{"service":{"name":"VC Deal Flow Signal (GitDealFlow)","url":"https://signals.gitdealflow.com","operator":"GitDealFlow","contact":"signal@gitdealflow.com","security":"https://signals.gitdealflow.com/.well-known/security.txt","privacyPolicy":"https://signals.gitdealflow.com/.well-known/ai-policy.json"},"dataPosture":{"processesPii":false,"processesEndUserPii":false,"publicDataOnly":true,"notes":"All ranked entities are corporate GitHub orgs and public-domain venture entities. Inputs are public GitHub events. No end-user records are stored beyond email + Stripe customer ID for paid subscribers (handled by Stripe and Resend; we do not collect KYC-grade PII).","sourcesOfTruth":["GitHub public events API","Wikidata public dump","SSRN preprint repository"]},"gdpr":{"status":"applicable_low_risk","controllerForPaidSubscriberPii":true,"processors":["Stripe (payments)","Resend (transactional email)","Vercel (hosting)"],"legalBasis":"Legitimate interest for public-data processing (Art. 6(1)(f)); contract for paid subscribers (Art. 6(1)(b))","dpa":"Available on request from signal@gitdealflow.com","dataResidency":["EU (Vercel fra1, primary)","US (Vercel iad1, failover)"],"rightsContact":"signal@gitdealflow.com","retentionDefaults":{"subscriberEmail":"Until unsubscribe + 12 months","stripeCustomerRecord":"Lifetime of subscription + 7 years (tax law)","analytics":"PostHog default 30 days, no PII"}},"ccpa":{"status":"applicable_low_risk","sellOrShare":false,"opt_out_url":"https://signals.gitdealflow.com/privacy"},"hipaa":{"status":"not_applicable","reason":"No protected health information processed"},"pci":{"status":"not_applicable_offloaded","reason":"All card data handled by Stripe (PCI-DSS Level 1). We never see card numbers."},"soc2":{"status":"not_certified","notes":"Sub-scale operation; SOC 2 Type II is on the roadmap once we have an enterprise pipeline. For interim assurance, we lean on Vercel SOC 2 Type II + Stripe SOC 2 Type II (data processors).","compensatingControls":["Vercel-managed hosting + automatic deploys (Vercel SOC 2 Type II covers infra)","Stripe-managed payments (Stripe SOC 2 Type II covers card data)","Public-data-only inputs eliminate insider-threat exfiltration risk for the ranked dataset (the stored subscriber email + Stripe customer ID are not covered by this control)"]},"iso27001":{"status":"not_certified","notes":"Same posture as SOC 2 — relying on subprocessor certifications."},"aiUsage":{"userDataUsedForTraining":false,"modelInferenceProviders":["Anthropic (occasional, for /api/ask + /api/answer summarisation; no user data persisted)"],"botPolicy":"https://signals.gitdealflow.com/.well-known/ai-policy.json","agentEntrypoints":"https://signals.gitdealflow.com/.well-known/agent-card.json"},"subprocessors":[{"name":"Vercel","role":"Hosting + edge","url":"https://vercel.com/legal/dpa"},{"name":"Stripe","role":"Payments","url":"https://stripe.com/legal/dpa"},{"name":"Resend","role":"Transactional email","url":"https://resend.com/legal/dpa"},{"name":"PostHog (EU)","role":"Product analytics, no PII","url":"https://posthog.com/dpa"},{"name":"PocketBase (self-hosted Hetzner)","role":"Subscriber records","url":"https://hetzner.com/legal/"}],"incidentResponse":{"breachNotificationSla":"72 hours from confirmed breach (GDPR Art. 33)","responseEmail":"signal@gitdealflow.com","publicLog":"https://signals.gitdealflow.com/corrections","statusPage":"https://signals.gitdealflow.com"},"enterprise":{"contractsAndDpa":"signal@gitdealflow.com","ssoOptions":"Available on Sharp Tier (€497/mo) and custom enterprise scopes","offboarding":"Self-serve at /account or by emailing signal@gitdealflow.com. Subscriber data deleted within 30 days; Stripe records retained per tax law."},"complianceDocumentVersion":"1.0","lastReviewed":"2026-05-05"}