cds-snc / notification-planning

Project planning for GC Notify Team

Outlining 3rd party data flows #447

Open sharlychan-cds opened 2 years ago

sharlychan-cds commented 2 years ago

Give your user story a simple, clear title

Description

We need to have more granular and standardized documentation of how data flows between Notify and third parties for various documents (e.g. privacy/security statement, PIA). Starting documentation here

WHY are we building? We need to be able to describe what’s being shared and retained so users can be fully aware and have trust. If not, we run the risk of a data breach and we also have different responsibilities to PTs. If we don't figure this out, we run the risk of losing trust with our users.

If we have clear sight on our data flows and document them well, we will be able to have clearer public documentation to share with our users and inspire trust.

WHAT are we building? VALUE created by our solution

Acceptance Criteria (Definition of done)

Fill out the template for the following:

To be refined through discussion with the team

Given some context, when (X) action occurs, then (Y) outcome is achieved

yaelberger-commits commented 2 years ago

Policy needs to work with SRE and devs (or maybe using AWS PIA documentation to fill in info gaps)

yaelberger-commits commented 1 year ago

@sharlychan-cds has this mostly been done through our Privacy Analysis? I'd like to icebox this for now if so.