{
  "schemaVersion": "0.1",
  "errorPolicy": "allOrNothing",
  "revisionMessage": "Initial PII data-flow diagram with vendor trust boundary",
  "ops": [
    {
      "op": "createFrame",
      "id": "trust-frame",
      "title": "External trust boundary",
      "containerType": "boundary",
      "children": [
        "vendor"
      ],
      "style": "boundary"
    },
    {
      "op": "createNode",
      "id": "customer",
      "nodeType": "actor",
      "shape": "roundedRect",
      "label": "Customer",
      "icon": "lucide:user",
      "style": "internal"
    },
    {
      "op": "createNode",
      "id": "webapp",
      "nodeType": "service",
      "shape": "roundedRect",
      "label": "Onboarding\nWeb App",
      "icon": "lucide:globe",
      "style": "internal"
    },
    {
      "op": "createNode",
      "id": "orch",
      "nodeType": "service",
      "shape": "roundedRect",
      "label": "KYC\nOrchestrator",
      "icon": "lucide:shield",
      "style": "internal"
    },
    {
      "op": "createNode",
      "id": "vendor",
      "nodeType": "service",
      "shape": "cloud",
      "label": "KYC Vendor\n3rd party (DPA)",
      "icon": "lucide:cloud",
      "style": "vendorNode"
    },
    {
      "op": "createNode",
      "id": "iddocs",
      "nodeType": "database",
      "shape": "cylinder",
      "label": "ID Document Store\nS3 + KMS",
      "icon": "lucide:file-lock",
      "style": "internal"
    },
    {
      "op": "createNode",
      "id": "vault",
      "nodeType": "database",
      "shape": "cylinder",
      "label": "Customer Vault\ntokenized PII",
      "icon": "lucide:key",
      "style": "safeStorage"
    },
    {
      "op": "createNode",
      "id": "audit",
      "nodeType": "database",
      "shape": "cylinder",
      "label": "Audit Log\nhashed events (immutable)",
      "icon": "lucide:scroll-text",
      "style": "safeStorage"
    },
    {
      "op": "createEdge",
      "id": "e1",
      "from": {
        "elementId": "customer"
      },
      "to": {
        "elementId": "webapp"
      },
      "label": "submit KYC",
      "router": "orthogonal",
      "style": "plainEdge"
    },
    {
      "op": "createEdge",
      "id": "e2",
      "from": {
        "elementId": "webapp"
      },
      "to": {
        "elementId": "orch"
      },
      "label": "full PII",
      "router": "orthogonal",
      "style": "plainEdge"
    },
    {
      "op": "createEdge",
      "id": "e3",
      "from": {
        "elementId": "orch"
      },
      "to": {
        "elementId": "vendor"
      },
      "label": "full PII (DPA)",
      "router": "orthogonal",
      "style": "unsafe"
    },
    {
      "op": "createEdge",
      "id": "e4",
      "from": {
        "elementId": "orch"
      },
      "to": {
        "elementId": "iddocs"
      },
      "label": "ID photo",
      "router": "orthogonal",
      "style": "unsafe"
    },
    {
      "op": "createEdge",
      "id": "e5",
      "from": {
        "elementId": "orch"
      },
      "to": {
        "elementId": "vault"
      },
      "label": "tokenized",
      "router": "orthogonal",
      "style": "safe"
    },
    {
      "op": "createEdge",
      "id": "e6",
      "from": {
        "elementId": "orch"
      },
      "to": {
        "elementId": "audit"
      },
      "label": "hashed events",
      "router": "orthogonal",
      "style": "safe"
    }
  ]
}