Trust · Compliance · LGPD
This section consolidates the operative legal documents for canna-br. Board members, lawyers, and risk committees: start here.
Published Documents
| Document | Version | Status |
|---|---|---|
| Privacy Policy | v0.1 (2026-06-09) | Active |
| Terms of Service | v0.1 (2026-06-09) | Active |
| DPO — Data Protection Officer | v0.1 interim (2026-06-09) | Active |
Pending Documents (roadmap)
| Document | Planned version | Notes |
|---|---|---|
| DPA — Data Processing Agreement template | v0.3 | Template for adopting associations to sign with canna-br |
| RIPD — Data Protection Impact Assessment (Art. 38 LGPD) | v0.4 | Required before processing health data in real production |
| Detailed post-pilot ToS | v0.3 | Formal contract with legal entity once incorporated |
| Annual transparency report | Annual from 2027 | Voluntary publication of processing statistics |
| Independent security audit | v1.0 | Third party; none contracted yet |
| SOC 2 Type II | No timeline | Out of scope for v1.0 |
| ISO 27001 | No timeline | Out of scope for v1.0 |
What does NOT exist yet — radical honesty for the board
This list is deliberately explicit. Any association adopting canna-br needs to know:
- No independent security audit — the code is public (AGPL-3.0) but no third party has formally audited it as of this publication date.
- No SOC 2 or ISO 27001 — canna-br is pre-seed and individually operated; certifications require an incorporated entity and significant investment.
- No independent DPO — Gabriel Fonseca holds both the technical roles and the DPO role during the pilot. The resulting conflict of interest is documented at /trust/dpo/.
- No formalized DPA — the data processing agreement between canna-br and each adopting association has no signable template yet. Planned for v0.3.
- No RIPD — the Data Protection Impact Assessment (Art. 38 LGPD) for health data has not been drafted yet. Planned for v0.4.
- SNGPC in mock mode — the XML adapter is implemented, but ANVISA has not yet published the XSD schema specific to patient associations (as of Jun/2026), so no submission against the real endpoint has been validated. Real homologation pending.
- Shared dev/sim infra without DPA — the current instance is an EU VPS (Contabo) shared with other maintainer services (Langfuse, SurrealDB, NATS). Not recommended for production with member data. Target state: self-hosted on the association’s own infrastructure (Docker Compose) or managed hosting with an EU/BR provider under a DPA contract — see /trust/dpo/ and document roadmap above.
Technical-Legal Disclaimer
Important notice
canna-br is a software tool. Legal compliance (LGPD, RDC 1.014, Portaria 344/98) is the sole responsibility of the adopting association and its lawyers/DPO. No technical mechanism substitutes for independent legal counsel or the formal designation of a licensed pharmacist Technical Supervisor (RT farmacêutica) and DPO as required by law.
LGPD Contact
Section titled “LGPD Contact”Dedicated channel: gabriel@devmagic.com.br with subject [LGPD] or [DPO].
Response within 15 business days. Complaints not resolved within 30 days may be escalated to the ANPD — gov.br/anpd (Brazil’s National Data Protection Authority).
Machine-translated v1 — English version generated by LLM, human polish in progress. Report translation errors to gabriel@devmagic.com.br.