DPIA Summary

Data Protection Impact Assessment — Summary

Public summary of BRMUSIC-DPIA-2026-001. Last updated 2026-05-19. Full DPIA in counsel review at Phase D ≈ 2026-07-17.

What is this?

A DPIA is a document required under GDPR Article 35 before launching new processing of personal data. We did one for BananaRat Studio before EU testers joined.

What did we assess?

How we collect, use, and protect data on the platform — covering 10 data categories including your account info, your compositions, the Witness Log of your editorial actions, and analytics.

What did we find?

Residual risk: Medium-Low. No risk reaches the threshold that requires prior consultation with a Data Protection Authority. The biggest design decision: our cryptographic Witness Log uses a "forward-only redaction" approach — if you ask us to delete your account, your linkable identifying fields are erased, but the underlying cryptographic chain continues to verify (preserving authorship-evidence for any compositions you exported and kept).

Key technical safeguards

  • Anthropic LLM calls run under their zero-retention API setting
  • Audio file URLs are HMAC-signed and expire after 15 minutes
  • AuthorMark = C2PA content credentials + AudioSeal watermark (machine-readable AI disclosure per EU AI Act Article 50)
  • 30-day SLA on right-to-erasure requests, with Day-25 alerting if not on track
  • Audit log uses a signing key separate from all other application secrets
  • RFC 3161 timestamping anchors the Witness Log against tampering

What we don't do

  • We do not train AI models on your compositions
  • We do not sell your data
  • We do not embed your identity in the audio files you export

Subprocessors

We use Shopify (e-commerce, Canada/EU), Anthropic (LLM inference, USA, zero-retention), Hugging Face (ACE-Step model hosting, USA), Mailchimp (marketing email, opt-in), Google + Meta (consent-gated analytics, both EU-US Data Privacy Framework certified), and Printful (legacy products, USA/EU). Full list with safeguards in our Privacy Policy §7.

International transfers

EU/UK data may transit through Canada (where our backend runs). Canada has an EU adequacy decision under PIPEDA (renewed 15 January 2024), so no Standard Contractual Clauses are required for EU→Canada transfers. US subprocessors operate under either the EU-US Data Privacy Framework or SCCs Module 2.

Counsel review

An external counsel will review the full DPIA at Phase D D5 (around 2026-07-17). Updates will land in this summary as the document evolves.

Questions

Email feedback@bananarat.com with subject "Privacy" or "DPIA".