GDPR — General Data Protection Regulation · vRegulation (EU) 2016/679
GDPR — General Data Protection Regulation
GDPR — General Data Protection Regulation — 88% covered.
92 requirements · 79 enforced · 1 designed · 6 advisory · 0 deferred.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 · License: EU Public
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Controller & Processor (Art. 24-28, 30) | 9 | 8 | 0 | 1 | 0 | 92% |
| Data Subject Rights (Art. 15-22) | 12 | 11 | 0 | 1 | 0 | 94% |
| Chapter I — General provisions | 4 | 3 | 0 | 1 | 0 | 81% |
| Principles & Lawfulness (Art. 5-9) | 25 | 25 | 0 | 0 | 0 | 100% |
| Transparency (Art. 12-14) | 3 | 2 | 1 | 0 | 0 | 83% |
| Security & Breach (Art. 32-34) | 11 | 10 | 0 | 1 | 0 | 93% |
| DPIA & DPO (Art. 35, 37-39) | 12 | 11 | 0 | 1 | 0 | 94% |
| International Transfers (Art. 44-49) | 6 | 6 | 0 | 0 | 0 | 100% |
| Chapter VI — Independent supervisory authorities | 2 | 1 | 0 | 0 | 0 | 50% |
| Chapter VIII — Remedies, liability and penalties | 7 | 2 | 0 | 0 | 0 | 29% |
| Chapter XI — Final provisions | 1 | 0 | 0 | 1 | 0 | 25% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
gdpr.A24 |
Responsibility of the controller — appropriate technical and organisational measures | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A25.1 |
Data protection by design — implement principles at design time | enforced | audit_events: kye.purpose.admissibility.v1, kye.purpose.grant.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A25.2 |
Data protection by default — only personal data necessary for each specific purpose | enforced | audit_events: kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A28 |
Processor relationships governed by contract and chain-of-custody | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.partner.attestation.v1engines: internal, internalconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A30 |
Records of processing activities (RoPA) — controller and processor | enforced | audit_events: kye.purpose.grant.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A15 |
Right of access — confirmation of processing and copy of the personal data | enforced | audit_events: kye.signal.dsar.requested.v1, kye.signal.dsar.fulfilled.v1, kye.dsar.workflow.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A17 |
Right to erasure / right to be forgotten | enforced | audit_events: kye.dsar.workflow.v1, kye.purpose.admissibility.v1engines: internal, internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/30-AUDIT-WORM-RETENTION.md |
gdpr.A18 |
Right to restriction of processing | enforced | audit_events: kye.purpose.grant.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A20 |
Right to data portability — machine-readable, interoperable export | enforced | audit_events: kye.dsar.workflow.v1, kye.signal.dsar.fulfilled.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A21 |
Right to object to processing based on legitimate interests or direct marketing | enforced | audit_events: kye.purpose.admissibility.v1, kye.dsar.workflow.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A22.1 |
No solely-automated decision with legal or similarly significant effects without safeguards | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.evidence.trace_replay_spec.v1, kye.evidence.replay_proof.v1engines: internal, internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A22.3 |
Right to obtain human intervention, express a point of view, and contest the decision | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.approval_decision.approved_with_restrictions.v1, kye.signal.approval_evidence_pack.generated.v1engines: internal, internalconstitution_refs: constitution/36-GOVERNEDUI.md |
gdpr.A1 |
Subject matter and objectives — protection of natural persons with regard to processing of personal data, free movement of personal data | advisory | constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A2 |
Material scope — applies to processing of personal data wholly or partly by automated means | enforced | audit_events: kye.data_use_manifest.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A3 |
Territorial scope — establishment in Union, monitoring or offering goods/services to data subjects in Union | enforced | audit_events: kye.jurisdiction.attestation.v1engines: internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.A4 |
Definitions — including personal data, processing, controller, processor, data subject, consent, special category data | enforced | constitution_refs: constitution/24-DESIGN-DICTIONARY.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A5.1.a |
Lawfulness, fairness and transparency principle | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A5.1.d |
Accuracy principle — personal data shall be accurate and kept up to date | enforced | audit_events: kye.data_use_manifest.v1, kye.signal.drift.detected.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A5.1.f |
Integrity and confidentiality principle — appropriate security | enforced | audit_events: kye.audit_chain_entry.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
gdpr.A6.1.a |
Lawful basis — consent | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A6.1.b |
Lawful basis — contract performance | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.admissibility.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A6.1.c |
Lawful basis — legal obligation | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A6.1.d |
Lawful basis — vital interests | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A6.1.e |
Lawful basis — public task / official authority | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A6.1.f |
Lawful basis — legitimate interests | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A7.2 |
Conditions for consent — clearly distinguishable, intelligible and easily-accessible form | enforced | audit_events: kye.consent.acceptance.v1constitution_refs: constitution/11-CONTENT.md |
gdpr.A7.4 |
Consent — utmost account shall be taken whether performance of contract conditional on consent | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A8 |
Conditions applicable to child's consent in relation to information society services (under 16 / Member-State-set age) | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A9.2.a |
Special-category processing — explicit consent | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A9.2.g |
Special-category processing — substantial public interest | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A9.2.h |
Special-category processing — preventive or occupational medicine, medical diagnosis, healthcare | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A10 |
Processing of personal data relating to criminal convictions and offences | enforced | audit_events: kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A11 |
Processing which does not require identification — controller not obliged to maintain identifying information | enforced | audit_events: kye.data_use_manifest.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A14 |
Information where personal data not obtained from the data subject | designed | audit_events: kye.comms.dispatch.v1, kye.data_use_manifest.v1constitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A16 |
Right to rectification | enforced | audit_events: kye.dsar_request.v1, kye.dsar_evidence_pack.v1agents: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A19 |
Notification obligation regarding rectification or erasure or restriction of processing | enforced | audit_events: kye.comms.dispatch.v1, kye.federation.cross_org_delegation.v1constitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A22.4 |
Automated decisions — decisions based on special-category data only with explicit consent or substantial public interest, and suitable safeguards | enforced | audit_events: kye.purpose.admissibility.v1, kye.consent.acceptance.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A23 |
Restrictions — Union/Member-State law may restrict obligations for objectives such as national security or public safety | advisory | audit_events: kye.purpose.permission.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A26 |
Joint controllers — transparent arrangement determining respective responsibilities | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A27 |
Representatives of controllers or processors not established in the Union | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
gdpr.A29 |
Processing under authority of controller or processor — only on instructions | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A31 |
Cooperation with the supervisory authority | enforced | audit_events: kye.assurance.audit_pilot.v1agents: internalconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A32.1.c |
Security — ability to restore availability and access to personal data in a timely manner | enforced | audit_events: kye.spof_registry.v1, kye.dr_manifest.v1constitution_refs: constitution/51-NO-SPOF.md, constitution/16-EDGE-RUNTIME.md |
gdpr.A32.1.d |
Security — process for regularly testing, assessing and evaluating effectiveness of security measures | enforced | audit_events: kye.scenario_run.v1, kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A33.2 |
Processor breach notification — notify controller without undue delay | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1engines: internalconstitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A33.3 |
Breach notification — minimum content (nature, contact, consequences, measures) | enforced | audit_events: kye.signal.incident.opened.v1constitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A33.4 |
Breach notification — phased provision of information where not all available within 72 hours | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1constitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A33.5 |
Breach documentation — controller shall document any personal-data breach | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.pack.v1constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
gdpr.A35.2 |
DPIA — advice from DPO if designated | enforced | audit_events: kye.approval_decision.v1constitution_refs: constitution/36-GOVERNEDUI.md |
gdpr.A35.3.a |
DPIA mandatory case — systematic and extensive evaluation including profiling with legal or similarly significant effects | enforced | audit_events: kye.consequence_map.v1, kye.purpose.permission.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A35.3.b |
DPIA mandatory case — processing on a large scale of special-category data | enforced | audit_events: kye.data_use_manifest.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A35.3.c |
DPIA mandatory case — systematic monitoring of publicly accessible area on a large scale | enforced | audit_events: kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A35.7 |
DPIA — minimum content (description, necessity assessment, risk assessment, measures) | enforced | audit_events: kye.risk_assessment.v1, kye.evidence.pack.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A36 |
Prior consultation — consult supervisory authority before processing if DPIA shows high residual risk | enforced | audit_events: kye.risk.score.v1, kye.comms.dispatch.v1constitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A38 |
Position of the DPO — involved in all issues which relate to protection of personal data; resources | enforced | audit_events: kye.purpose.permission.v1constitution_refs: constitution/36-GOVERNEDUI.md |
gdpr.A39 |
DPO tasks — informing, monitoring compliance, advising on DPIA, cooperating with supervisory authority | enforced | audit_events: kye.approval_decision.v1, kye.compliance.attestation.v1constitution_refs: constitution/36-GOVERNEDUI.md |
gdpr.A45 |
Transfers on the basis of an adequacy decision | enforced | audit_events: kye.cross_border.transfer.v1, kye.jurisdiction.attestation.v1engines: internal, internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.A47 |
Binding corporate rules — approved by competent supervisory authority | enforced | audit_events: kye.cross_border.transfer.v1engines: internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.A48 |
Transfers or disclosures not authorised by Union law — third-country court / authority requests | enforced | audit_events: kye.purpose.admissibility.v1, kye.cross_border.transfer.v1engines: internal, internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.A49 |
Derogations for specific situations — explicit consent, contract necessity, important public-interest reasons, etc. | enforced | audit_events: kye.cross_border.transfer.v1, kye.consent.acceptance.v1engines: internalconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.A57 |
Tasks of the supervisory authority — monitor, complaint handling, investigation | out-of-scope | (no enforcement cited) |
gdpr.A58 |
Powers of the supervisory authority — investigative, corrective, advisory, authorisation | enforced | audit_events: kye.assurance.audit_pilot.v1agents: internalconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A77 |
Right to lodge a complaint with a supervisory authority | out-of-scope | (no enforcement cited) |
gdpr.A78 |
Right to an effective judicial remedy against a supervisory authority | out-of-scope | (no enforcement cited) |
gdpr.A79 |
Right to an effective judicial remedy against a controller or processor | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A82 |
Right to compensation — any person who has suffered material or non-material damage from infringement has the right to receive compensation | enforced | audit_events: kye.evidence.pack.v1constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A83.1 |
General conditions for imposing administrative fines — effective, proportionate, dissuasive | out-of-scope | (no enforcement cited) |
gdpr.A83.4 |
Administrative fines up to EUR 10M or 2% global annual turnover (lesser obligations) | out-of-scope | (no enforcement cited) |
gdpr.A83.5 |
Administrative fines up to EUR 20M or 4% global annual turnover (principal obligations) | out-of-scope | (no enforcement cited) |
gdpr.A99 |
Entry into force and application — applicable from 25 May 2018 | advisory | constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
gdpr.R71 |
Recital 71 — Right not to be subject to a solely automated decision producing legal effects, with right to obtain human intervention, express point of view and contest decision | enforced | audit_events: kye.approval_decision.v1, kye.evidence.decision_map.v1governedui_modules: kye.governedui.module.action_approval.v1constitution_refs: constitution/36-GOVERNEDUI.md |
gdpr.R85 |
Recital 85 — Breach notification — without delay and where feasible within 72 hours | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1engines: internalconstitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.R91 |
Recital 91 — DPIA scope (large scale processing, monitoring publicly accessible area, biometric/genetic, vulnerable individuals) | enforced | audit_events: kye.consequence_map.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A35.1 |
Data Protection Impact Assessment when processing is likely to result in high risk | enforced | audit_events: kye.purpose.grant.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1engines: internal, internalagents: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A35.11 |
Reviewing the DPIA when there is a change of risk | enforced | audit_events: kye.resilience.drift.detected.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A37 |
Designation of a Data Protection Officer where required | advisory | audit_events: kye.transparency.statement.v1constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A44 |
General principle for transfers of personal data outside the EU | enforced | audit_events: kye.cross_border.transfer.v1, kye.jurisdiction.attestation.v1, kye.evidence.tool_call_pin.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
gdpr.A46 |
Transfers subject to appropriate safeguards (SCCs, BCRs) | enforced | audit_events: kye.cross_border.transfer.v1, kye.jurisdiction.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A5.1.b |
Purpose limitation — personal data collected for specified, explicit, legitimate purposes | enforced | audit_events: kye.purpose.grant.v1, kye.purpose.admissibility.v1, kye.purpose.request.v1engines: internal, internalworkers: kye-pdpconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A5.1.c |
Data minimisation — adequate, relevant, limited to what is necessary | enforced | audit_events: kye.purpose.grant.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A5.1.e |
Storage limitation — retention period bounded to purpose | enforced | audit_events: kye.purpose.grant.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
gdpr.A5.2 |
Accountability — controller responsible for and able to demonstrate compliance | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.decision_map.v1, kye.compliance.attestation.v1engines: internal, internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
gdpr.A6.1 |
Lawful basis for processing must be cited per processing activity | enforced | audit_events: kye.purpose.grant.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A7.1 |
Consent — controller must demonstrate that the data subject consented | enforced | audit_events: kye.consent.acceptance.v1, kye.consent.receipt.v1, kye.opmodel.consent_procedure.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A7.3 |
Right to withdraw consent at any time, as easily as given | enforced | audit_events: kye.consent.receipt.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A9.1 |
Special-category data — prohibition by default | enforced | audit_events: kye.purpose.admissibility.v1, kye.purpose.grant.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
gdpr.A32.1.a |
Pseudonymisation and encryption of personal data | enforced | audit_events: kye.evidence.signature.v1, kye.evidence.pack.v1engines: internal, internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
gdpr.A32.1.b |
Ongoing confidentiality, integrity, availability, resilience of processing systems | enforced | audit_events: kye.resilience.drift.detected.v1, kye.compliance.attestation.v1, kye.evidence.pack.v1engines: internal, internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
gdpr.A33.1 |
Notification of a personal data breach to the supervisory authority within 72 hours | enforced | audit_events: kye.resilience.sla_breach.v1, kye.resilience.drift.detected.v1, kye.evidence.pack.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
gdpr.A34 |
Communication of a personal data breach to the data subject when high risk | advisory | audit_events: kye.resilience.sla_breach.v1, kye.evidence.pack.v1engines: internalconstitution_refs: constitution/38-COMMS-RAIL.md |
gdpr.A12 |
Transparent, intelligible and easily accessible information to data subjects | enforced | audit_events: kye.transparency.statement.v1, kye.transparency.receipt.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
gdpr.A13 |
Information provided where personal data is collected from the data subject | enforced | audit_events: kye.transparency.statement.v1, kye.purpose.grant.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |