{ "document": "Record of Processing Activities (RoPA) - GDPR Article 30", "v": "V61_AUTO_GENERATED_TEMPLATE", "ts_generated": "AUTO", "controller": { "name": "WEVAL Consulting", "founder": "Yacine Mahboub", "dpo": "Yacine Mahboub (acting - to be formalized)", "address": "Casablanca, Morocco / Paris, France", "email": "ymahboub@weval-consulting.com" }, "processing_activities": [ { "id": "RoPA_001", "purpose": "B2B lead generation (prospects commerciaux)", "legal_basis": "Art. 6(1)(f) Legitimate Interest", "data_subjects": "Business contacts (named contacts at prospect companies)", "data_categories": ["name", "business_email", "job_title", "company"], "recipients": "internal sales team WEVAL", "third_country_transfers": "none - sovereign EU/MA hosting", "retention": "5 years after last contact OR opt-out", "security_measures": "TLS, Authentik SSO, Vaultwarden secrets, encrypted DB" }, { "id": "RoPA_002", "purpose": "HCP communications (Ethica client)", "legal_basis": "Art. 6(1)(a) Consent via consent.wevup.app", "data_subjects": "Healthcare Professionals (Maghreb)", "data_categories": ["name", "specialty", "email", "consent_status"], "recipients": "Ethica Group (data controller)", "third_country_transfers": "none", "retention": "until consent withdrawn", "security_measures": "same as RoPA_001 + consent audit trail" }, { "id": "RoPA_003", "purpose": "Employee/founder data", "legal_basis": "Art. 6(1)(b) Contract performance", "data_subjects": "Founder Yacine", "data_categories": ["identity", "contact", "financial"], "retention": "10 years (tax law)", "security_measures": "same as RoPA_001" } ], "breach_procedure_72h": { "step_1_detect": "monitoring alerts + SSO logs + Cloudflare WAF", "step_2_assess": "scope + risk level + affected subjects", "step_3_contain": "isolate + rotate keys + document", "step_4_notify_cnil": "if high risk: within 72h via declaration.cnil.fr", "step_5_notify_subjects": "if high risk: direct comms", "step_6_document": "full post-mortem + lessons learned" }, "dpia_summary": { "high_risk_processing": "HCP data (Ethica) - health sector sensitive", "systematic_assessment": "done via consent + retention + minimization", "balancing_test": "B2B legitimate interest does not override data subject rights (opt-out always respected)" }, "status": "AUTO_TEMPLATE - Yacine reviews + signs + uploads to CNIL declarations", "next_step_owner": "Yacine review + sign within Q2 2026" }