Each entry below describes a single processing activity in enough detail for an auditor to assess the lawful basis, the necessity, and the safeguards. Database table names use the schema's real prefixes (usr_, decd_, grdn_, aud_, etc.).
Activity A-01
Account creation (administrator)
Purpose
To allow an authenticated administrator to create and curate memorial gardens.
Data categories
Email address, first and last name, optional profile photo. (No password — see ADR-001.)
Data subjects
Administrators (typically next-of-kin of a deceased person).
Lawful basis
Performance of contract (the user requested an account to access the service).
Recipients
SMTP provider (for OTP and confirmation emails).
Storage
Table user, prefix usr_.
Retention
Until account deletion + 30 days. After that: name and email anonymised, account row retained for audit-trail integrity for 7 years.
Cross-border
None — domestic SMTP, domestic hosting.
Safeguards
TLS in transit; at-rest disk encryption; access via authenticated session only; audit log on all administrative profile changes.
Activity A-02
Memorial garden creation + content
Purpose
To host the deceased's profile, photos, posts, comments, and tributes.
Data categories
Deceased person's name, dates, photos, biographical detail; photos and text uploaded by administrators and viewers; metadata of posts (timestamps, authorship).
Data subjects
The deceased; administrators and invited contributors; identifiable third parties named in posts.
Lawful basis
Legitimate interest (memorialisation), with explicit administrator consent on creation. Deceased's data: POPIA s.4 — POPIA does not apply to deceased natural persons, but we treat their dignity with the same care; living third parties named in posts retain their POPIA rights.
Recipients
Invited viewers (per-garden); public visitors (only on the public Visitors' Bench surface, if enabled).
Storage
Tables garden, deceased, attachment, post, comment, pendingPost, pendingComment.
Retention
Indefinite (memorialisation is the core promise). Deletion on administrator request via DSAR endpoint.
Cross-border
Static assets cached at Cloudflare edge nodes globally. No hot data transferred outside ZA.
Safeguards
Trust-tier moderation (ADR-007); audit log; uploaded files scanned for content type; permission cascades via recursive garden model (ADR-003).
Activity A-03
Email-OTP authentication
Purpose
To authenticate administrators and invited viewers without passwords.
Data categories
Email address, OTP code (hashed), request IP, timestamp, purpose flag (login / register).
Data subjects
Administrators, invited viewers.
Lawful basis
Performance of contract (authentication is required to deliver the service).
Storage
Table otp_codes; OTP value bcrypt-hashed at rest.
Retention
10 minutes (single-use, expires on consumption or timeout). Aggregated request counts retained for rate-limit forensics for 30 days.
Cross-border
None — domestic SMTP.
Safeguards
Codes hashed at rest; rate-limit on issuance (ADR-010); 30-second resend cooldown; tied to session identity.
Activity A-04
Public visitor "Garden Key" sessions
Purpose
To let public visitors return to a memorial they've previously contributed to without re-authenticating fully.
Data categories
Email, pseudonymous Garden Key cookie token (30-day expiry), garden ID associations.
Data subjects
Public visitors.
Lawful basis
Consent (the visitor entered their email to participate); legitimate interest (continuity of memorial visits).
Recipients
SMTP provider for the gate-key OTP.
Storage
Tables gateKey, gateKeyEmail, gateKeyOTP; cookie mhsrip_gate_key.
Retention
30 days from last interaction; visitor may delete via clearing the cookie.
Safeguards
HttpOnly + Secure cookie flags; SameSite=Lax; rate limit on OTP issuance.
Activity A-05
RSVP memory submission (public)
Purpose
To allow guests to leave a written memory in advance of a service.
Data categories
Name (or "Anonymous" choice), optional email, free-text message, IP address (rate-limit only), timestamp.
Data subjects
Public visitors / RSVP guests.
Lawful basis
Consent (visitor voluntarily submits).
Recipients
Garden administrator (notification + inbox).
Storage
Table serviceMemoryMessage.
Retention
Indefinite or until administrator deletes; may be quoted into the funeral programme by the administrator.
Safeguards
Rate-limit 5/IP/hour; CAPTCHA (Turnstile) when configured; audit log on flag/dismiss/quote actions.
Activity A-06
Tribute purchase (Petals)
Purpose
To process visitor tribute payments and split the fiat value 80 / 20 between the nominated charity and the platform (see ADR-004).
Data categories
Cardholder name, Stripe-tokenised card identifier (we never see the PAN), email, transaction amount, currency, charity nomination.
Data subjects
Visitors making payment.
Lawful basis
Performance of contract (the visitor purchased a tribute).
Recipients
Stripe Payments Europe Ltd / Stripe, Inc. (PCI-DSS-certified processor).
Storage
Tables petalsTransaction, petalsWallet, memorialCharity, charityDisbursement. No card number stored on our side.
Retention
7 years (financial / tax obligations).
Cross-border
Stripe processes in the EEA (Ireland) and the United States. Transfer safeguards: EU Standard Contractual Clauses (SCCs); Stripe, Inc. (US) is Data Privacy Framework certified.
Safeguards
Stripe Elements for PAN capture (no PAN traverses our server); webhook signature verification; reconciliation against auditLog.
Activity A-07
Charity disbursement aggregation
Purpose
To aggregate the 80% charity share across transactions for monthly bank-transfer to the nominated charity.
Data categories
Charity bank-account details, aggregated tribute totals, transfer reference numbers.
Data subjects
Charities (legal persons — POPIA does not strictly apply, but treat with care).
Lawful basis
Legitimate interest (delivering on the platform's charity promise to families).
Recipients
Banking partner of MHSRIP (for outbound transfer).
Storage
Tables charity, charityType, charityDisbursement.
Retention
7 years (financial records).
Cross-border
None — domestic banking partner.
Safeguards
Audit log on every disbursement; quarterly reconciliation against bank statements; annual external audit of the disbursement ledger.
Activity A-08
Co-administrator nomination + succession
Purpose
To allow a garden administrator to nominate a successor (see ADR-006).
Data categories
Successor email, succession order, relationship label.
Data subjects
Administrators, nominated successors.
Lawful basis
Performance of contract.
Recipients
SMTP provider (invitation email to the successor).
Storage
Table gardenAdmin, prefix gAdm_.
Retention
Until administrator removes the successor or the succession activates.
Safeguards
Successor must accept invitation by signing in (verifies email control); audit log on every nomination + activation.
Activity A-09
Siteadmin broadcast emails
Purpose
Platform-wide announcements (new supplier, scheduled maintenance, feature launch).
Data categories
Recipient email, recipient user-ID, broadcast subject + body, send timestamp.
Data subjects
Subscribed users.
Lawful basis
Legitimate interest (transactional/operational); explicit consent for marketing-flavoured broadcasts.
Storage
Tables siteadminBroadcast, siteadminBroadcastRecipient.
Retention
12 months (forensic reasons); send-status retained indefinitely as part of audit trail.
Safeguards
Audit log on draft / queue / send; queue worker isolated from web request thread; recipient list opt-out per broadcast.
Activity A-10
Audit logging (administrative actions)
Purpose
Tamper-evident record of every administrative action — POPIA s.17 + GDPR Article 30 accountability.
Data categories
Actor user-ID, action verb, target type + ID, free-form metadata JSON, IP address, user agent, timestamp.
Data subjects
Administrators, siteadmins.
Lawful basis
Legal obligation (accountability under POPIA + GDPR); legitimate interest (operational integrity).
Recipients
Internal only; available to acquirer auditor on lawful request.
Storage
Table auditLog; append-only (no UPDATE / DELETE paths in code — see ADR-002).
Retention
7 years online; archive thereafter.
Safeguards
Append-only enforcement at code layer; backup integrity check (weekly restore-test).
Activity A-11
Region detection (analytics)
Purpose
To localise content (currency labels, regulatory copy) and segment analytics by country.
Data categories
IP address (transient — used for geo-lookup, not stored long-term), inferred country code, region cookie.
Data subjects
All visitors.
Lawful basis
Legitimate interest.
Recipients
None — geo-lookup is local (geoip-lite offline DB).
Storage
Cookie mhsrip_region (90-day expiry); not persisted to DB.
Retention
90 days (cookie); aggregated analytics retained 24 months.
Cross-border
None — fully offline lookup.
Safeguards
IP not persisted; cookie clearable by user; aggregated analytics privacy-by-default.
Activity A-12
Backups (operational)
Purpose
Operational resilience — point-in-time restore in the event of corruption or accidental deletion.
Data categories
Full database snapshot (all PII categories above) + uploaded files.
Data subjects
Inherits from the underlying activities.
Lawful basis
Legitimate interest (operational integrity).
Recipients
VPS host (encrypted at rest); off-site backup destination (when configured).
Storage
Encrypted gzip dumps under /var/backups/mhsrip/ on the application server.
Retention
Daily backups: 14 days. Weekly backups: 8 weeks. Monthly archive: 12 months.
Cross-border
None at present (backups stay on ZA infrastructure).
Safeguards
At-rest encryption; restricted file permissions (0600, owner www-data); weekly restore-test cron verifies backup integrity.
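The A-12 retention schedule (daily 14 days, weekly 8 weeks, monthly 12 months) as an added worked example of a prune planner; this is not the project's backup script. Assumptions not on the page: dump files are named mhsrip-YYYY-MM-DD.sql.gz.enc under /var/backups/mhsrip/, the Sunday dump is the week's weekly copy, and the earliest remaining dump of each calendar month is that month's archive. The function only classifies; it deletes nothing.

```javascript
// Added example: decide which encrypted dumps under /var/backups/mhsrip/ to keep.
// Assumed naming convention (not on the page): mhsrip-YYYY-MM-DD.sql.gz.enc
const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION = { dailyDays: 14, weeklyWeeks: 8, monthlyMonths: 12 }; // A-12 Retention row

function parseBackupDate(name) {
  const m = /^mhsrip-(\d{4})-(\d{2})-(\d{2})\.sql\.gz\.enc$/.exec(name);
  return m ? new Date(Date.UTC(+m[1], +m[2] - 1, +m[3])) : null;
}

// Whole calendar months from a up to b (both UTC dates).
function monthsBetween(a, b) {
  return (b.getUTCFullYear() - a.getUTCFullYear()) * 12 + (b.getUTCMonth() - a.getUTCMonth());
}

// Returns { keep: [{name, reasons}], remove: [{name, reasons: []}] }, oldest first.
// Tier rules (assumed): every dump is a daily; a Sunday dump is also the weekly;
// the earliest surviving dump of a month is also the monthly archive.
function planRetention(names, now) {
  const dated = names
    .map(name => ({ name, date: parseBackupDate(name), monthly: false }))
    .filter(x => x.date !== null)
    .sort((a, b) => a.date - b.date);

  // Mark the earliest remaining dump per month. Because it is "earliest remaining",
  // the choice is stable across repeated prune runs.
  const seenMonth = new Set();
  for (const x of dated) {
    const key = `${x.date.getUTCFullYear()}-${x.date.getUTCMonth()}`;
    if (!seenMonth.has(key)) { seenMonth.add(key); x.monthly = true; }
  }

  const keep = [], remove = [];
  for (const x of dated) {
    const ageDays = Math.floor((now - x.date) / DAY_MS);
    const reasons = [];
    if (ageDays < RETENTION.dailyDays) reasons.push('daily');
    if (x.date.getUTCDay() === 0 && ageDays < RETENTION.weeklyWeeks * 7) reasons.push('weekly');
    if (x.monthly && monthsBetween(x.date, now) < RETENTION.monthlyMonths) reasons.push('monthly');
    (reasons.length ? keep : remove).push({ name: x.name, reasons });
  }
  return { keep, remove };
}
```

A dump exactly 14 days old falls outside the daily window, so the boundaries are "younger than" rather than "up to and including"; a cron job would feed the directory listing to planRetention and unlink only the remove list, leaving any file that does not match the naming pattern untouched.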