{"schema_version":"1.0.0","data_residency":{"primary_database_region":"eu-north-1 (Stockholm)","hosting_region":"EU edge (Vercel) — pre-launch migration to fully EU-hosted backend planned","backup_region":"eu-north-1 (Stockholm)"},"gdpr":{"legal_basis_tier1_roles":"Article 6(1)(f) — legitimate interest","legal_basis_api_consumers":"Article 6(1)(b) — contractual necessity","data_subject_rights_endpoint":"/privacy"},"subprocessors":[{"name":"Supabase","purpose":"Primary database","region":"EU (Stockholm, eu-north-1)","dpa_signed":true},{"name":"Vercel","purpose":"Build + edge hosting (pre-launch; EU migration planned)","region":"EU edge","dpa_signed":true},{"name":"Sentry","purpose":"Error tracking (no PII per scrubber config)","region":"EU","dpa_signed":true},{"name":"Plausible","purpose":"Privacy-first analytics (cookieless, no PII)","region":"EU (Germany)","dpa_signed":false},{"name":"Betterstack","purpose":"Uptime monitoring + hosted status page","region":"EU","dpa_signed":false},{"name":"Maskinporten (Digdir)","purpose":"Norwegian government auth broker","region":"Norway (EU/EEA)","dpa_signed":false},{"name":"Lovdata","purpose":"Read-only legal-text reference (no data sent)","region":"Norway (EU/EEA)","dpa_signed":false},{"name":"Resend","purpose":"Transactional email (welcome, magic link, password reset)","region":"EU (Ireland)","dpa_signed":true}],"retention":{"api_request_logs_days":30,"error_logs_days":30,"delta_logs_anonymized_after_months":12,"audit_log_retention":"forensic — see Processing Activities Register","evaluation_snapshots_retention_months":24},"audit":{"append_only":true,"correlation_id_header":"X-Correlation-ID","trust_metadata_on_every_response":true},"rulebook":{"last_updated":null,"recent_versions_endpoint":"/trust#rulebook-history"},"last_verified_at":"2026-05-21","generated_at":"2026-05-21T15:14:04.708Z"}