> **REVIEW BY LEGAL COUNSEL REQUIRED BEFORE EXECUTION. Template sourced from GDPR.eu community version, adapted by the COHESION team. Not legal advice.**

# Data Protection Impact Assessment (DPIA) Template

**Controller:** [Customer legal entity name]
**Processor:** COHESION AUTH LLC
**Service:** COHESION Judgment Independence Score API and related services
**Assessment date:** [Date]
**Assessment version:** [Version]
**Data Protection Officer (DPO):** [Name, where the Controller has appointed one]
**Assessment author:** [Name, role]

This DPIA is prepared pursuant to Article 35 of Regulation (EU) 2016/679 (the "GDPR") to assess the impact on the rights and freedoms of data subjects of Processing Personal Data through the Services.

---

## 1. Description of Processing (GDPR Art 35(7)(a))

### 1.1 Nature of Processing

The Services capture behavioral telemetry from operators using AI-augmented systems and compute, in real time, a continuous Judgment Independence Score ("JIS") that reflects the extent to which an operator exercises independent judgment over AI output. The Processing consists of:

(a) **Capture** of per-interaction telemetry fields: time-to-decision, decision category (accepted, modified, rejected, independent), modification extent, hover events, scroll depth, alternative-view checks, outcome-correctness flag, and ambient scenario-type.

(b) **Computation** of a seven-dimension score (Deferral Resistance, Error Detection Capability, Independent Performance, Deliberation Depth, Post-Error Recalibration, Domain Confidence, Decision Autonomy) aggregated into a single JIS value with a published weighting scheme.

(c) **Aggregation** of JIS over time using an exponentially weighted moving average with a configurable half-life, producing trend lines and decay projections.

(d) **Invisible Maintenance Interventions** (IMP): calibration injections, recommendation withholdings, and unranked presentations at frequencies defined by the operator's current JIS and per-dimension scores. These are designed to be indistinguishable from normal workflow interactions in real time. Disclosure at the organizational onboarding level satisfies the transparency requirement.

(e) **Compliance reporting** on demand, producing records suitable for submission to a regulator implementing EU AI Act Article 14.

### 1.2 Scope and context

- **Categories of data subjects:** Operators (typically credentialed staff in regulated industries such as healthcare, aviation, financial services, legal, pharmaceutical, critical infrastructure) whose workflows include AI-augmented decisions.
- **Categories of Personal Data:** Pseudonymous `operator_id`, behavioral interaction telemetry, derived JIS and per-dimension scores, technical metadata. See `legal/templates/DPA-TEMPLATE.md` Schedule B for the full enumeration.
- **Volume:** Customers typically transmit between 5,000 and 5,000,000 scored decisions per month per organization, matching the published monthly decision allotments (Developer through Enterprise) documented in `docs/trust/security-posture.md` Section 8.
- **Duration:** Interaction telemetry is retained for 24 months. Rate-limit state for 2 hours. Audit events for 90 days. See `docs/trust/security-posture.md` Section 7.
- **Geography:** Processing occurs on Cloudflare infrastructure in the United States and the European Union (edge routing). Enterprise-tier customers may request EU-only routing.
- **Sub-processors:** Cloudflare (required), Sentry (opt-in only). See `docs/trust/sub-processors.md`.

### 1.3 Purposes

See Schedule A of `legal/templates/DPA-TEMPLATE.md`. In summary: JIS computation, compliance reporting, authentication, rate-limit enforcement, anomaly alerting.

---

## 2. Necessity and proportionality assessment (GDPR Art 35(7)(b))

### 2.1 Lawful basis

The Controller relies on one of the following lawful bases under GDPR Article 6(1) (to be confirmed by the Controller):

- (f) Legitimate interests, where the Controller's interest in maintaining regulator-grade human oversight of AI systems outweighs the data-subject's interests, provided that reasonable safeguards are in place and operators are informed of the general fact of Processing.
- (c) Legal obligation, where the Controller is subject to a framework that mandates continuous oversight of AI systems (for example, EU AI Act Article 14 once in force for the relevant high-risk AI system).

The Processor takes no view on the Controller's choice of lawful basis but will Process only on documented instruction.

### 2.2 Regulatory context

Relevant regulatory frameworks that make this Processing necessary and proportionate include:

- EU AI Act Article 14 (Human Oversight), in force on the proposed schedule per the Parliament-Council text.
- Colorado SB 205 (Colorado Artificial Intelligence Act) effective 2026-06-30 for deployers of high-risk AI systems.
- NYC Local Law 144 for automated employment decision tools.
- NIST AI Risk Management Framework core functions (Govern, Map, Measure, Manage).
- ISO/IEC 42001 AI management system standard.

The COHESION framework has been empirically validated against a 21-case cross-case library (see `case-studies/2026-04-19-cross-case-summary/`); it is a measurement framework, not a theoretical proposal.

### 2.3 Proportionality

The Processor implements data minimization by:

- Excluding direct identifiers (name, email, national identifier) from the scoring path. The operator identifier is pseudonymous and the mapping to a natural person is held by the Controller only.
- Deny-list redaction in the SDK layer to reduce the risk that free-text fields carry special-category data.
- Short retention for rate-limit state (2 hours) and audit events (90 days).
- 24-month retention for interaction telemetry, calibrated to the minimum needed to compute decay curves and serve regulator-facing compliance reports.

---

## 3. Risks to the rights and freedoms of data subjects (GDPR Art 35(7)(c))

### 3.1 Risk register

| # | Risk | Likelihood (1 Low - 5 High) | Severity (1 Low - 5 High) | Combined |
|---|---|---|---|---|
| R1 | Unauthorized disclosure of interaction telemetry through API-key compromise | 2 | 3 | 6 |
| R2 | Re-identification of operators by correlating pseudonymous `operator_id` with other data held by the Controller or a third party | 2 | 4 | 8 |
| R3 | Discriminatory impact from JIS being used in employment, licensing, or insurance decisions in a way that disadvantages protected characteristics | 3 | 4 | 12 |
| R4 | Operator perception of surveillance causing chilling effects on authentic judgment | 3 | 3 | 9 |
| R5 | Automated decision-making consequences under GDPR Article 22 where JIS is used as the sole or principal basis for a legally significant decision | 2 | 5 | 10 |
| R6 | Cross-border transfer exposure in the absence of an adequacy decision | 2 | 3 | 6 |
| R7 | Incident-response latency at v1.1.0, given single-operator on-call | 2 | 3 | 6 |
| R8 | Data loss from D1 platform failure beyond published RPO | 1 | 4 | 4 |
| R9 | Inadvertent special-category data in free-text fields bypassing SDK redaction | 2 | 4 | 8 |
| R10 | Visibility of invisible-maintenance interventions allowing operators to game scores | 2 | 3 | 6 |

Combined score uses multiplication. Combined score 9 and above is treated as requiring proactive mitigation; 12 and above requires a written mitigation plan.

---

## 4. Measures to address the risks (GDPR Art 35(7)(d))

### 4.1 Technical measures

- **SDK deny-list redaction** (R9): the Python and TypeScript SDKs include a configurable deny-list of fields that are stripped before transmission.
- **Pseudonymous operator_id** (R2): the Processor never receives the mapping to a natural person; the mapping remains with the Controller.
- **Retention windows** (R1, R2, R6): 24 months for interactions, 2 hours for rate-limit state, 90 days for audit events. Enforced by Cloudflare Cron Triggers per `scoring-api/wrangler.toml:66-76`.
- **80 millisecond uniform authentication timing floor** (R1): defeats timing-oracle attacks that would otherwise allow distinguishing between unknown prefix, wrong hash, inactive org, and rate-limited. Implemented at `scoring-api/worker.js:30, 265-266`.
- **Peppered SHA-256 key storage** (R1): API keys are never stored in plaintext; pepper lives in Cloudflare Secrets Store. Evidence: `scoring-api/worker.js:1181-1189`.
- **Two-layer rate limiting** (R1): 60 per-IP per 60 seconds pre-auth, 1000 per-key per 60 seconds post-auth.
- **Customer self-service revocation** (R1): `/v1/admin/key/revoke` allows immediate revocation on compromise suspicion.
- **Invisible-maintenance disclosure** (R4, R10): disclosure at onboarding satisfies transparency while preserving invisibility at the individual-interaction level.

### 4.2 Organizational measures

- **Sub-processor discipline** (R6): Cloudflare only in the default configuration; Sentry opt-in only. See `docs/trust/sub-processors.md`.
- **Incident-response runbook** (R7): `scripts/incident-response-runbook.md` with named decision trees. RPO 24 hours, RTO 4 hours. Documented in `docs/trust/backup-recovery.md`.
- **Controller-side controls on JIS use** (R3, R5): the Services Agreement requires the Controller to ensure that JIS is not the sole or principal basis for legally significant decisions without meaningful human review, and to conduct any bias audit mandated by applicable law (for example, NYC Local Law 144) on the Controller's use of the score.
- **Quarterly restore drill** (R8): see `docs/trust/backup-recovery.md` Section 4.
- **Annual DPIA review** (all): this DPIA is reviewed annually and whenever a material change occurs (new sub-processor, new data category, new jurisdiction).

### 4.3 Residual risk per item

| # | Residual likelihood | Residual severity | Residual combined | Acceptable? |
|---|---|---|---|---|
| R1 | 1 | 2 | 2 | Yes |
| R2 | 1 | 3 | 3 | Yes |
| R3 | 2 | 4 | 8 | Yes, contingent on Controller compliance with Section 4.2 organizational measures |
| R4 | 2 | 2 | 4 | Yes |
| R5 | 1 | 4 | 4 | Yes, contingent on Controller compliance |
| R6 | 1 | 3 | 3 | Yes, subject to SCC incorporation |
| R7 | 2 | 2 | 4 | Yes at v1.1.0, revisit at first-hire |
| R8 | 1 | 3 | 3 | Yes |
| R9 | 1 | 3 | 3 | Yes |
| R10 | 1 | 2 | 2 | Yes |

---

## 5. Residual risk rating

**Overall residual risk: LOW to MODERATE**, acceptable for pilot deployment subject to:

1. Controller compliance with the organizational measures in Section 4.2 (in particular, not making JIS the sole basis for legally significant decisions and conducting any required bias audit).
2. Execution of the DPA, including the SCCs where applicable.
3. Quarterly restore drills and annual DPIA review.
4. Commitment to the first-hire milestone that expands on-call coverage beyond a single operator.

The assessment does **not** identify any processing that requires prior consultation with the Supervisory Authority under GDPR Article 36(1).

---

## 6. Sign-off

**Data Protection Officer (Controller):**
Name:
Date:
Signature:

**Controller representative:**
Name:
Title:
Date:
Signature:

**Processor acknowledgement (COHESION AUTH LLC):**
Name:
Title:
Date:
Signature:

---

## Appendix A: Source documents

- `docs/trust/security-posture.md`, Sections 1, 2, 3, 4, 7 (technical controls).
- `docs/trust/sub-processors.md` (sub-processor inventory).
- `docs/trust/backup-recovery.md` (RPO, RTO, restore procedure).
- `legal/templates/DPA-TEMPLATE.md` (Schedules A through F).
- `scripts/incident-response-runbook.md` (incident decision trees).
- `website/standard/spec.md` (seven dimensions, JIS weighting, decay curves, IMP definitions). Published at `cohesionauth.com/standard`.

---

> **Template notes:** This DPIA is a TEMPLATE. Every Controller deploying the Services must tailor and execute its own DPIA for its own Processing context, then have the document reviewed by qualified legal counsel. COHESION AUTH LLC provides this template as a starting point; it does not constitute legal advice. Sourced from GDPR.eu community version and adapted.
