Morphee Transfer Impact Assessment (TIA)

DRAFT — Requires legal review before finalization.

This document assesses international data transfers pursuant to GDPR Articles 44-49. It must be reviewed by qualified legal counsel.

Last updated: 2026-02-13

---

1. Purpose

This Transfer Impact Assessment (TIA) documents all transfers of personal data from the EU/EEA to third countries, assesses the legal framework and risks for each transfer, and identifies the appropriate safeguards under GDPR Chapter V.

---

2. Summary of Transfers

#	Recipient	Country	Data Transferred	Transfer Mechanism	Risk Level
1	Anthropic	United States	Conversation content, user names	DPF (self-certified) + SCCs (under review)	High
2	Supabase	United States (or EU)	Email, password hash, JWTs	DPF (self-certified) + SCCs (under review)	Medium
3	Google (APIs)	United States	OAuth tokens, calendar/email data	Google DPA + SCCs	Medium
4	Apple (APNs)	United States	Device tokens, notification content	Apple DPA	Low
5	Google (FCM)	United States	Device tokens, notification content	Google DPA	Low

---

3. Transfer Assessments

3.1 Anthropic (Claude AI API)

Field	Assessment
Recipient	Anthropic PBC, San Francisco, CA, USA
Data transferred	User messages (full conversation), user name, group name, AI-extracted memories (via RAG)
Purpose	AI response generation
Volume	Every chat message from every user
Frequency	Real-time, per user interaction
Transfer mechanism	[To be determined — verify Anthropic DPF certification or negotiate SCCs]
DPA in place?	No — action required
Anthropic data handling	Per Anthropic API Terms: API inputs/outputs are not used for model training. Data retained for 30 days for safety monitoring, then deleted.
US legal framework	Subject to FISA 702 and EO 12333 surveillance. DPF provides redress mechanism.
Supplementary measures	(1) Consent requirement before first chat. (2) Self-hosted option with local LLM eliminates this transfer. (3) Data minimization — only necessary context sent.
Risk assessment	High — high volume of sensitive conversational data. Mitigated by consent, Anthropic's retention limits, and planned local LLM alternative.

Actions required:

1. Verify Anthropic's DPF certification status at https://www.dataprivacyframework.gov/
2. If DPF-certified: document certification and rely on DPF adequacy decision
3. If not DPF-certified: negotiate SCCs (Module 2: Controller to Processor)
4. Execute DPA with Anthropic

3.2 Supabase (Authentication)

Field	Assessment
Recipient	Supabase Inc. (via GoTrue auth service)
Data transferred	Email, password hash (bcrypt), authentication tokens
Purpose	User authentication and session management
Volume	One record per user; tokens on each auth event
Transfer mechanism	[To be determined — Supabase offers EU hosting; verify deployment region]
DPA in place?	No — action required
Supabase data handling	Self-hosted GoTrue in Docker (current dev setup). Production: verify hosting region.
Risk assessment	Medium — authentication data only. Can be mitigated by selecting EU hosting region.

Actions required:

1. For self-hosted: no transfer occurs (GoTrue runs on own infrastructure) — document this
2. For managed Supabase: select EU region to avoid transfer, or verify DPF/SCCs
3. Execute DPA with Supabase if using managed service

3.3 Google (Calendar & Gmail APIs)

Field	Assessment
Recipient	Google LLC, Mountain View, CA, USA
Data transferred	OAuth tokens, calendar events, email metadata (user-initiated)
Purpose	Google Calendar and Gmail integration
Volume	Per-user, only when integration enabled
Transfer mechanism	Google Cloud DPA + EU SCCs (automatically included)
DPA in place?	Yes — Google's standard DPA applies to Cloud API usage
Google data handling	Per Google API Terms of Service and Data Processing Amendment
Risk assessment	Medium — user-initiated, scoped to integration data. Google DPA and SCCs in place.

Actions required:

1. Ensure compliance with Google API Services User Data Policy
2. Implement granular scope disclosure (M-CONSENT-007)
3. Document Google DPA reference

3.4 Apple APNs (Push Notifications)

Field	Assessment
Recipient	Apple Inc., Cupertino, CA, USA
Data transferred	Device token (opaque identifier), notification title and body
Purpose	Delivering push notifications to iOS devices
Volume	Per notification, only for opted-in users
Transfer mechanism	Apple Developer Agreement includes DPA provisions
Risk assessment	Low — device tokens are opaque, notification content is brief. User must opt-in.

Actions required:

1. Minimize personal data in notification content (use generic titles where possible)
2. Document Apple DPA reference

3.5 Google FCM (Push Notifications)

Field	Assessment
Recipient	Google LLC (Firebase Cloud Messaging)
Data transferred	Device token (opaque identifier), notification title and body
Purpose	Delivering push notifications to Android devices
Volume	Per notification, only for opted-in users
Transfer mechanism	Google Cloud DPA + SCCs
Risk assessment	Low — same as APNs assessment.

Actions required:

1. Minimize personal data in notification content
2. Document Google/Firebase DPA reference

---

4. US Legal Framework Assessment

4.1 Relevant US Surveillance Laws

Law	Scope	Risk to Morphee Data
FISA Section 702	Targets non-US persons' communications via US providers	Medium — Anthropic and Google could be compelled to disclose data
Executive Order 12333	Authorizes foreign intelligence collection	Low — primarily targets data in transit
CLOUD Act	Compels US companies to disclose data regardless of storage location	Medium — applies to all US-incorporated providers

4.2 EU-US Data Privacy Framework (DPF)

The EU-US DPF (adopted July 2023) provides an adequacy basis for transfers to DPF-certified US companies. Key protections:

• Binding safeguards limiting US intelligence access to what is necessary and proportionate
• Data Protection Review Court for EU individuals to seek redress
• Annual review by European Commission

Status for Morphee's processors:

Processor	DPF Certified?	Verification
Anthropic	[To be verified]	Check dataprivacyframework.gov
Google	Yes	Certified under DPF
Apple	Yes	Certified under DPF
Supabase	[To be verified]	Check dataprivacyframework.gov

4.3 Supplementary Measures

In addition to DPF/SCCs, the following supplementary measures are implemented or planned:

1. Technical: Encryption in transit (TLS), encryption at rest (Fernet for chat messages, memory vectors, Git files — implemented Feb 2026), local LLM alternative
2. Organizational: Consent requirement, data minimization, retention policies (planned)
3. Contractual: DPAs with all processors (pending for Anthropic, Supabase)

---

5. Self-Hosted Deployment Consideration

When Morphee is self-hosted within the EU/EEA:

• Authentication: GoTrue runs locally — no transfer
• Database: PostgreSQL runs locally — no transfer
• AI: Local LLM via Tauri (candle) — no transfer when enabled
• Remaining transfers: Only Anthropic API (if cloud LLM used) and push notifications (if enabled)

Self-hosting significantly reduces the transfer risk profile.

---

6. Decision and Actions Summary

Processor	Decision	Action Required	Priority
Anthropic	Proceed with DPF/SCCs	Verify DPF, negotiate DPA, implement SCCs if needed	Critical
Supabase	Prefer EU hosting or self-hosted	Verify hosting region, execute DPA if managed	High
Google (APIs)	Proceed — DPA in place	Document Google DPA, implement scope disclosure	Medium
Apple (APNs)	Proceed — low risk	Document Apple DPA, minimize notification content	Low
Google (FCM)	Proceed — low risk	Document Firebase DPA, minimize notification content	Low

---

7. Review Schedule

This TIA must be reviewed:

• When adding new third-party processors
• When changing the hosting region of any processor
• If the EU-US DPF adequacy decision is invalidated (Schrems III scenario)
• At least annually

---

This Transfer Impact Assessment was drafted on 2026-02-13 and requires legal review before finalization.