Legal

How Krapheno Processes Data

A plain-language explanation for agency operators and their clients.

What the SmritiTree Records

Every governed decision is recorded as an append-only ledger entry containing:

  • ·The decision type (budget change, audience expansion, creative swap, etc.)
  • ·Campaign parameters at the time of the decision
  • ·The policy verdict: ALLOW, ESCALATE, or BLOCK
  • ·MIC constraint evaluation results — which constraints fired and why
  • ·A SHA-256 hash linking this record to the previous record in the chain
  • ·A timestamp

What the SmritiTree Does Not Record

Personal data of end consumers
Individual user identities
Browsing behaviour
Any data that would identify a natural person

The Architectural Guarantee

This is not a policy promise. Personal data exclusion is enforced at the database trigger level.

The ledger schema contains no columns for personal identifiers. This constraint cannot be bypassed by the API layer.

All data is scoped to organization_id — enforced via Row-Level Security across 20 tables (migration 035). No row in any ledger table references a natural person.

For Legal Teams

Additional compliance documentation is available upon request.

For Data Processing Agreements (DPA), Standard Contractual Clauses (SCC), or other compliance enquiries, please contact: admin@krapheno.com