Platypus

Third-Party Terms and Compliance Checklist

Last Updated: May 27, 2026

Purpose: Track obligations from Discord and other third-party providers and map them to controls in this codebase.

Important: This checklist supports engineering and operations and is not legal advice. Final interpretation belongs to legal counsel.

1. Active and Planned Third-Party Dependencies

  1. Discord Developer Platform (active)
  2. PostgreSQL (active)
  3. Redis (active)
  4. MinIO or S3-compatible object storage (active/planned)
  5. Stripe (planned, keys present in config)
  6. Python open-source dependencies listed in pyproject.toml (active)

2. Discord Compliance Baseline

Authoritative references:

  1. Discord Terms of Service
     https://discord.com/terms
  2. Discord Developer Terms of Service
     https://support-dev.discord.com/hc/articles/8562894815383-Discord-Developer-Terms-of-Service
     Effective date shown by Discord: July 8, 2024 (last updated June 6, 2024)
  3. Discord Developer Policy
     https://support-dev.discord.com/hc/articles/8563934450327-Discord-Developer-Policy
     Effective date shown by Discord: July 8, 2024 (last updated June 6, 2024)
  4. Discord Community Guidelines
     https://discord.com/guidelines
  5. Discord Message Content Intent Review Policy
     https://support-dev.discord.com (article title: Message Content Intent Review Policy)
  6. Discord App Directory Inclusion Guidelines
     https://support-dev.discord.com (article title: App Directory Inclusion Guidelines)

3. Discord Control Matrix

  1. Obligation: Do not request or process more API data than necessary.
     Status: Partially implemented.
     Current control: Bot intents are now configurable through environment settings, with safe defaults.
     Required action: Keep non-essential intents disabled unless a feature needs them and Discord review permits them.
  2. Obligation: Do not collect credentials from users or circumvent Discord privacy/safety controls.
     Status: No evidence of prohibited credential collection in current code.
     Required action: Keep this prohibition explicit in user-facing terms and product UX.
  3. Obligation: Provide a privacy policy that clearly explains data use and the deletion process.
     Status: Draft privacy policy added.
     Required action: Publish the policy URL publicly and add it to the Discord Developer Portal.
  4. Obligation: Provide a user issue-reporting channel and act on reports.
     Status: Not yet implemented in product UX.
     Required action: Add a support/reporting endpoint and a moderation workflow.
  5. Obligation: Delete or update API data on user or Discord request.
     Status: Not yet implemented as a formal workflow.
     Required action: Implement a deletion-request SOP and administrative tooling.
  6. Obligation: Encrypt credentials and protect API data.
     Status: Partial.
     Current control: Encryption key support exists for sensitive values.
     Required action: Enforce secrets management in production and at-rest encryption for persisted sensitive data.
  7. Obligation: Do not scrape Discord or commercialize API data.
     Status: No scraping logic identified.
     Required action: Keep the prohibited behavior stated in the Terms and in internal engineering standards.
  8. Obligation: Comply with API limits and do not evade rate limits.
     Status: Not explicitly documented in the runbook.
     Required action: Add operational alerts for rate-limit headers and fallback handling.
  9. Obligation: Use of the Message Content Intent may require review/approval.
     Status: Risk reduced.
     Current control: Message Content Intent defaults to false.
     Required action: If enabling it, complete Discord's review requirements and document the lawful basis.
  10. Obligation: Promptly report API data incidents to Discord and, where required, to affected users.
      Status: Incident workflow not documented.
      Required action: Add an incident response playbook with a Discord notification path.
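Added example for the rate-limit obligation above (not Platypus code): a decision helper that reads Discord's documented per-route rate-limit headers from one REST response, sleeps out the bucket window instead of retrying early, and produces the operational alert text the runbook item calls for. The sample headers, bucket id and the 20% alert threshold are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of Discord REST response headers (not a real capture);
# the header names are Discord's documented per-route rate-limit headers.
SAMPLE_HEADERS = {
    "X-RateLimit-Limit": "5",
    "X-RateLimit-Remaining": "0",
    "X-RateLimit-Reset-After": "1.25",
    "X-RateLimit-Bucket": "constructed-bucket-id",
}
ALERT_THRESHOLD = 0.2  # assumed policy: alert when under 20% of a bucket remains

@dataclass
class RateLimitDecision:
    wait_seconds: float    # pause before the next request on this bucket
    exhausted: bool        # remaining quota is zero
    rate_limited: bool     # the request itself was rejected with HTTP 429
    alert: Optional[str]   # text for the operational alert, if one is warranted

def evaluate_rate_limit(status: int, headers: Dict[str, str]) -> RateLimitDecision:
    """Turn one Discord REST response into a wait/alert decision (never an evasion)."""
    h = {k.lower(): v for k, v in headers.items()}
    reset_after = float(h.get("x-ratelimit-reset-after", "0") or 0.0)
    if status == 429:
        # Honour Retry-After (seconds) and flag it: a 429 means the bot already overshot.
        wait = max(float(h.get("retry-after", "0") or 0.0), reset_after)
        scope = "global" if h.get("x-ratelimit-global", "").lower() == "true" else "bucket"
        return RateLimitDecision(wait, True, True, f"429 received ({scope} limit); backing off {wait:.2f}s")
    if "x-ratelimit-limit" not in h:
        return RateLimitDecision(0.0, False, False, None)  # route carries no bucket headers
    limit = int(h["x-ratelimit-limit"])
    remaining = int(h.get("x-ratelimit-remaining", "0"))
    exhausted = remaining <= 0
    alert = None
    if limit and remaining / limit < ALERT_THRESHOLD:
        alert = f"bucket {h.get('x-ratelimit-bucket', '?')} near limit: {remaining}/{limit} left"
    return RateLimitDecision(reset_after if exhausted else 0.0, exhausted, False, alert)

def pace_request(status: int, headers: Dict[str, str]) -> RateLimitDecision:
    """Apply the decision: sleep out the bucket window before the caller's next request."""
    decision = evaluate_rate_limit(status, headers)
    if decision.wait_seconds > 0:
        time.sleep(decision.wait_seconds)
    return decision
```

Wire the alert text into whatever pager or log sink the runbook designates; the helper deliberately has no path that shortens the wait.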

4. Stripe and Payments Compliance (Planned)

  1. Use Stripe-hosted payment collection where possible.
  2. Do not store full card numbers, CVC, or magnetic stripe data.
  3. Publish billing terms, cancellation terms, and refund rules clearly.
  4. Implement webhook signature verification and replay protection.
  5. Maintain tax, invoicing, and chargeback handling procedures.
  6. Review and accept Stripe services agreement and product-specific terms before launch.
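Added example for item 4 above (not Platypus code and not the Stripe SDK): webhook signature verification following Stripe's documented Stripe-Signature scheme (t=timestamp, v1=HMAC-SHA256 over "timestamp.payload"), a timestamp tolerance against replays, and an event-id idempotency guard against duplicate deliveries. The signing secret, event body, timestamps and tolerance are constructed for the example; in production the official stripe library's Webhook.construct_event performs the signature step.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set

WEBHOOK_SECRET = "whsec_CONSTRUCTED_EXAMPLE_SECRET"  # constructed placeholder, not a real secret
TOLERANCE_SECONDS = 300  # assumed policy: reject timestamps more than 5 minutes off

def build_signature_header(payload: bytes, secret: str, ts: int) -> str:
    """Produce a Stripe-style header (t=<ts>,v1=<hex>); used here only to construct test input."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"

def verify_signature(payload: bytes, header: str, secret: str, now: int,
                     tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Check the v1 HMAC over 'ts.payload' and that ts is within the replay tolerance."""
    ts, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1":
            sigs.append(value)
    if ts is None or not sigs or abs(now - ts) > tolerance:
        return False  # unparseable, unsigned, stale or future-dated: treat as replay
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 value (Stripe may send several during key rotation).
    return any(hmac.compare_digest(expected.encode(), s.encode()) for s in sigs)

def accept_event(payload: bytes, header: str, seen_ids: Set[str],
                 secret: str = WEBHOOK_SECRET, now: Optional[int] = None) -> Optional[dict]:
    """Return the parsed event if authentic, fresh and not yet processed; otherwise None."""
    now = int(time.time()) if now is None else now
    if not verify_signature(payload, header, secret, now):
        return None  # verify before parsing: untrusted bytes never reach json.loads
    event = json.loads(payload)
    event_id = event.get("id")
    if not isinstance(event_id, str) or event_id in seen_ids:
        return None  # duplicate delivery or malformed event: idempotency guard
    seen_ids.add(event_id)
    return event
```

seen_ids is an in-memory set here; a real deployment keeps it in PostgreSQL or Redis so the guard survives restarts and multiple workers.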

5. Open-Source License and Attribution Compliance

  1. Generate SBOM for production builds.
  2. Track licenses for all runtime dependencies.
  3. Add attribution/notice file where required by dependency licenses.
  4. Ensure no dependency license conflicts with commercial distribution model.

6. Production Readiness Gate (Policy + Compliance)

Before commercial launch, complete all items:

  1. Legal counsel review and finalize all policy documents.
  2. Publish public URLs for Terms, Privacy, Refund/Cancellation, and EULA.
  3. Add policy links in product surfaces and Discord Developer Portal profile.
  4. Complete Discord compliance review against latest Developer Terms/Policy.
  5. Implement and test data deletion workflow.
  6. Implement and test incident response and breach notification workflow.
  7. Verify least-privilege intents and permissions.
  8. Complete payment and tax counsel review for operating jurisdictions.