Cloudflare
1 Vendor Overview
- Service: Infrastructure, DNS, CDN, and application hosting
- Primary Use: Labs platform hosting (labs.ethicic.com), DNS management, security services
- Data Classification: Limited personal data (email addresses via signup forms)
- Contract Status: Enterprise plan with data processing addendum
- Risk Level: Medium (infrastructure provider with limited data access)
2 Services Utilized
- Cloudflare Pages: Static site hosting for labs.ethicic.com
- DNS Management: Domain routing and security
- CDN Services: Content delivery and performance optimization
- Workers: Serverless functions for email signup processing
- KV Storage: Anonymized analytics and signup metrics
3 Data Protection Compliance
3.1 Regulation S-P Compliance
Status: ⚠️ REQUIRES VERIFICATION
Required Documentation:
- [ ] Data Processing Agreement: Verify incident notification requirements
- [ ] Security Certifications: Confirm current SOC 2 Type II status
- [ ] Breach Notification: Verify 72-hour notification guarantee
- [ ] Audit Rights: Confirm security assessment access

Current Enterprise DPA covers:
- Data residency and encryption requirements
- Incident notification within 72 hours to ECIC
- Subprocessor management and oversight
- Data subject rights facilitation
- Audit rights and security certifications

Security Certifications:
- SOC 2 Type II (annual)
- ISO 27001 certified
- PCI DSS Level 1 compliance
- GDPR compliant data processing
3.2 Green Energy & Sustainability
Status: ✅ GREEN ENERGY POWERED
- Renewable Energy: 100% renewable energy commitment
- Carbon Neutral: Net-zero carbon footprint for all operations
- Sustainability Reports: Annual environmental impact reporting
- Green Certifications: Verified renewable energy sourcing
3.3 Utah Consumer Privacy Act (UCPA)
Status: ⚠️ REQUIRES VERIFICATION
Consumer Rights Support:
- Data portability through API access
- Deletion capabilities for stored data
- Access rights via dashboard and API
- Opt-out mechanisms for data processing
4 Incident Response Integration
4.1 Breach Notification Requirements
- Cloudflare → ECIC: 72 hours maximum notification
- ECIC → Clients: 30 days per Regulation S-P requirements

Notification Process:
1. Cloudflare Detection: Automated monitoring and threat intelligence
2. ECIC Notification: Enterprise support channel + DPA requirements
3. Assessment: ECIC compliance officer evaluates client impact
4. Client Notification: If sensitive customer information is affected
4.2 Contact Information
- Enterprise Support: 24/7 phone and priority ticket system
- Security Incidents: security@cloudflare.com
- DPA Compliance: privacy@cloudflare.com
- Account Manager: [Contact maintained in LACRM]
5 Data Flow Analysis
5.1 Labs Platform Data Collection
Email Signup Processing:
labs.ethicic.com → Cloudflare Workers → KV Storage (hashed emails)
                                      → Buttondown API (newsletter)
                                      → LACRM API (CRM contact)

Data Retention:
- KV Storage: Hashed emails only, no plaintext personal data
- Access Logs: 30 days standard retention
- Workers Logs: 24 hours for debugging, then purged
5.2 Security Controls
- Encryption: All data encrypted in transit (TLS 1.3) and at rest
- Access Control: Role-based access with MFA requirements
- Monitoring: Real-time security monitoring and DDoS protection
- Data Minimization: Only email hashes are stored in KV; the plaintext address is passed through the Worker to Buttondown and LACRM, which therefore hold the plaintext under their own agreements
6 Compliance Monitoring
6.1 Quarterly Reviews
6.2 Annual Assessments
7 Risk Assessment
7.1 Data Protection Risks
- Low Risk: Limited personal data exposure (hashed emails only)
- Infrastructure Dependency: Critical for platform availability
- Regulatory Changes: May require DPA updates for new requirements
7.2 Mitigation Strategies
- Data Minimization: Architectural choice to hash emails immediately
- Redundancy Planning: DNS and hosting backup procedures documented
- Contract Management: Annual DPA review and renewal process
- Incident Preparedness: Pre-approved communication templates and procedures
8 Vendor Performance Metrics
- Uptime: 99.9%+ SLA with enterprise support
- Security Incidents: Zero client data breaches (track record)
- Compliance Response Time: 72-hour incident notification guarantee (per the Enterprise DPA; verification still pending, see 3.1)
- Support Quality: Enterprise-grade technical and security support
This vendor relationship supports ECIC’s Labs platform while maintaining strict data protection compliance under both Regulation S-P and Utah privacy requirements.