{
  "schema_version": 1,
  "kind": "change_consequence_data_processing_addendum",
  "product": "AI Change Consequence Certificate paid pilot",
  "pilot_scope": {
    "duration_days": 30,
    "repository_scope": "One customer-approved GitHub repository.",
    "pull_request_limit": "Up to ten real pull requests unless both parties agree in writing."
  },
  "data_roles": {
    "customer": "Controller or primary data owner for repository, pull request, reviewer, and approval data.",
    "operator": "Processor or service provider for pilot lead capture, certificate generation support, payment/approval evidence handling, and pilot reporting."
  },
  "data_categories": [
    "Repository URL, pull request URL, pull request number, title, author metadata, and changed file paths.",
    "CODEOWNERS or owner-routing metadata when present.",
    "Test identifiers, scanner summaries, dependency findings, policy status, blockers, explicit unknowns, and reviewer feedback.",
    "Business contact details submitted through intake, objection, reviewer feedback, approval, scheduling, or payment handoff forms.",
    "Payment or written approval metadata needed to reconcile the paid pilot."
  ],
  "default_storage_position": {
    "customer_source_code": "Customer source code should remain in the customer's repository by default.",
    "certificate_artifacts": "Certificates should remain as customer repository workflow artifacts or PR comments unless the customer explicitly configures another sink.",
    "operator_ledgers": "Lead, objection, approval, and revenue ledgers are optional and should be private operator-controlled repositories or signed internal systems.",
    "public_assets": "Public sample assets must not contain customer source code, customer secrets, customer approval evidence, or live revenue evidence."
  },
  "subprocessors_and_external_services": [
    {
      "name": "GitHub Actions",
      "purpose": "Run the pilot workflow in the customer repository.",
      "required": true
    },
    {
      "name": "Stripe",
      "purpose": "Create Checkout sessions and verify payment webhooks when card checkout is enabled.",
      "required": false
    },
    {
      "name": "GitHub Contents API",
      "purpose": "Write optional private lead, objection, approval, or revenue ledger JSON files when configured.",
      "required": false
    },
    {
      "name": "Configured operator webhooks or CRM",
      "purpose": "Receive signed lead, feedback, objection, approval, or revenue notifications when configured.",
      "required": false
    },
    {
      "name": "Semgrep, OSV, or customer-selected scanners",
      "purpose": "Attach security or dependency evidence when the customer enables scanner jobs.",
      "required": false
    }
  ],
  "retention_and_deletion": {
    "pilot_default_retention_days": 30,
    "operator_ledger_retention": "Keep private operator ledger artifacts only as long as needed for pilot reconciliation, sales follow-up, accounting, or written legal obligation.",
    "customer_deletion_request": "On written customer request, delete or redact operator-controlled lead, objection, reviewer-feedback, approval, and revenue artifacts unless retention is required for accounting, fraud prevention, dispute handling, or legal compliance.",
    "customer_repository_artifacts": "The customer controls deletion of artifacts and PR comments stored in the customer repository.",
    "token_rotation": "Rotate or revoke customer-provided tokens after pilot completion or immediately after uninstall if the pilot does not continue."
  },
  "security_controls": [
    "Use least-privilege GitHub workflow permissions.",
    "Keep customer source code out of operator-controlled storage by default.",
    "Sign configured webhook notifications with X-Change-Consequence-Signature.",
    "Use private repositories for operator ledgers that contain buyer or approval data.",
    "Redact secret values from launch manifests, readiness reports, public artifacts, and logs."
  ],
  "customer_controls": [
    "Disable PR comments and use workflow artifacts only.",
    "Omit optional operator ledgers or webhooks.",
    "Run without scanner integrations and record missing evidence as explicit unknowns.",
    "Uninstall the workflow and revoke tokens after the pilot.",
    "Request deletion or redaction of operator-controlled pilot artifacts."
  ],
  "exclusions": [
    "This addendum is not a negotiated data processing agreement.",
    "This addendum is not a SOC 2 report, penetration test, legal opinion, privacy policy, or compliance attestation.",
    "This addendum does not authorize storing customer source code outside the customer repository by default.",
    "This addendum does not prove that a real customer deployment has passed security or privacy review."
  ],
  "claim_boundary": "This is a buyer-readable pilot data handling addendum. It clarifies default data boundaries for evaluation, but it is not legal advice, a negotiated DPA, a privacy policy, a compliance attestation, or proof of customer acceptance."
}
