
Improve AI data privacy transfer evidence gates #1320

Open
danyili2632 wants to merge 1 commit into UnitOneAI:main from danyili2632:improve/ai-data-privacy-transfer-evidence

@danyili2632


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: ai-data-privacy
Skill path: skills/ai-security/ai-data-privacy/

What Was Wrong

The skill covered LLM provider terms, DPAs, retention, consent, and training-use settings, but it did not require a separate evidence gate for processor/subprocessor chains and GDPR Chapter V transfer mechanisms. A review could therefore clear a third-party AI integration based on a DPA or no-training statement while missing storage/processing/support regions, subprocessors, onward transfers, SCC/TIA evidence, or EU-US DPF verification.

What This PR Fixes

This PR adds first-class processor, subprocessor, and transfer evidence handling:

  • Adds processor/subprocessor list, region, and transfer-mechanism evidence to the required context.
  • Adds a new Processor, Subprocessor, and Transfer Evidence review step.
  • Adds code/documentation grep guidance for provider roles, regions, telemetry, human review, and adjacent AI tooling.
  • Adds a processor/subprocessor matrix covering role, AI data types, purpose, regions, onward transfers, transfer mechanism, evidence, and status.
  • Adds findings for missing transfer mechanism, missing role evidence, unauthorized subprocessors, unverified EU-US DPF reliance, SCC/TIA gaps, incomplete region evidence, and unmapped encryption/key-control claims.
  • Updates severity guidance, output format, privacy control summary, GDPR framework mapping, pitfalls, and references.

Addresses #1122.

Evidence

Before (skill could miss this):

provider: third-party LLM API
evidence_collected:
  provider_dpa: present
  no_provider_training_statement: present
missing:
  processor_subprocessor_chain: missing
  storage_processing_support_regions: missing
  transfer_mechanism: missing
  scc_module_or_dpf_certification: missing
  transfer_impact_assessment: missing

After (now correctly handled):

The report must include a Processor, Subprocessor, and Transfer Matrix with legal role, AI data types, storage/processing/support regions, subprocessors/onward transfers, transfer mechanism, evidence source, and Pass/Gap/Not Evaluable status.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing markdown validation still passes

This skill has no existing test-case directory; validation was performed with content marker checks, link checks, and git diff --check.

Validation

  • git diff --check
  • Marker check for Processor, Subprocessor, subprocessor, Transfer Matrix, EU-US Data Privacy Framework, SCC, Transfer Impact, Not Evaluable, support-access, Chapter V, and Article 46
  • Official reference URL checks returned HTTP 200 for European Commission SCCs, EDPB supplementary measures, and the EU-US Data Privacy Framework program
  • Prompt-injection phrase scan only matched existing defensive guidance and existing system-prompt privacy examples

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto, preferably Base USDC to 0x6CBF4b5cb88b8C2B7af776Bc2B073163B5d3C08A; payment details can also be coordinated privately after acceptance.
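
The gate described in the PR body above, sketched as an added example that is not part of the PR or the skill's own code. Field names are taken from the "Before" record; the function names and the rule that any value other than `present` or `missing` maps to Not Evaluable are assumptions for illustration.

```python
# Added example: hypothetical gate, not the skill's own code.
# Field names come from the PR's "Before" record; status rules are assumptions.
GATE_FIELDS = (
    "provider_dpa",
    "no_provider_training_statement",
    "processor_subprocessor_chain",
    "storage_processing_support_regions",
    "transfer_mechanism",
    "scc_module_or_dpf_certification",
    "transfer_impact_assessment",
)
STATUS = {"present": "Pass", "missing": "Gap"}  # anything else: Not Evaluable

def legacy_gate(review):
    """Old behaviour per the PR: a DPA or a no-training statement is enough."""
    ev = review.get("evidence_collected", {})
    return "present" in (ev.get("provider_dpa"), ev.get("no_provider_training_statement"))

def build_matrix(review):
    """Return {field: Pass | Gap | Not Evaluable} for one provider review."""
    # The PR's record splits evidence into two sections; merge them first.
    evidence = {**review.get("evidence_collected", {}), **review.get("missing", {})}
    return {f: STATUS.get(evidence.get(f), "Not Evaluable") for f in GATE_FIELDS}

def gate(review):
    """Clear the integration only when every matrix row is Pass."""
    matrix = build_matrix(review)
    blockers = sorted(f for f, s in matrix.items() if s != "Pass")
    return {"cleared": not blockers, "blockers": blockers, "matrix": matrix}

# Constructed input: the "Before" record from the PR description.
BEFORE = {
    "provider": "third-party LLM API",
    "evidence_collected": {
        "provider_dpa": "present",
        "no_provider_training_statement": "present",
    },
    "missing": {
        "processor_subprocessor_chain": "missing",
        "storage_processing_support_regions": "missing",
        "transfer_mechanism": "missing",
        "scc_module_or_dpf_certification": "missing",
        "transfer_impact_assessment": "missing",
    },
}
```

On the `BEFORE` record, `legacy_gate` clears the integration while `gate` blocks it and names the five transfer-evidence rows as blockers.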
