This guide describes how the shyware SDK supports SaaS customers acting as controllers for their users' personal data. shyware processes customer user data only to provide, secure, maintain, and support the SDK and related services under the customer's documented instructions.
Operator Obligations
| Obligation | Description |
|---|---|
| Art. 6 lawfulness basis | Identify and document the legal basis for each processing purpose before production. Template: privacy policy §Legal Basis. |
| Art. 9 special category consent | If using biometric IDV: obtain explicit written consent before enrollment. Some jurisdictions prohibit biometric processing entirely. |
| Art. 28 sub-processor DPAs | Execute signed DPAs with all providers listed in the generated Records of Processing before processing personal data. |
| Art. 30 Records of Processing | Generate from shyconfig: node scripts/generate-rop.mjs --config shyconfig.json. Complete REQUIRED_OPERATOR_INPUT fields. |
| Storage limitation (Art. 5(1)(e)) | Add retention block to shyconfig.json with deletion_cron. Operationally enforce the cron schedule. |
| Key independence | Verify eligibility_authority_key ≠ reconciling_authority_key ≠ auth_key at scoping-identifier creation. |
| Quarterly independent audit | Engage an independent auditor to verify three-authority operational separation before production and quarterly thereafter. |
Records of Processing Generator
Run node scripts/generate-rop.mjs --config shyconfig.json --format md to generate a pre-filled Art. 30 RoP from your deployment's shyconfig. All fields derivable from the config are pre-filled; operator-specific fields are marked REQUIRED_OPERATOR_INPUT.
92 assertions verify correct structure for all 11 contract versions.