
docs: add DPA template + move sprint-s1 history out of public repo#25

Merged: MrChengLen merged 1 commit into main from pr-audit-scope-1 on May 8, 2026

Conversation

@MrChengLen (Owner)

Two findings from the post-merge 4-eyes audit (3 expert agents: PM, Business, Security). Both surgical — no code changes.

  1. NEW docs/dpa-template.md (Article 28 GDPR skeleton)

The Compliance-Edition pitch in /enterprise and COMMERCIAL-LICENSE.md promises a "DPA template" inclusive in every tier. Until now, no such file lived in the repo — a procurement reviewer asking "send the DPA template" got nothing back. Business-Agent flagged this as a HIGH liability and trust gap before first customer.

The new docs/dpa-template.md is a 12-section Art. 28 GDPR skeleton with bracketed placeholders that get filled in the pilot conversation: parties, subject matter, nature of processing, data subjects + data categories, audit log + integrity attestation, sub-processors (cross-links existing docs/sub-processors.md), TOMs (cross-links security/threat-model/patch-policy/incident-response/release-signing), the controller's instructions and rights, breach notification (72 h), return/deletion at end, liability, governing law (Hamburg). The finalisation note describes the contact path (legal@filemorph.io) and turnaround.

This is published as a template — not a binding contract — so a reviewer can read the substance before requesting a signed instance. The wording matches the existing /enterprise template language ("DPA template in pilot conversation"), so the public claim is now backed by a public artefact.

  2. REMOVE docs/sprint-s1-technology-first.md (moved to docs-internal/)

PM-Agent + Business-Agent both flagged this as sprint-internal history unsuitable for the public repo. The file lists S1 commit SHAs with internal rationale ("our 2 GB output cap would have OOM-killed a small-RAM server", "we audited as one batch before push") — useful when reviewing historical engineering decisions, not useful for self-hosters or compliance reviewers. Self-host onboarding lives in README + docs/installation.md + docs/self-hosting.md, not in this sprint recap.

The file is preserved locally under docs-internal/sprint-history/ (gitignored, intentionally outside the public repo). Per the security audit's recommendation, no force-push or filter-repo: the historical content remains retrievable via git log on this commit, which matches the project's transparency posture (git history is a feature, not a liability, for a Compliance-Edition product whose customers audit provenance).

What this PR does NOT touch (deferred):

  • .github/workflows/notify-ops.yml — moving requires coordinated change in MrChengLen/filemorph-ops (set up reverse polling first), then delete here; otherwise a deploy gap opens. Tracked for a follow-up PR that includes both sides.
  • enterprise.html / COMMERCIAL-LICENSE.md claims-audit — three promise/reality wording fixes need legal review before commit (Business-Agent recommendation). Tracked for PR-Audit-Claims-1.
  • .env.example sectioning + Phase 2/3 of the post-audit plan — separate PRs to keep diffs reviewable.
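
The "no force-push, no filter-repo" handling in finding 2 is easy to get subtly wrong (an ignore rule that does not actually match, or a stale copy that quietly becomes untracked-but-present), so here is an added example, not code from the filemorph repo, that replays the move in a throwaway repository and checks the three properties a reviewer would want: the docs-internal/ copy is ignored, nothing under it is tracked, and the removed file is still recoverable from the parent of the deleting commit. Only a working git is assumed; the paths mirror the PR and the file content is constructed. One caveat the posture rests on: leaving history intact is fine here only because the recap holds internal rationale, not credentials. A file that had contained a secret would call for rotating that secret regardless of any history rewrite, since existing clones and forks already hold it.

```shell
#!/bin/sh
# Added example (not code from the filemorph repo): reproduce, in a throwaway
# repository, the "remove the file, no force-push, no filter-repo" approach
# from PR #25 and verify three things a reviewer would want checked.
# Assumes only a working `git`; paths mirror the PR, file content is constructed.
set -eu

# Runs the whole demo in a subshell (so the cd does not leak) and prints
# "<ignored> <tracked-under-docs-internal> <commits-touching-path> <recovered content>".
run_demo() (
  set -eu
  repo=$(mktemp -d)
  cd "$repo"
  git init -q
  git config user.name dev
  git config user.email dev@example.invalid
  git config commit.gpgsign false

  # Commit the sprint recap as it originally lived in the public tree.
  mkdir -p docs
  printf 'constructed sprint notes\n' > docs/sprint-s1-technology-first.md
  git add docs
  git commit -q -m 'docs: add sprint recap'

  # Move it under a gitignored directory and drop it from the tracked tree
  # with an ordinary commit, leaving history untouched.
  mkdir -p docs-internal/sprint-history
  cp docs/sprint-s1-technology-first.md docs-internal/sprint-history/
  printf 'docs-internal/\n' > .gitignore
  git rm -q docs/sprint-s1-technology-first.md
  git add .gitignore
  git commit -q -m 'docs: move sprint-s1 history out of public repo'

  # Check 1: the copy under docs-internal/ is actually matched by .gitignore.
  if git check-ignore -q docs-internal/sprint-history/sprint-s1-technology-first.md; then
    ignored=yes
  else
    ignored=no
  fi
  # Check 2: nothing under docs-internal/ made it into the index.
  internal_tracked=$(git ls-files docs-internal | wc -l | tr -d ' ')
  # Check 3: history still carries the file. Count the commits touching the
  # path, locate the deleting commit, and recover the content from its parent.
  commits=$(git rev-list --count HEAD -- docs/sprint-s1-technology-first.md)
  del=$(git log --diff-filter=D --format=%H -- docs/sprint-s1-technology-first.md)
  recovered=$(git show "${del}^:docs/sprint-s1-technology-first.md")

  printf '%s %s %s %s\n' "$ignored" "$internal_tracked" "$commits" "$recovered"
  rm -rf "$repo"
)

run_demo
```

Run it with sh; it prints `yes 0 2 constructed sprint notes`. The same three commands (git check-ignore, git ls-files, and git show on `<deleting-commit>^:<path>`) can be pointed at the real repository to audit the merge commit named below without touching its history.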

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MrChengLen merged commit 698de4a into main on May 8, 2026
4 checks passed