Pull request · skill-library
Add generated due diligence pack
Open · Mikkel Nygaard wants to merge vera/due-diligence-pack-2026-05-14 into main
generated/due-diligence-pack-2026-05-14.md (new file)
+# SPYN — Due Diligence Pack++*Compiled 2026-05-13. Distributed under NDA.*++This pack is structured so each section can be sent independently to specialists — legal reads section 5, engineering reads sections 2–4, finance reads section 9. The pack is regenerated from the underlying skill library on demand; the version you are reading is current to the date above.++---++## 1. System Architecture++SPYN is a three-tier system. The **mobile client** is a single React Native codebase shipping to iOS and Android, with native modules for image capture and WebSocket integration. The **API tier** is Laravel 12 on Laravel Cloud, exposing a versioned REST/JSON API documented in OpenAPI; horizontal-scale, stateless, deployed weekly. The **persistence tier** is PostgreSQL (operational data) plus S3-compatible object storage (user uploads, AI-generated content artifacts) plus Redis (queues, cache, real-time presence).++Real-time fan-out for comments, reactions, and follows runs through Pusher channels with per-user authentication. Queue workers run via Laravel Horizon with cost-aware concurrency on AI generation jobs.++## 2. AI Infrastructure++AI Diary generation runs via OpenAI Assistants API on the enterprise tier (no training on our data). Per-user personalisation context is assembled server-side from anonymised behavioural signals and demographic flags, never raw diary content. Thread caching reduces cost; prompt-cache hits average above 60% on warm users.++Image moderation runs via Google Cloud Vision pre-publication. Flagged uploads are held for human review by the QA team using a moderator dashboard in the admin panel; auto-decline is reserved for the highest-confidence violation classes.++We do not host or fine-tune foundation models. AI Act posture is downstream deployer of OpenAI's GPAI service. See section 5.++## 3. Content Pipeline++Manual diaries are persisted on submit, image attachments uploaded to S3, then enqueued for moderation. 
AI Diaries are produced on a 24-hour rolling cadence per persona, generated in EU-region OpenAI environment, marked with C2PA content credentials in metadata and a visible "AI" chip in the UI.++Comment threads exceeding a configurable threshold (default 20) trigger an opt-in AI Comment Summary generation. Summaries are clearly labelled, include a "see all comments" affordance, and are regenerated on subsequent thread activity.++## 4. Key User Features++- Manual diary authoring with media attachment.+- AI Diary feed personalised by region, language, demographic signals.+- Social graph — follow, mute, block — with on-device privacy controls.+- Comments, reactions, mentions with real-time delivery.+- AI Comment Summaries on long threads.+- In-product DSAR self-serve (export, deletion, rectification requests).++## 5. Compliance Posture++**GDPR.** Lead supervisory authority Datatilsynet (Danish DPA). Lawful basis: contract for core processing, consent for optional analytics, legitimate interest for abuse prevention. Article 28 DPAs in place with every processor. AI-generated content treated as personal data per Recital 26.… 32 more lines
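Review bot: The header line "*Compiled 2026-05-13. Distributed under NDA.*" marks this pack as NDA-restricted, yet the PR commits it as a new file under generated/ on main of skill-library. Confirm that everyone with read access to this repository is covered by that NDA, or keep the generated pack out of version control and hand it over through an access-controlled channel; the intro itself says the pack is "regenerated from the underlying skill library on demand", so a committed copy is not needed to reproduce it. The same header gives 2026-05-13 while the file name and branch say 2026-05-14; align them so a recipient can tell which regeneration they hold. None of the three checks shown (Markdown lint, spell-check, skill-references resolve) covers either point, so both need a human decision before merge.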
- Markdown lint: passed
- Spell-check: passed
- Skill-references resolve: passed
All checks passed and all reviewers approved. You can merge whenever you're ready.