiated DELETE on exit_responses; the audit trail of the deletion is retained per item 6 above.
9. Breach notification
Material incidents are communicated to the controller without undue delay and no later than 24 hours after detection, with the information Article 33(3) requires. Contact: privacy@exitviewai.com.
Last reviewed: cycle EXITVIEW_015 / v4.2 audit.