# Records of Processing Activities (RoPA)

**Controller**: Luis Enrique Moya Rozas (individual developer, resides in Mexico)
**Contact**: luisenriquemr96@gmail.com
**Last reviewed**: May 20, 2026
**Document version**: 1.0

This document is the Record of Processing Activities required by **Article 30 GDPR**. It is NOT public — show it only to a supervisory authority, an auditor, or a CMS-operator customer who requests evidence of compliance.

---

## Activity 1 — License management (customer accounts)

| Field | Value |
|---|---|
| **Purpose** | Issue, validate, renew, and revoke EasyGSM CMS licenses to paying customers. |
| **Categories of Data Subjects** | CMS operators (customers who buy licenses from us). |
| **Categories of Personal Data** | Email, username, full name (optional), payment metadata (no card data), license activation history (machine_id, IP, OS, version), purchase history. |
| **Recipients** | Internal only — the developer. Payment data shared with payment-acceptance providers chosen at checkout. |
| **International transfers** | Stored in EU (Hetzner DE). Remote admin access from Mexico — Art. 49(1)(b) basis. |
| **Retention** | While license is active + 7 years after final transaction for tax/audit purposes (Mexico CFF 5y minimum + margin). |
| **Security measures** | TLS-only public endpoints; bcrypt password hashes; 2FA on admin panel; AES-GCM for sensitive fields at rest. |
| **Legal basis** | Art. 6(1)(b) GDPR (contract) — necessary to perform the license agreement. |

---

## Activity 2 — CMS backup recovery (processor role)

| Field | Value |
|---|---|
| **Purpose** | Receive, store, and on customer request, return encrypted database backups uploaded by CMS instances for disaster recovery. |
| **Categories of Data Subjects** | End-users of customer CMS instances. |
| **Categories of Personal Data** | All fields stored in customer CMS databases (username, email, full name, phone, IMEIs, orders, wallet balance, transactions, IPs) — see DPA Annex 1 for full list. |
| **Recipients** | Internal only. Backups not shared with third parties. |
| **International transfers** | Stored in EU (Hetzner DE). Admin access from Mexico — Art. 49(1)(b). |
| **Retention** | Most recent 3 versions per license; older versions auto-purged. Retained for 90 days after license termination, then permanently deleted. |
| **Security measures** | AES-256-GCM encryption in transit using per-installation keys; HMAC integrity. Sensitive fields (passwords, TOTP) remain bcrypt/Fernet-protected inside the dump — unreadable to us. |
| **Legal basis** | Art. 28 GDPR (processor); contractual basis with each CMS operator who is the controller. |

---

## Activity 3 — Operational network logs (optional, processor role)

| Field | Value |
|---|---|
| **Purpose** | When the CMS operator opts in, capture request/response bodies between CMS and upstream providers for debugging integrations. |
| **Categories of Data Subjects** | End-users of customer CMS instances (IMEIs and codes appear in the logs). |
| **Categories of Personal Data** | IMEIs of devices targeted by orders, unlock codes returned, model/serial info. Authentication credentials are scrubbed before transmission. |
| **Recipients** | Internal only. |
| **International transfers** | Stored in EU. Admin access from Mexico — Art. 49(1)(b). |
| **Retention** | Subject to per-instance configuration; default purge at 30 days from receipt; retained for 180 days after license termination, then permanently deleted. |
| **Security measures** | Same as Activity 2 (in-transit AES-GCM); access-controlled storage. |
| **Legal basis** | Art. 28 GDPR (processor); opt-in basis with controller. |

---

## Activity 4 — License heartbeats (telemetry)

| Field | Value |
|---|---|
| **Purpose** | License validation, clone detection, version tracking. |
| **Categories of Data Subjects** | CMS operators (no end-user PII). |
| **Categories of Personal Data** | machine_id, hostname, public IP, OS info, CPU count, CMS version, configured domains. |
| **Recipients** | Internal only. |
| **International transfers** | Stored in EU. Admin access from Mexico — Art. 49(1)(b). |
| **Retention** | Latest heartbeat per machine retained while license active; historical heartbeats purged after 30 days. |
| **Security measures** | HTTPS in transit; signed payloads (Ed25519); access-controlled storage. |
| **Legal basis** | Art. 6(1)(b) GDPR (contract) — license enforcement. |

---

## Activity 5 — Anti-tampering security events

| Field | Value |
|---|---|
| **Purpose** | Detect and respond to attempts to bypass anti-tampering protections in the CMS. |
| **Categories of Data Subjects** | CMS operators (no end-user PII). |
| **Categories of Personal Data** | machine_id, license_key, short reason string (e.g., `code_hash_mismatch`). |
| **Recipients** | Internal only. |
| **International transfers** | Stored in EU. Admin access from Mexico — Art. 49(1)(b). |
| **Retention** | 7 years (for legal investigation in case of license-key sharing or fraud claims). |
| **Security measures** | TLS-only transmission; append-only log. |
| **Legal basis** | Art. 6(1)(f) GDPR (legitimate interest — protection of intellectual property and detection of fraud). |

---

## Activity 6 — Privacy requests (DSAR)

| Field | Value |
|---|---|
| **Purpose** | Receive and respond to data-subject requests via /legal/contact-privacy. |
| **Categories of Data Subjects** | Anyone who submits the form (end-users, CMS operators, prospects). |
| **Categories of Personal Data** | Email address, name (optional), subject and body of request. |
| **Recipients** | Internal only; potentially forwarded to relevant CMS operator if request relates to their instance. |
| **International transfers** | Email inbox is Google Gmail (US, DPF certified). |
| **Retention** | Until request is resolved + 1 year for compliance audit trail. |
| **Security measures** | Email account with 2FA; encrypted in transit (TLS); access logs. |
| **Legal basis** | Art. 6(1)(c) GDPR (legal obligation — Art. 12-22 GDPR response). |

---

## Audit notes

- This RoPA must be updated whenever a new processing activity begins or an existing one materially changes (e.g., new sub-processor, new data category, new retention).
- Review at least annually.
- The TOMs (Annex 2 of the DPA) are tested as part of pre-deployment security review for changes touching auth, encryption, or backup paths.
- No DPO has been formally designated. Per Art. 37 GDPR, no obligation arises at the current scale of processing; the operator acts as the Privacy Contact.
- An EU Representative under Art. 27 GDPR may need to be appointed if processing of EU-resident Data Subjects becomes regular and on a large scale. Status: under review.
