Compliance Dashboard AI Act Art. 50 GDPR Accountability Access & Suppliers Security Intake

Use this page to run a dated access review and maintain a supplier register. These two artifacts create evidence for ISO/IEC 27001 readiness, GDPR integrity/confidentiality, and NIS2 supply-chain/access-control measures.

Framework Rows

GDPR-5-6, ISO27001-3, ISO27001-5, NIS2-21-4, NIS2-21-9, NIS2-21-10

Review Rule

Unknown MFA, DPA, region, or business-need status remains visible as a gap until reviewed and dated.

Source Plan

private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md

Access Review Fields

Field What To Capture Evidence Expectation
System/surface Clerk, Vercel, Cloudflare, R2/KV, model-provider consoles, GitHub, Stripe, backoffice, or admin APIs. Every critical system appears at least once.

Access Inventory — 13 Systems

SystemPurposeAccountMFA / Auth Status
ClerkAuthenticationNicolas, admin✅ Google SSO + Passkey (confirmed 2026-07-06)
VercelDeployments, logs, cronsNicolas, owner✅ Passkey (confirmed 2026-07-06)
CloudflareR2, D1, Workers, CDNNicolas, admin✅ Google SSO + Passkey (confirmed 2026-07-06)
GitHubSource code, CI/CDNicolas, owner✅ Passkeys (confirmed 2026-07-06)
StripeBilling, paymentsNicolas, admin✅ Authy app (confirmed 2026-07-06)
OpenAIAI model inferenceNicolas, API key✅ MFA enabled (confirmed 2026-07-06)
Google CloudRun/Build jobsNicolas + service acct✅ Passkey (Google account, confirmed 2026-07-06)
UpstashKV state storeNicolas, via Vercel✅ Vercel integration + Passkey (confirmed 2026-07-06)
ResendEmail deliveryNicolas, API key✅ Authy app (confirmed 2026-07-06)
Meta/WhatsAppMessagingNicolas + OAuth✅ MFA with email (confirmed 2026-07-06)
ShopifyE-commercePer-HEA OAuth✅ Passkey + OAuth scoped (confirmed 2026-07-06)
CookiebotConsent managementNicolas, admin✅ Google SSO + Passkey (confirmed 2026-07-06)
ExploriumCRM enrichmentNicolas, API key✅ Google SSO + Passkey (confirmed 2026-07-06)
AnthropicDev tooling (via Google Antigravity)Nicolas, via Google✅ Google Passkey — no direct account (confirmed 2026-07-06)
Access role Owner, admin, developer, read-only, service account, or unknown. Role matches provider console or internal policy note.

Current Access Roles

All systems accessed by Nicolas as owner/admin. No additional human users. Service accounts: Google Cloud Run service account, per-HEA OAuth connections (Gmail, Microsoft, Shopify). API keys: OpenAI, Gemini, Brave, Perplexity, Mistral, Explorium, SerpAPI.

13 API key holders need rotation review.

Account Human or service account identifier. No secrets or raw credentials in this table.

Account Summary

Single human operator: Nicolas Payen. No shared admin passwords. OAuth tokens are per-HEA scoped and encrypted (AES-256-GCM). Service keys use HMAC or provider-managed rotation.

Business reason Why the access exists. Missing reason should trigger reduce/remove/investigate.

Business Justification

All systems have documented purpose (hosting, auth, billing, AI inference, CRM sync, etc.). No orphaned access found in initial audit. Recommended: quarterly review cadence.

MFA status Confirmed, unavailable, unknown, or not applicable. Unknown stays a gap until verified.

MFA Coverage Summary

✅ Confirmed: 3 / 13  Vercel, GitHub, Stripe

❓ Unknown: 7  Clerk, OpenAI, Upstash, Resend, Meta/WhatsApp, Cookiebot, Anthropic

⚠️ Partial: 1  Cloudflare (via Google SSO — confirm Google account MFA)

🔵 OAuth-only: 2  Shopify, IMAP

Decision Keep, reduce, remove, or investigate. Decision date and reviewer are required for evidence.

Access Decisions — 2026-07-06

All access: Keep. No access removal recommended at this time.

Required follow-up:
• Confirm MFA on remaining 7 unknown systems
• Establish quarterly review cadence
• Confirm API key rotation practice

Supplier Register Fields

Field What To Capture Evidence Expectation
Supplier Vercel, Cloudflare, Clerk, model providers, Stripe, email provider, analytics provider, or support/contact tooling. Every critical runtime provider has a row.

Supplier Inventory — Top 10 High-Criticality

#SupplierPurposeCriticalityRegion (HQ)Data Processing Region(s)DPA Status
1ClerkAuthenticationHighUSUS — Clerk processes auth data in US data centres❓ Unknown
2VercelHosting/runtimeHighUS/globalUS (iad1) — serverless functions execute in US-East by default; static edge is global CDN❓ Unknown
3CloudflareR2, D1, Workers, CDNHighEU/globalEU (WEUR) — R2, D1, CDN all configured in Western Europe❓ Unknown
4StripeBillingHighUSUS/EU — Stripe processes in both; EU entity available for EU merchants❓ Unknown
5OpenAIAI inferenceHighUSUS — API inference runs in US data centres❓ Unknown
6Google CloudBackground jobsHighEU/USEU (europe-west) — Cloud Run in europe-west (confirmed 2026-07-06)❓ Unknown
7UpstashKV state storeHighEU/USEU (AWS eu-central-1) — all KV databases in Frankfurt (confirmed 2026-07-06)❓ Unknown
8ResendEmail deliveryHighUSUS — email processed in US❓ Unknown
9Meta/WhatsAppMessagingHighUSUS/global — WhatsApp Business API processes in US/regional❓ Unknown
10GitHubSource code, CI/CDHighUSUS — repos and Actions run in US❓ Unknown

31 suppliers total. 10 high-criticality, 11 medium, 10 low. See full register in source artifact.

Service purpose Hosting, storage, authentication, model inference, billing, email, analytics, or security tooling. Purpose should align with GDPR accountability table.

Purpose Mapping by Category

Hosting: Vercel, Cloudflare
Auth: Clerk
Billing: Stripe
AI: OpenAI, Gemini, Mistral
Storage: Cloudflare R2/D1, Upstash KV
Email: Resend, Gmail API, Microsoft Graph
Messaging: Meta/WhatsApp
CRM enrichment: Explorium
Monitoring: NPEHolding
Search: Brave, Perplexity, SerpAPI
Consent: Cookiebot

Data involved Customer content, personal data, billing data, logs, metadata, or no customer data. Map to data categories rather than dumping raw fields.

Data Category Mapping

Customer content: Cloudflare R2, OpenAI (chat prompts), Google Cloud
Personal data: Clerk (identity), Stripe (billing), Resend (emails)
Chat data: OpenAI, Upstash
Billing: Stripe
Tokens: Gmail/Microsoft/Shopify OAuth
No customer data: GitHub (source only), jsdelivr, Plotly, YouTube

Criticality High, medium, or low. High-criticality suppliers need owner and next review date.

Criticality Breakdown

10 HIGH  All runtime dependencies that handle customer data or auth. Outage = immediate product impact.

11 MEDIUM  Features that degrade gracefully (CRM enrichment, OCR, search).

10 LOW  Static assets, analytics tags, video embeds.

Region/transfer note EU, US, global, provider-specific, or unknown. Unknown stays visible for follow-up.

Geographic Distribution

Provider HQ predominantly US-based: 20+ suppliers.
EU data processing (confirmed 2026-07-06):
  • Cloudflare R2/D1/CDN — WEUR (Western Europe)
  • Upstash KV — AWS eu-central-1 (Frankfurt)
  • Google Cloud Run — europe-west
EU-origin providers: Mistral (France), Cookiebot (Denmark), NPEHolding (NL), Explorium (Israel/US — Google SSO).
US-only processing: Clerk (auth), Vercel (serverless), OpenAI (inference), Resend (email), GitHub (source code).
Transfer mechanisms: Most US providers include SCCs in standard DPA/ToS. Formal review pending per-supplier.

⚠️ Reduced risk  Core PII stores (R2, KV, Cloud Run) are EU-hosted. US transfers are transient (inference, deployment) or low-PII (source code). Per-supplier SCC confirmation still needed.

DPA/security status Signed, available, pending, unknown, or not needed. Link provider trust/DPA/security source when possible.

DPA Coverage — High-Criticality Suppliers

#SupplierDPA LinkStatus
1Clerkclerk.com/legal/dpa❓ Review
2Vercelvercel.com/legal/dpa❓ Review
3Cloudflarecloudflare.com DPA❓ Review
4Stripestripe.com/legal/dpa❓ Review
5OpenAIopenai.com DPA❓ Review
6Google Cloudcloud.google.com DPA❓ Review
7Upstashupstash.com/trust/dpa❓ Review
8Resendresend.com/legal/dpa❓ Review
9Meta/WhatsAppWhatsApp Business DPT❓ Review
10GitHubgithub.com DPA❓ Review

⚠️ Pending review  DPA links identified for all 10 high-criticality suppliers. Owner review needed — click each link, confirm DPA applies to your account, update status to ✅.