feat(vendor-assessment): AVV/SCC/TOM/Sub-Processor checklists + assessment service

Phase 1-3 of the Vendor Contract Assessment:

Backend checklists (Doc-Check L1/L2 engine compatible):
- avv_checks.py: 28 checks (11 L1 + 17 L2) for Art. 28(3) DSGVO
- scc_checks.py: 7 checks for EU SCC 2021 (modules, annexes, TIA)
- tom_annex_checks.py: 12 checks for Art. 32 (8 control objectives)
- sub_processor_checks.py: 7 checks for sub-processor list completeness

Assessment service:
- POST /vendor-compliance/assessments — async contract analysis
- GET /vendor-compliance/assessments/{id} — poll status
- Cross-check engine: detects missing SCC when AVV mentions third-country,
  missing TOM annex, missing sub-processor list

All checklists registered in runner.py CHECKLIST_MAP (27 doc_types total).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/services/doc_checks/runner.py

@@ -16,6 +16,10 @@ from .cookie_checks import COOKIE_CHECKLIST
 from .social_media_checks import JOINT_CONTROLLER_CHECKLIST
 from .dsfa_checks import DSFA_CHECKLIST
 from .eu_institution_checks import EU_INSTITUTION_CHECKLIST
+from .avv_checks import AVV_CHECKLIST
+from .scc_checks import SCC_CHECKLIST
+from .tom_annex_checks import TOM_ANNEX_CHECKLIST
+from .sub_processor_checks import SUB_PROCESSOR_LIST_CHECKLIST
 
 logger = logging.getLogger(__name__)
 
@@ -37,6 +41,17 @@ _CHECKLIST_MAP = {
     "joint_controller": (JOINT_CONTROLLER_CHECKLIST, "Art. 26 DSGVO"),
     "dsfa": (DSFA_CHECKLIST, "Art. 35 DSGVO"),
     "eu_institution": (EU_INSTITUTION_CHECKLIST, "VO (EU) 2018/1725"),
+    "avv": (AVV_CHECKLIST, "Art. 28 DSGVO"),
+    "auftragsverarbeitung": (AVV_CHECKLIST, "Art. 28 DSGVO"),
+    "dpa": (AVV_CHECKLIST, "Art. 28 DSGVO"),
+    "scc": (SCC_CHECKLIST, "EU SCC 2021"),
+    "standardvertragsklauseln": (SCC_CHECKLIST, "EU SCC 2021"),
+    "tom_annex": (TOM_ANNEX_CHECKLIST, "Art. 32 DSGVO"),
+    "tom_anlage": (TOM_ANNEX_CHECKLIST, "Art. 32 DSGVO"),
+    "tom": (TOM_ANNEX_CHECKLIST, "Art. 32 DSGVO"),
+    "sub_processor_list": (SUB_PROCESSOR_LIST_CHECKLIST, "Art. 28(3)(d) DSGVO"),
+    "sub_processor": (SUB_PROCESSOR_LIST_CHECKLIST, "Art. 28(3)(d) DSGVO"),
+    "unterauftragnehmer": (SUB_PROCESSOR_LIST_CHECKLIST, "Art. 28(3)(d) DSGVO"),
 }