Records of processing
A summary of our Records of Processing Activities: every processing purpose mapped to its lawful basis, the data it touches, who receives it, how long we keep it, and the transfer basis. The detail that sits behind the privacy policy, in one register.
Last updated 27 June 2026
Processing register
Each row maps a processing activity to its lawful basis under the PDPL and the GDPR/UK GDPR, the data categories involved, the recipients (our sub-processors), the retention, and the transfer basis. It is consistent with the privacy policy's use (§3), legal-basis (§4), retention (§5), and sub-processor (§6) sections.
| Activity | Lawful basis | Data categories | Recipients | Retention | Transfer basis |
|---|---|---|---|---|---|
| CIEM analysis | Performance of a contract | Identities, role assignments, audit/sign-in activity, consent state, inventory metadata | Vercel (compute), Neon (storage) | Inventory replaced each sync; logs per tier | SCCs + DPF where certified |
| Authentication | Performance of a contract | Entra ID profile, sign-in metadata (IP, user agent, timestamp) | Microsoft (Entra ID), Neon | Account lifetime; removed on deletion | Tenant region; SCCs + DPF where certified |
| Billing & metering | Performance of a contract; legal obligation (tax records) | Billing email, Stripe identifiers, usage records | Stripe, Neon | Billing/tax records survive deletion as required by law | SCCs + DPF where certified |
| Transactional email | Performance of a contract | Recipient address, transactional message content | Resend | Operational; minimal delivery records | SCCs + DPF where certified |
| Audit logging | Legitimate interests (security, accountability) | Admin actions, sync history | Neon | Account lifetime; deletion-audit record survives | SCCs + DPF where certified |
| Marketing analytics | Consent (opt-in) | Marketing-site visit metadata only | Google Analytics | Per Cookie Policy; withdrawable any time | SCCs + DPF where certified; consent-gated |
The full record
We maintain a full internal Record of Processing Activities and make it available to controllers and regulators on request. The summary above is the buyer-facing extract; the full record carries the additional operational detail Art. 30 expects.
To request the full RoPA, email support@permafrostepm.com.