Register of Processing Activities

UK GDPR Article 30 — Formal ROPA

This Register of Processing Activities (ROPA) is maintained in accordance with Article 30 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It documents all personal data processing activities carried out by Calmony Ltd as data controller.

Note for ICO audits: This document is maintained as a living record. Each processing activity below corresponds to a discrete purpose and lawful basis under UK GDPR. This ROPA is available to the Information Commissioner's Office (ICO) upon request. Controller and DPO contact details are in Section 1 below.

1. Controller & DPO Details

Data Controller

Organisation
Calmony Ltd
Registered Country
United Kingdom
Primary Contact
privacy@calmony.com
ICO Registration
Registered with the ICO (UK GDPR Art. 30(1))

Data Protection Officer / Contact

Role
Data Protection Officer (DPO)
Contact Email
dpo@calmony.com
Postal Address
Calmony Ltd, Data Protection Officer, United Kingdom
Response SLA
Within 30 calendar days

2. Processing Activities

Each record below constitutes one discrete processing activity as required by Art. 30(1)(b-g).

PA-01

Sanctions screening of individuals and entities against the OFSI consolidated list

Lawful Basis
Art. 6(1)(c) — Legal Obligation (Sanctions & AML Act 2018, MLR 2017)
Data Subjects
  • Customers' clients (natural persons)
  • Business counterparties
  • Beneficial owners
Personal Data Categories
  • Full name (including aliases)
  • Date of birth
  • Nationality / country of residence
  • Passport / ID reference numbers
  • Entity names and registration numbers
Recipients
  • Neon (database hosting — EU/UK)
  • Vercel (application hosting — EU edge)
  • OFSI / HM Treasury (source data only, no outbound transfer)
International Transfers
Neon data stored in AWS eu-west-1 (Ireland). Vercel edge caching in EU region. Standard Contractual Clauses (SCCs) and UK IDTA in place.
Retention Period
6 years from date of screening (MLR 2017, Reg. 40)
Security Measures
  • AES-256 encryption at rest
  • TLS 1.2+ in transit
  • Role-based access control (RBAC)
  • Immutable audit log per screening event

PA-02

Continuous monitoring and automated nightly re-screening against updated sanctions lists

Lawful Basis
Art. 6(1)(c) — Legal Obligation (MLR 2017, Reg. 28 — ongoing monitoring obligation)
Data Subjects
  • Customers' clients (natural persons)
  • Business counterparties
Personal Data Categories
  • Full name (including aliases)
  • Date of birth
  • Nationality
  • Previous screening results
Recipients
  • Neon (database hosting — EU/UK)
  • Resend (email notifications — EU)
  • Twilio (SMS/WhatsApp notifications — US; SCCs in place)
International Transfers
Twilio processes SMS delivery data in the US under SCCs and UK IDTA. Resend processes email delivery metadata in the EU.
Retention Period
Monitoring records retained for 6 years (MLR 2017, Reg. 40)
Security Measures
  • Inngest background job with encrypted payload
  • No raw PII in job queues — only record IDs resolved at runtime
  • Audit log entry per re-screening run

PA-03

Audit trail and compliance record-keeping for regulatory inspection

Lawful Basis
Art. 6(1)(c) — Legal Obligation (MLR 2017, Reg. 40; SAMLA 2018; SOC 2)
Data Subjects
  • Platform users (compliance officers)
  • Screened individuals / entities (indirectly)
Personal Data Categories
  • User email and name (actor)
  • Action type and timestamp
  • Resource identifiers
  • IP address (for security audit)
Recipients
  • Neon (database hosting — EU/UK)
  • Vercel (log aggregation — EU edge)
International Transfers
Audit logs stored exclusively in EU region. No transfer outside UK/EU adequacy zone.
Retention Period
7 years from creation date; thereafter anonymised (MLR 2017, HMRC requirements)
Security Measures
  • Append-only audit log table (no UPDATE / DELETE granted)
  • Database-level row security policies
  • Encrypted at rest via Neon Postgres

PA-04

Account registration, user authentication, and identity management

Lawful Basis
Art. 6(1)(b) — Performance of a Contract (provision of the screening service)
Data Subjects
  • Platform users (compliance officers, account administrators)
Personal Data Categories
  • Name
  • Email address
  • Profile image URL (OAuth)
  • Hashed password (credentials login)
  • OAuth tokens (Google / GitHub)
Recipients
  • Neon (database hosting — EU/UK)
  • Google (OAuth — US; SCCs / adequacy decision)
  • GitHub (OAuth — US; SCCs in place)
International Transfers
OAuth authentication tokens processed by Google and GitHub in the US under EU-US Data Privacy Framework and SCCs.
Retention Period
Account data retained while active; purged 12 months after account deletion request
Security Measures
  • Passwords hashed with bcrypt (cost factor ≥ 12)
  • JWT session tokens — HttpOnly, Secure, SameSite=Lax
  • Session expiry enforced (configurable, default 24h)
  • Encrypted PII fields via AES-256 application-layer encryption

PA-05

Payment processing, billing management, and subscription lifecycle

Lawful Basis
Art. 6(1)(b) — Performance of a Contract; Art. 6(1)(c) — Legal Obligation (HMRC VAT requirements)
Data Subjects
  • Platform users (billing contacts)
  • Organisations
Personal Data Categories
  • Name and email (billing contact)
  • Company name and address
  • Invoice amounts and payment history
  • Calmony Pay customer ID (pseudonymous reference)
Recipients
  • Calmony Pay (payment processing — UK)
  • Neon (billing records — EU/UK)
International Transfers
Calmony Pay processes payment card data within the UK. Raw card data never reaches Calmony Sanctions Monitor servers.
Retention Period
7 years from transaction date (HMRC tax record requirements)
Security Measures
  • No card data stored by Calmony Sanctions Monitor — Calmony Pay handles PCI-DSS compliance
  • Calmony Pay customer IDs stored as pseudonymous references
  • Webhook signatures verified via HMAC-SHA256 x-calmony-signature header

PA-06

Email and SMS/WhatsApp notifications for sanctions match alerts and system events

Lawful Basis
Art. 6(1)(f) — Legitimate Interests (ensuring timely compliance action by users)
Data Subjects
  • Platform users (notification recipients)
Personal Data Categories
  • Email address
  • Phone number (if SMS/WhatsApp configured)
  • Name (for personalisation)
Recipients
  • Resend (transactional email — EU data centres)
  • Twilio (SMS/WhatsApp — US; SCCs and UK IDTA in place)
International Transfers
Twilio routes SMS delivery data via US infrastructure under SCCs. Resend stores delivery metadata in EU.
Retention Period
Notification delivery logs retained for 90 days; purged thereafter
Security Measures
  • Email content limited to notification metadata — no raw PII in message body where avoidable
  • API keys stored as environment secrets, not in codebase
  • TLS 1.2+ for all outbound notification API calls

PA-07

Adverse media screening and enhanced due-diligence results (premium feature)

Lawful Basis
Art. 6(1)(f) — Legitimate Interests (enhanced compliance due diligence for regulated entities)
Data Subjects
  • Customers' clients (natural persons)
  • Business counterparties
Personal Data Categories
  • Full name
  • Adverse media articles and source URLs
  • Risk category classifications
Recipients
  • Neon (database hosting — EU/UK)
  • Vercel (application layer — EU edge)
International Transfers
No transfer outside UK/EU adequacy zone for adverse media results.
Retention Period
6 years from date of screening (aligned with sanctions screening records)
Security Measures
  • Access restricted to authorised users within the same organisation
  • Organisation-level Row Level Security (RLS) on all screening tables
  • Results stored encrypted at rest

PA-08

Service analytics, security monitoring, and fraud prevention

Lawful Basis
Art. 6(1)(f) — Legitimate Interests (service security and abuse prevention)
Data Subjects
  • Platform users
Personal Data Categories
  • IP address (pseudonymised after 30 days)
  • User agent string
  • Request timestamps and endpoint paths
  • Error and performance telemetry
Recipients
  • Vercel (application and edge log processing — EU)
  • SaaS Factory platform (error ingestion — UK/US)
International Transfers
Error telemetry is reported to the SaaS Factory platform (UK-hosted where applicable; Vercel edge — SCCs/IDTA in place).
Retention Period
Raw logs retained for 30 days; aggregated/anonymised analytics retained for 2 years
Security Measures
  • IP addresses pseudonymised (last octet zeroed) after 30 days
  • No PII included in error telemetry payloads (PII scrubbing applied before transmission)
  • Rate limiting applied to prevent abuse logging PII at volume

3. Categories of Recipients

The following third-party processors and sub-processors receive or have access to personal data processed by Calmony Ltd. All processors are contractually bound under Data Processing Agreements (DPAs).

Recipient | Role | Data Processed | Transfer Safeguard | Location
Neon | Database processor | All personal data stored in the platform | Data residency: AWS eu-west-1; SCCs | EU (Ireland)
Vercel | Application hosting | IP addresses, request logs, edge caches | EU edge deployment; SCCs | EU / UK
Calmony Pay | Payment processor | Billing name, email, payment card (not stored by Calmony Sanctions Monitor) | UK GDPR; PCI-DSS | UK
Resend | Email delivery | Email address, notification content | EU data centres; DPA in place | EU
Twilio | SMS / WhatsApp delivery | Phone number, notification content | SCCs + UK IDTA | US (SCCs)
Google (OAuth) | Authentication provider | Name, email, profile image | EU-US Data Privacy Framework; SCCs | US / EU
GitHub (OAuth) | Authentication provider | Name, email, profile image | SCCs; Microsoft GitHub DPA | US
Inngest | Background job orchestration | Job metadata (no raw PII in payloads) | SOC 2 Type II; DPA in place | US / EU

4. International Transfers

Where personal data is transferred to countries outside the UK, Calmony ensures appropriate safeguards are in place in accordance with UK GDPR Chapter V and the ICO's International Data Transfer Agreement (IDTA).

Standard Contractual Clauses (SCCs)

Used for transfers to US-based processors (Twilio, Google, GitHub). UK IDTA addendum attached where required. Calmony Pay processes data within the UK.

EU-US Data Privacy Framework

Google LLC is certified under the EU-US DPF. This provides an adequacy basis for authentication data processed in the US.

Data Residency Controls

Neon Postgres data is stored in AWS eu-west-1 (Ireland). Vercel edge deployments default to EU regions. No primary data stored outside EU/UK.

Processor DPAs

All third-party processors have signed Data Processing Agreements (DPAs) as required by UK GDPR Art. 28. Copies are available on request to dpo@calmony.com.

5. Technical & Organisational Security Measures

Calmony implements appropriate technical and organisational measures (TOMs) as required by UK GDPR Article 32 to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Encryption at Rest

All personal data fields are encrypted at rest using AES-256. Database-level encryption via Neon Postgres (AWS KMS).

Encryption in Transit

All connections use TLS 1.2 or higher. HSTS headers enforced. Certificate pinning on critical endpoints.

Access Control (RBAC)

Role-based access control enforced at application layer. PostgreSQL Row Level Security (RLS) restricts cross-tenant data access.

Authentication Security

Passwords hashed with bcrypt (≥12 rounds). JWT sessions with configurable expiry. Rate limiting on auth endpoints.

Audit Logging

All state-changing operations (create, update, delete) are written to an immutable append-only audit log with actor, timestamp, and resource.

API Key Security

API keys hashed with SHA-256 before storage. Keys prefixed for detection by secret-scanning tools. Never stored in plain text.

Dependency & Vulnerability Scanning

Automated dependency scanning via Dependabot. npm audit blocking in CI pipeline. SAST checks on pull requests.

Incident Response

Documented data breach response procedure. ICO notification within 72 hours where required (UK GDPR Art. 33). Runbook maintained in version control.

Data Minimisation

SELECT projections exclude unnecessary PII fields. Screening jobs reference record IDs at runtime — no raw PII in job queue payloads.

6. Review & Version History

This ROPA is reviewed at least annually, and whenever a significant new processing activity is introduced. Reviews are documented below.

Version | Date | Changes | Reviewed By
1.0 | 1 January 2025 | Initial ROPA — 8 processing activities documented | DPO, Calmony Ltd

Request a Copy or Raise a Query

To request a copy of this ROPA, raise a data subject rights request, or submit a data protection query, contact our Data Protection Officer at dpo@calmony.com. ICO complaints: ico.org.uk/make-a-complaint.

Document version 1.0 — Last reviewed: 1 January 2025 — Calmony Ltd