Sub-Processors — Vauban Trust Center
Audience: DPO + GDPR auditors + regulators
Last updated:
Sub-Processors
Vauban uses third-party sub-processors to provide certain features. In accordance with GDPR Article 28, this is the public list of active sub-processors, with data flows, retention, and GDPR DPIA references.
Active Sub-Processors
| Sub-processor | Service | Data category | Region | DPA signed | DPIA |
|---|---|---|---|---|---|
| Anthropic | LLM API (Claude) | User prompts + completions (no PII required) | US (with EU data residency option) | ⏳ Phase 1+ | TBD Phase 1+ |
| Cloudflare | DNS + edge protection | Request metadata (IP, user-agent) | EU edge | ✅ Standard DPA | TBD Phase 1+ |
| GitHub (Microsoft) | Code hosting + CI/CD + Packages | Source code + commit metadata + package binaries | US (with EU enterprise option Phase 1+) | ✅ Standard DPA | TBD Phase 1+ |
| Vercel | Frontend hosting (some apps) | Static assets + edge functions | EU edge | ✅ Standard DPA | TBD Phase 1+ |
| VictoriaMetrics + Loki (self-hosted) | Monitoring + logs | Anonymized metrics + logs | Self-hosted K3s EU | n/a (self-hosted) | n/a |
| PostgreSQL (self-hosted) | Database | All Vauban data | Self-hosted K3s EU | n/a (self-hosted) | TBD per product DPIA |
| Starknet (decentralized network) | L2 blockchain | Anchored proofs (Merkle roots, NO PII) | Decentralized (validators globally) | n/a | n/a (no PII anchored) |
Self-hosted infrastructure (Sovereignty preserved)
Per the Sovereignty + Anti-fragile axiom, Vauban favors self-hosting:
- K3s cluster vauban-infrastructure (self-hosted EU)
- PostgreSQL primary database (self-hosted)
- VictoriaMetrics + Loki monitoring (self-hosted)
- Brain Protocol (self-hosted brain.api.vauban.tech)
- Citadel + Command Center (self-hosted internal tooling)
- Trust Center Astro static site (self-hosted, NO Vanta/Conveyor SaaS per founder mandate)
Data Flows
Brain Protocol (cross-product memory)
- Source : All Vauban products (knowledge archival)
- Storage : Self-hosted PostgreSQL K3s EU
- Retention : indefinite for institutional memory (per .claude/rules/knowledge/brain-archival.md)
- L3 anchor : Cairo MerkleAnchor Starknet mainnet (chain hash + L3 anchor_id only, NO PII)
Vauban Auth
- Source : End-user authentication flows
- Storage : Self-hosted PostgreSQL K3s EU
- Retention : per-token TTL (30 days max OAuth, configurable per integration)
- Erasure : DPO request via dpo@vauban.tech
Vauban Finance
- Source : Institutional clients (banks, asset managers via canal pro per ADR-ECO-002)
- Storage : Self-hosted PostgreSQL K3s EU
- Retention : per regulatory requirement (banks 10 years AMF/ACPR)
- Audit anchoring : L3 Starknet mainnet (Merkle roots only, NO PII)
DPIA Roadmap
| Product | DPIA Status | Target completion |
|---|---|---|
| Brain Protocol | TBD | Phase 1+ (post-V6 audit remediation) |
| Vauban Auth | TBD | Phase 1+ (priority ; identity primitives) |
| Vauban Finance | TBD | Phase 1+ (priority ; banks AMF/ACPR target) |
| Glacis Protocol | TBD | Phase 1+ (eIDAS compliance) |
| Glacis Identity | TBD | Phase 1+ (sub-charter + DPIA combined) |
| Bastion + Citadel + Command Center | TBD | Phase 2+ (internal tooling, lower priority) |
Sub-Processor Changes
Per GDPR Article 28(2-4), Vauban notifies data controllers of any sub-processor change with reasonable notice (30 days). Subscribe : security@vauban.tech (notify list Phase 1+).
Cross-references
- DPO contact : dpo@vauban.tech (published contact)
- Compliance matrix : compliance.md §GDPR
- Self-hosted infrastructure : vauban-infrastructure charter
- Brain L3 anchor pattern : governance/architecture/00-vision-framework-canonical.md
- Sovereignty principle : ~/.claude/CLAUDE.md (global) + vauban-gouvernance/CLAUDE.md 4-pillar architecture