docs: OVH/GDPR compliance standing constraints + multi-tenant gates

- HOST-MATRIX §4: four standing constraints (EU region, off-box backups, MFA, no contract republishing) - HOST-MATRIX: multi-tenant checklist (GDPR docs, DPIA, DPA, insurance, sanctions) - HIVE-ONBOARDING §9: cross-referenced multi-tenant gates - Reference: OVH DPA + GTS compliance analysis
2026-06-20 10:29:16 +02:00 · 2026-06-20 10:29:16 +02:00 · 848689a523
commit 848689a523
parent bbb9da0966
2 changed files with 35 additions and 0 deletions
--- a/docs/HIVE-ONBOARDING.md
+++ b/docs/HIVE-ONBOARDING.md
@ -164,6 +164,21 @@ plus a Collection is enough to start), billing/metering, a native Bitwarden prot
 Rust, multi-region control plane, and recursive auto-spawn (gate it off until policy
 exists). Those are product layers; the four steps above are the engine.

+## 9. Multi-tenant GDPR + OVH GTS gates
+
+Before the hive serves paying customers, these administrative items must be completed.
+None are technical blockers; all are paper-and-process:
+
+- [ ] GDPR controller documentation package (privacy notice, legal basis, ROPA)
+- [ ] Data Protection Impact Assessment for AI auto-decisions (GDPR Art. 35)
+- [ ] Customer-facing Data Processing Agreement (controller→processor chain)
+- [ ] Professional indemnity / third-party insurance ($10.6)
+- [ ] Customer sanctions screening (denied parties / export controls)
+- [ ] OVH GTS §10.6 — pass terms down to sub-licensees
+
+See [`HOST-MATRIX.md §4`](./HOST-MATRIX.md#%C2%A74-compliance-standing-constraints) for the
+four standing constraints that apply now (internal use).
+
 ---

 _See [`CAPABILITY-ROUTING.md`](./CAPABILITY-ROUTING.md) for the routing layer the moat rests
--- a/docs/HOST-MATRIX.md
+++ b/docs/HOST-MATRIX.md
@ -206,3 +206,23 @@ meter proves otherwise.
  - Track D: old clawdie_glass cleanup

 _See [`../AGENTS.md`](../AGENTS.md) for the canonical agent matrix and operating rules._
+
+## §4 Compliance standing constraints
+
+- **EU region only**: All OVHcloud resources in FR/DE/PL. Sidesteps non-EU transfer/SCC burden under GDPR.
+- **Off-box backup before any reinstall**: OVH DPA §10 + GTS §6.3/6.5/10.6 — reinstall/termination = irreversible deletion including OVH-side backups, no recovery, OVH not liable. Identity/skills covered by git (layered-soul + hermes-soul on Forgejo). Runtime state (ZFS snapshots, Vaultwarden DB) must be verified backed up outside OVH.
+- **MFA on the OVH account**: GTS §2.3/2.4 — operator responsible for account credentials, liable for fraudulent use. Master key to all infra.
+- **Do not commit OVH contracts/credentials**: GTS §13 makes contract terms confidential. A compliance summary only in public repos — no verbatim DPA/GTS text, no NIC handles or login credentials.
+
+### Multi-tenant GDPR gates (administrative, not technical)
+
+These switch on when the hive goes multi-tenant. None block current internal use:
+
+- [ ] GDPR controller docs (privacy notice, legal basis for processing, ROPA)
+- [ ] DPIA for AI auto-decisions (Art. 35 — automated agent task assignment)
+- [ ] Pass OVH terms down to customers (GTS §10.6 — sub-licensing)
+- [ ] Third-party / "AAA" professional indemnity insurance (§10.6)
+- [ ] Customer sanctions screening (GTS §14.3 — denied parties / export controls)
+- [ ] Data Processing Agreement with each tenant (DPA §12 — controller→processor chain)
+
+See [`HIVE-ONBOARDING.md §9`](./HIVE-ONBOARDING.md) for the integration checklist.