Data Protection Impact Assessment template
Worksheet for customers integrating AffixIO verification infrastructure. Complete with your legal and privacy teams. AffixIO provides processor artefacts; you remain controller for eligibility decisions.
Print or save as PDF: use your browser print dialog (Ctrl+P / Cmd+P). Layout is optimised for A4.
1. Project overview
Project name: _______________________
Controller: _______________________
AffixIO role: Processor (verification API returning signed allow/deny)
Use case: (e.g. AI agent gate, payment eligibility, age verification, programme eligibility)
2. Processing description
- Data subjects: _______________________
- Personal data categories sent to AffixIO: _______________________ (minimise; prefer tokens or hashed attributes)
- Lawful basis (controller): _______________________
- Automated decision-making: yes / no. Human review path: _______________________
- Retention at verifier (default none after verdict): _______________________
- Proof and audit retention in your systems: _______________________
3. Necessity and proportionality
Why is a stateless verification boundary needed instead of copying records to another database?
Can zero-knowledge or selective disclosure circuits (Noir / Barretenberg) reduce data exposure?
Are Merkle audit proofs sufficient for your regulator or auditor without exporting source records?
4. Risks and mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Unauthorised API access | Scoped keys, backend proxy, rotation | ||
| Excessive data in verify payload | Data minimisation, field allow lists | ||
| Incorrect automated verdict | Policy testing, appeal path, logging | ||
| Sub-processor transfer | DPA, SCCs, sub-processor list |
5. Consultation and sign-off
DPO contact: _______________________ Date: __________
AffixIO artefacts used: Procurement pack, Security, Architecture, executed DPA.