
SPYN — Due Diligence Pack

Compiled 2026-05-13. Distributed under NDA.

This pack is structured so each section can be sent independently to specialists — legal reads section 5, engineering reads sections 2–4, finance reads section 9. The pack is regenerated from the underlying skill library on demand; the version you are reading is current to the date above.


1. System Architecture

SPYN is a three-tier system. The mobile client is a single React Native codebase shipping to iOS and Android, with native modules for image capture and WebSocket integration. The API tier is Laravel 12 on Laravel Cloud, exposing a versioned REST/JSON API documented in OpenAPI; it is stateless, horizontally scaled, and deployed weekly. The persistence tier is PostgreSQL (operational data), S3-compatible object storage (user uploads, AI-generated content artifacts), and Redis (queues, cache, real-time presence).

Real-time fan-out for comments, reactions, and follows runs through Pusher channels with per-user authentication. Queue workers run via Laravel Horizon with cost-aware concurrency on AI generation jobs.
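The per-user channel authentication above is where the real-time tier's access control actually lives: the auth endpoint must refuse to sign a subscription for any channel the session user does not own, otherwise one user can receive another user's events. The following is an added illustration, not SPYN's code, written as framework-free PHP so it runs stand-alone (Laravel would normally express the ownership check inside Broadcast::channel()). The "private-user.{id}" channel naming scheme and the PUSHER_* placeholder values are assumptions; the signed-string format is Pusher's documented private-channel scheme.

```php
<?php
// Added example, not SPYN's code: per-user authorization for a Pusher
// private channel, written as framework-free PHP so it runs stand-alone.
// The "private-user.{id}" naming scheme and the PUSHER_* values are assumptions.
declare(strict_types=1);

const PUSHER_KEY    = 'app-key-placeholder';    // assumed placeholder
const PUSHER_SECRET = 'app-secret-placeholder'; // assumed placeholder

/**
 * Only the owner of private-user.{id} may subscribe to it. This check is
 * the whole point of "per-user authentication": without it, any signed-in
 * user could subscribe to another user's channel and receive their
 * comment, reaction and follow events.
 */
function userMaySubscribe(int $authenticatedUserId, string $channel): bool
{
    if (preg_match('/^private-user\.(\d+)$/', $channel, $m) !== 1) {
        return false; // not a channel this endpoint knows how to authorize
    }
    return (int) $m[1] === $authenticatedUserId;
}

/**
 * Produce the response body Pusher's client expects from the auth endpoint:
 * {"auth": "<key>:<hex HMAC-SHA256(secret, "<socket_id>:<channel>")>"}.
 * Returns null when the subscription must be refused, so the HTTP layer
 * answers 403 and no signature ever leaves the server.
 */
function authorizePrivateChannel(int $authenticatedUserId, string $socketId, string $channel): ?array
{
    // Pusher socket ids have the form "<digits>.<digits>"; reject anything
    // else before it becomes part of the signed string.
    if (preg_match('/^\d+\.\d+$/', $socketId) !== 1) {
        return null;
    }
    if (!userMaySubscribe($authenticatedUserId, $channel)) {
        return null;
    }
    $signature = hash_hmac('sha256', $socketId . ':' . $channel, PUSHER_SECRET);
    return ['auth' => PUSHER_KEY . ':' . $signature];
}

// Constructed requests. The session user is 42 in all three cases; the
// second asks for a channel that belongs to someone else, the third sends
// a malformed socket id.
$requests = [
    ['1234.5678', 'private-user.42'],
    ['1234.5678', 'private-user.43'],
    ['not-a-socket-id', 'private-user.42'],
];
foreach ($requests as [$socketId, $channel]) {
    $result = authorizePrivateChannel(42, $socketId, $channel);
    printf("%-18s %s\n", $channel, $result === null ? 'refused (403)' : 'allowed: ' . $result['auth']);
}
```

The ownership check runs before any signing, and the function returns null rather than an error string so a caller cannot accidentally serialise a refusal into a 200 response. Presence channels add a channel_data JSON segment to the signed string and are otherwise authorized the same way.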

2. AI Infrastructure

AI Diary generation runs via OpenAI Assistants API on the enterprise tier (no training on our data). Per-user personalisation context is assembled server-side from anonymised behavioural signals and demographic flags, never raw diary content. Thread caching reduces cost; prompt-cache hits average above 60% on warm users.

Image moderation runs via Google Cloud Vision pre-publication. Flagged uploads are held for human review by the QA team using a moderator dashboard in the admin panel; auto-decline is reserved for the highest-confidence violation classes.
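The hold-versus-auto-decline split described above is a policy decision layered on top of the Vision response, and the failure modes worth getting right are the class a model is permitted to reject on its own and what happens when the API returns no usable verdict. The block below is an added example, not SPYN's moderation code. The five SafeSearch classes and the likelihood names are Cloud Vision's; the per-class thresholds, the choice of auto-decline classes and the sample results are assumptions constructed for illustration.

```php
<?php
// Added example, not SPYN's moderation code: turns a Cloud Vision SafeSearch
// result into one of the three outcomes the pipeline describes (publish,
// hold for human review, auto-decline). Class and likelihood names are
// Cloud Vision's; thresholds and sample data are assumptions.
declare(strict_types=1);

const LIKELIHOOD_RANK = [
    'VERY_UNLIKELY' => 0,
    'UNLIKELY'      => 1,
    'POSSIBLE'      => 2,
    'LIKELY'        => 3,
    'VERY_LIKELY'   => 4,
];

// Auto-decline is reserved for these classes, and only at VERY_LIKELY.
// Every other flag goes to a human; the model may not reject spoof,
// medical or racy content on its own. (Assumed policy.)
const AUTO_DECLINE_CLASSES = ['adult', 'violence'];

// Minimum likelihood that sends an upload to the moderator queue, per class
// (assumed: adult is held one step earlier than the rest).
const HOLD_THRESHOLD = [
    'adult'    => 'POSSIBLE',
    'violence' => 'LIKELY',
    'racy'     => 'LIKELY',
    'medical'  => 'LIKELY',
    'spoof'    => 'LIKELY',
];

/**
 * @param array<string,string> $safeSearch  class => likelihood, as returned by Vision
 * @return array{decision:string, reasons:string[]}
 */
function moderationDecision(array $safeSearch): array
{
    $decision = 'publish';
    $reasons  = [];

    foreach (HOLD_THRESHOLD as $class => $holdAt) {
        $likelihood = $safeSearch[$class] ?? 'UNKNOWN';
        $rank = LIKELIHOOD_RANK[$likelihood] ?? null;

        // Fail closed: UNKNOWN, a missing class or an unexpected value is
        // not a clean verdict, so the upload waits for a human.
        if ($rank === null) {
            $decision  = 'hold';
            $reasons[] = "$class: $likelihood (no usable verdict)";
            continue;
        }
        if ($rank === LIKELIHOOD_RANK['VERY_LIKELY'] && in_array($class, AUTO_DECLINE_CLASSES, true)) {
            // Highest-confidence violation in an auto-decline class: reject outright.
            return ['decision' => 'decline', 'reasons' => ["$class: $likelihood"]];
        }
        if ($rank >= LIKELIHOOD_RANK[$holdAt]) {
            $decision  = 'hold';
            $reasons[] = "$class: $likelihood";
        }
    }
    return ['decision' => $decision, 'reasons' => $reasons];
}

// Constructed SafeSearch results, not real API output.
$samples = [
    'clean photo'     => ['adult' => 'VERY_UNLIKELY', 'violence' => 'VERY_UNLIKELY', 'racy' => 'UNLIKELY', 'medical' => 'VERY_UNLIKELY', 'spoof' => 'UNLIKELY'],
    'borderline racy' => ['adult' => 'UNLIKELY', 'violence' => 'VERY_UNLIKELY', 'racy' => 'LIKELY', 'medical' => 'VERY_UNLIKELY', 'spoof' => 'UNLIKELY'],
    'explicit'        => ['adult' => 'VERY_LIKELY', 'violence' => 'UNLIKELY', 'racy' => 'VERY_LIKELY', 'medical' => 'VERY_UNLIKELY', 'spoof' => 'UNLIKELY'],
    'no verdict'      => ['adult' => 'UNKNOWN', 'violence' => 'VERY_UNLIKELY', 'racy' => 'UNLIKELY'],
];
foreach ($samples as $label => $result) {
    $d = moderationDecision($result);
    printf("%-16s -> %-7s %s\n", $label, $d['decision'], implode(', ', $d['reasons']));
}
```

A racy VERY_LIKELY on its own is held, not declined, because racy is not in the auto-decline list; that asymmetry is what "auto-decline reserved for the highest-confidence violation classes" means in code. The reasons array is what a moderator dashboard should display so reviewers see why an item was queued.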

We do not host or fine-tune foundation models. Under the AI Act, SPYN's posture is that of a downstream deployer of OpenAI's general-purpose AI (GPAI) service. See section 5.

3. Content Pipeline

Manual diaries are persisted on submit; image attachments are uploaded to S3 and then enqueued for moderation. AI Diaries are produced on a 24-hour rolling cadence per persona, generated in an EU-region OpenAI environment, marked with C2PA content credentials in metadata and a visible "AI" chip in the UI.

Comment threads exceeding a configurable threshold (default 20) trigger an opt-in AI Comment Summary generation. Summaries are clearly labelled, include a "see all comments" affordance, and are regenerated on subsequent thread activity.

4. Key User Features

  • Manual diary authoring with media attachment.
  • AI Diary feed personalised by region, language, demographic signals.
  • Social graph — follow, mute, block — with on-device privacy controls.
  • Comments, reactions, mentions with real-time delivery.
  • AI Comment Summaries on long threads.
  • In-product DSAR self-serve (export, deletion, rectification requests).

5. Compliance Posture

GDPR. Lead supervisory authority Datatilsynet (Danish DPA). Lawful basis: contract for core processing, consent for optional analytics, legitimate interest for abuse prevention. Article 28 DPAs in place with every processor. AI-generated content treated as personal data per Recital 26.

EU AI Act. Article 50 transparency disclosure operational across AI Diary, System User persona, and AI Comment Summary surfaces. Article 6 high-risk classification criteria reviewed quarterly. Limited-risk classification signed off by Head of Legal.

Sub-processors. OpenAI (Assistants), Google (Cloud Vision), Pusher (WebSocket), AWS / Laravel Cloud (hosting + storage), Microsoft (internal collaboration), monday.com (project management — no customer data), Sentry (error tracking — PII-scrubbed), PostHog (analytics — EU-hosted, pseudonymised).

International transfers. SCCs Module 2 in place for US processors plus Transfer Impact Assessments on file.

Incident response. 72-hour breach notification playbook; monthly tabletop exercise.

6. QA Workflow

CMMI Level 2 across the engineering organisation. Six-phase SDLC with explicit gates between phases (Idea → Spec → Build → Test → Release → Monitor). Non-technical functional test cases for every screen, owned by a four-person QA team. Technical tests (load, performance, security) owned by developers, run in CI.

Defect severity tiers S1–S4. S1/S2 block release gates. Release notes follow the "not written, not delivered" rule.

7. Team & RACI

Headcount 15–20. Active roles include Project Manager (Mikkel Nygaard), Lead Developer / Full-Stack (Ahmed Mahmood Khan), QA Lead (Mikkel), four QA Testers (Earl Elvin Badua, Loïc Joubert, Niran Phongphan, Renata Gomes). Actively hiring Backend Developer, Frontend Developer, and Designer; pipeline uses standardised tests with 1–5 scoring rubric.

RACI maintained against this skill library. Every kind of work has a named Accountable individual.

8. Risk

Top current risks tracked in the SPYN risk register: vendor concentration on OpenAI; AI behaviour under load; EU AI Act classification drift; single-person key dependencies; App Store / Play Store review delays. Each has a named owner and a mitigation in flight.

9. Financial readiness

Burn rate, runway, and unit economics maintained in Finance's investor materials folder; latest snapshot regenerated on this pack's schedule. Available on request after initial meeting.


Section owners are listed in the source skill library. Generation timestamp: 2026-05-13 14:30 UTC. Regenerate from the latest skill snapshot via Vera's Generate mode.

Confidential — distributed under NDA.