DIREKT Data Processing Register¶
Baseline: Phase 10 synthetic system — 2026-07-17
Status: Technical processing inventory. Lawful bases, registration and retention periods require qualified Zambia review before real data processing.
Control rules¶
- Every processing activity requires an owner, purpose, data classification, source, recipients, candidate lawful basis, retention state, deletion/rights implementation and policy version.
- A candidate lawful basis in this register is not legal approval.
- Real identity, evidence, precise location, communications or payment processing remains prohibited until the DPC/counsel/provider stop gates are satisfied.
- Public output uses explicit allowlists; private source data is not made public by default.
- Commercial state does not create verification, publication, ranking or accountability outcomes.
- New vendors require data-processing, location, sub-processor, retention, incident and cross-border review.
Processing activities¶
| ID | Activity | Subjects and data | Purpose | Candidate basis requiring review | Recipients | Retention state | Technical controls | Owner/status |
|---|---|---|---|---|---|---|---|---|
| P-001 | Authentication challenge | contact channel/value hash, masked hint, challenge hash, attempt/expiry metadata, IP/user-agent hashes | verify possession and prevent abuse | service request, legitimate security interest and/or consent | approved OTP provider only after contract | challenge expiry plus bounded security/audit history | normalized/hash-only contact, one-time code hash, attempt limit, production delivery disabled | Security/backend — synthetic only |
| P-002 | Account and session | identity ID, verified contact reference, session family, refresh-token hash, device label, IP/user-agent hashes | account access, device/session management and compromise response | contract/service and security/legal obligation | DIREKT support/security; no public recipient | active session plus bounded security history | short access token, rotating hashed refresh token, family reuse revocation, live identity status | Security/support — synthetic only |
| P-003 | Customer profile | display name, profile status | personalize customer account | contract/service | customer and authorized support | account life plus rights/legal schedule | own-account permission and safe projection | Product/support — synthetic only |
| P-004 | Provider organization/profile | representative assignments, pathway, operating model, business/qualification/experience summaries, locality/service summary | create/manage provider workspace | provider contract and legitimate marketplace purpose | provider representatives; safe public allowlist after publication | active provider plus bounded accountability/legal history | identity/provider separation, actor-resolved scope, revisions and public allowlist | Provider operations — synthetic only |
| P-005 | Provider private/public location | private base coordinates, consented public premises, service area and public locality | eligibility, service-area matching and lawful public premises display | contract, explicit consent for public premises and legitimate service delivery | assigned operations; map provider only after approval; public locality/consented premises only | active need plus bounded audit/deletion schedule | separate location classes, precise-coordinate exclusion, mobile-provider ranking ban | Privacy/provider operations — real data blocked |
| P-006 | Verification evidence | identity/business/qualification/location/experience evidence bytes, opaque object reference, MIME/size/checksum, requirement scope | evidence-backed provider verification | contract, legal obligation or explicit consent depending evidence; counsel required | assigned reviewers and approved authority/source | validity, appeal/fraud/legal period; rejected/abandoned cleanup | private storage, logical upload intent, short grants, checksum/MIME/size, immutable version | Trust/privacy — real evidence blocked |
| P-007 | Verification cases/decisions/claims | case assignment, recommendations, reason codes, decisions, limitations, validity and safe public claim | issue scoped evidence-backed trust claims | marketplace contract, legitimate interest and category law; counsel required | provider, assigned operations, public claim allowlist | decision/claim history plus appeal/legal schedule | controlled state machines, immutable decisions/events, no blanket verification | Trust operations — synthetic only |
| P-008 | Discovery and saves | public provider/category/claim/availability data, coarse/manual search area, saved-provider reference | match customers and providers | service request/legitimate interest | customer; map provider only after approval | search telemetry minimal; saves until removal/account closure | live claim enforcement, private-coordinate exclusion, deterministic non-paid ranking | Product/privacy — synthetic only |
| P-009 | Enquiry and tracked interaction | bounded service summary, timing, locality summary, provider/category/publication references, status/history | request and track a service interaction | pre-contract/service request | customer/provider and authorized support | support/review eligibility/complaint window plus legal schedule | idempotency, owner/provider scope, revisioned immutable events | Interaction operations — synthetic only |
| P-010 | Contact handoff | verified contact reference, masked hint, channel, purpose, consent/expiry/revocation | temporary call/WhatsApp handoff after accepted enquiry | explicit channel-specific consent | accepted provider; communications vendor after approval | 24-hour active grant plus minimized consent/audit history | no raw value in interaction table, masked projection, immediate revocation, external delivery disabled | Privacy/interaction — real delivery blocked |
| P-011 | Reviews and provider response | rating, bounded title/body, moderation status, response, report/appeal reasons | marketplace accountability and fair response | contract/legitimate interest; public publication and moderation basis require counsel | customer/provider, moderators; published public allowlist | publication plus moderation/appeal/legal schedule | qualifying tracked interaction, one review/response, moderation, appeal and public allowlist | Trust/support — synthetic only |
| P-012 | Customer complaint | complaint type/summary, owned interaction reference, status/events and reason | customer redress and provider conduct handling | contract, legal obligation and legitimate interest; counsel required | customer, affected provider as policy permits, complaint operations | severity/legal/consumer schedule | separate from reviews and internal incidents, owner scope, revisions, immutable events | Support/legal — synthetic only |
| P-013 | Internal incident | bounded internal operational/security details, owner, severity/status/events | detect, contain and resolve internal operational/security events | legal obligation and legitimate security interest; counsel required | authorized incident/security staff only | severity/legal/insurance schedule | separate private domain, owner-scoped transitions, immutable terminal history | Security/operations — synthetic only |
| P-014 | Product/subscription | product/price/entitlement definition, provider subscription state/events | provide/manage commercial workspace access | provider contract | provider and finance operations | contract/accounting/support schedule | separate commercial schema, actor-resolved scope, no trust/ranking effect | Finance/product — synthetic only |
| P-015 | Invoice/payment/receipt | provider/subscription/invoice references, integer minor-unit totals, payment status/reference, safe provider event metadata | bill and reconcile subscriptions | contract, accounting/tax/legal obligation; qualified review required | provider, finance/accounting and approved payment provider | statutory/accounting schedule after review | immutable invoice lines, disabled/synthetic adapter, no credential/raw webhook storage | Finance/legal — real payments disabled |
| P-016 | Ledger/reconciliation/adjustment | balanced debit/credit entries, mismatch codes, approvals, reason/policy history | financial audit, exception resolution and controlled correction | accounting/legal obligation and legitimate fraud control | finance/audit and approved professional advisers | statutory/audit/legal schedule | append-only balanced ledger, reconciliation, consistent references and two approvers | Finance/audit — synthetic only |
| P-017 | Operations assignments/access | role assignments, case/evidence grants, field work, escalations, overrides, queue ownership | administer verification, support, trust and finance work | contract/employment, legal obligation and legitimate security interest | authorized staff/contractors only | assignment plus audit/legal schedule | live permissions, purpose/assignment, short grants, four-eyes controls and audit | Operations/security — synthetic only |
| P-018 | Audit and security telemetry | actor/resource IDs, action, request/correlation ID, bounded metadata, timestamps and safe error codes | accountability, abuse detection, incident response and compliance evidence | legal obligation and legitimate security interest; counsel required | security/audit/operations | bounded operational/legal schedule | append-only events, redaction rules, no secrets/raw protected values | Security/audit — synthetic only |
| P-019 | Product analytics | synthetic/app events, coarse context, performance/error state | reliability, accessibility and product improvement | consent and/or legitimate interest; review required | approved analytics processor only after DPA | aggregate/de-identify early and delete raw identifiers quickly | no evidence/private coordinates/contact/payment credentials; disabled until approved | Product/privacy — unselected/blocked |
| P-020 | Research/pilot | interview/observation/consent notes and separately approved private examples | Phase 11 usability, comprehension, operations and willingness-to-pay validation | informed consent and research ethics/legal review | approved research team only | consented research schedule and deletion commitment | separate private system, pseudonymization, consent withdrawal and no public repo | Research/privacy — Phase 11 only |
Data-subject rights implementation matrix¶
| Right/control | Current synthetic support | Required before real data |
|---|---|---|
| Notice/transparency | policy-version fields and documentation structure | approved layered privacy notice, provider/customer/worker notices and vendor list |
| Access | account/session and bounded own-workspace APIs | authenticated rights-request workflow, identity proofing, response package and deadlines |
| Correction | profile/location/service updates and appeal/correction lifecycles | formal rights intake, authority-source correction and downstream propagation |
| Deletion | session revocation and bounded lifecycle deletion protections | classification-based deletion/anonymization, legal holds, storage/vendor propagation and backup expiry |
| Restriction/objection | suspension, revocation, consent withdrawal and publication controls | formal processing restriction/objection workflow and legal-basis handling |
| Portability/export | no production export | scoped machine-readable export with redaction, identity proofing and audit |
| Consent withdrawal | handoff revocation and public-premises consent removal | approved consent registry, downstream stop, historical proof and vendor propagation |
| Complaint | customer complaint and appeal state machines | DPC/CCPC/authority escalation procedure and service levels |
| Breach notice | incident architecture and audit | approved notification thresholds, contacts, timelines and exercise evidence |
Cross-border and vendor controls¶
Before a vendor receives real personal data, record:
- provider/legal entity and service;
- controller/processor/sub-processor role;
- hosting and support locations;
- Zambia storage/transfer authorization requirement and evidence;
- DPA/security annex and audit rights;
- encryption, access, retention, deletion and backup behavior;
- breach notice and cooperation;
- government/authority request policy;
- termination/export/deletion evidence;
- cost, quota and operational owner.
Change control¶
A new table, field, event, public projection, storage bucket, external adapter, analytics event or export must update this register, the threat model, retention schedule, privacy model, test strategy, decision/risk records and—where applicable—the DPC/counsel approval package before activation.