Data Governance & Compliance

This document outlines data governance policies, compliance frameworks, and privacy controls for the platform.

Data Classification

Classification Levels

| Level | Description | Examples | Handling Requirements |
|---|---|---|---|
| Public | Non-sensitive, publicly available | Marketing content, documentation | No encryption required |
| Internal | Business data, not for public | Tenant configurations, quota limits | Encryption at rest |
| Confidential | Sensitive business data | Workflow definitions, execution logs | Encryption at rest + in transit |
| Restricted | Highly sensitive, regulated | PII, PHI, payment data | Encryption + access controls + audit |

Data Storage Matrix

| Data Type | Classification | Storage Location | Retention | Encryption |
|---|---|---|---|---|
| Tenant Metadata | Internal | Database | Indefinite | Platform-managed |
| Workflow Definitions | Confidential | Database | Indefinite | Platform-managed |
| Execution Outcomes | Confidential | Database | 90 days | Platform-managed |
| Metering Heartbeats | Internal | Database | 30 days | Platform-managed |
| Audit Logs | Restricted | Database + Archive Storage | 90 days (DB) + 7 years (Archive) | Customer-managed |
| Platform Logs | Confidential | Logging Service | 30 days | Platform-managed |
| Embeddings | Confidential | Object Storage (per-tenant) | Tenant-controlled | Platform encryption |
| Secrets | Restricted | Secrets Management Service | Rotated every 90 days | Platform-managed |

GDPR Compliance

Overview

The platform is designed to support GDPR-compliant deployments for European customers, implementing data protection by design and by default.

GDPR Principles Implementation

1. Lawfulness, Fairness, and Transparency

Implementation:

  • Clear Terms of Service and Privacy Policy
  • Consent checkboxes for optional data processing
  • Data Processing Agreement (DPA) for enterprise customers
  • Transparent data usage in Admin Panel

2. Purpose Limitation

Implementation:

  • Data collected only for specified purposes:
    • Execution Outcomes: Metering, analytics, quota enforcement
    • Audit Logs: Compliance, security investigations
    • Metering Data: Usage tracking, capacity planning

Prohibited Uses:

  • Selling data to third parties
  • Training AI models on customer data without consent
  • Profiling for marketing purposes
  • Cross-tenant data sharing

3. Data Minimization

Implementation:

Outcome payloads exclude PII and sensitive content:

Allowed Data:

  • Execution identifiers (execution_id, tenant_id, workflow_id)
  • Operational metrics (success/failure, duration, token count)
  • Timestamps for retention policies

Forbidden Data:

  • User identifiers (email, name, phone)
  • Content (prompt text, AI responses)
  • Network information (IP addresses)
  • Any personally identifiable information
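As an added example (not the platform's own code), a validator that enforces the allowlist above on an outcome payload before it is written, and scans string values so that the forbidden categories (email addresses, IP addresses, phone numbers, long content) cannot arrive through an allowed field. The metric and timestamp field names, the forbidden key names beyond those listed on the page, and the 256-character content threshold are assumptions for this example.

```python
import ipaddress
import re
# Allowlist from the page's "Allowed Data"; identifier names are the page's, the rest assumed.
ALLOWED_FIELDS = {
    "execution_id", "tenant_id", "workflow_id",  # execution identifiers
    "success", "duration_ms", "token_count",     # operational metrics
    "started_at", "completed_at",                # timestamps used for retention
}
# Key names that signal the page's forbidden categories (identifiers, content, network).
FORBIDDEN_KEYS = {"email", "name", "phone", "prompt", "prompt_text", "response",
                  "ai_response", "ip", "ip_address", "client_ip"}
MAX_STRING_LEN = 256  # assumed: longer strings are treated as content, not metrics
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def _looks_like_ip(text):
    try:
        ipaddress.ip_address(text.strip())
    except ValueError:
        return False
    return True

def _looks_like_phone(text):
    # 10-15 digits after removing separators, with a separator present (skips bare IDs).
    digits = re.sub(r"[\s().+-]", "", text)
    return digits.isdigit() and 10 <= len(digits) <= 15 and digits != text

def validate_outcome(payload):
    """Return minimization violations for one outcome payload; [] means storable."""
    violations = []
    for key, value in payload.items():
        if key.lower() in FORBIDDEN_KEYS:
            violations.append(f"{key}: forbidden field name")
        elif key not in ALLOWED_FIELDS:
            violations.append(f"{key}: not in allowlist")
        if not isinstance(value, str):
            continue
        # Value heuristics, so PII cannot ride in through an allowed field.
        if EMAIL_RE.search(value):
            violations.append(f"{key}: value looks like an email address")
        if _looks_like_ip(value):
            violations.append(f"{key}: value looks like an IP address")
        if _looks_like_phone(value):
            violations.append(f"{key}: value looks like a phone number")
        if len(value) > MAX_STRING_LEN:
            violations.append(f"{key}: string longer than {MAX_STRING_LEN} chars")
    return violations
# Constructed sample payloads (not from the page).
GOOD_OUTCOME = {"execution_id": "exec-42", "tenant_id": "t-7", "workflow_id": "wf-1", "success": True,
                "duration_ms": 1234, "token_count": 87, "started_at": "2024-05-01T12:00:00Z"}
LEAKY_OUTCOME = {"execution_id": "exec-43", "tenant_id": "alice@example.com",
                 "client_ip": "203.0.113.9", "prompt": "Summarize this record"}
```

Rejecting the payload on any violation (rather than stripping fields silently) keeps the producer honest and makes the leak visible in the ingestion logs.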

4. Accuracy

Implementation:

  • Users can update tenant metadata via Admin Panel
  • Automated data validation on ingestion

5. Storage Limitation

Retention Policies:

| Data Type | Retention Period | Auto-Deletion |
|---|---|---|
| Execution Outcomes | 90 days | Yes (automated retention) |
| Metering Heartbeats | 30 days | Yes (automated retention) |
| Audit Logs (Database) | 90 days | Yes (automated retention) |
| Audit Logs (Archive) | 7 years | Yes (lifecycle policy) |
| Application Logs | 30 days | Yes (retention policy) |
| Tenant Metadata | Until deletion request | Manual |
| Workflow Definitions | Until deletion request | Manual |

6. Integrity and Confidentiality

Implementation:

  • Encryption at Rest: AES-256 for all data stores
  • Encryption in Transit: TLS 1.3 for all APIs
  • Access Controls: Least-privilege access policies
  • Audit Logging: Comprehensive API call tracking

GDPR Rights Implementation

Right to Access (Article 15)

Users can export all their data via Admin Panel. Export includes:

  • Tenant metadata
  • Workflow definitions
  • Execution outcomes
  • Audit logs

Right to Erasure (Article 17)

Cascade deletion of all tenant data:

  1. Delete from tenants table
  2. Delete all workflow definitions
  3. Delete execution outcomes
  4. Delete embeddings storage
  5. Delete log streams
  6. Create audit log entry (deletion event)
  7. Revoke integration tokens

Deletion SLA: Within 30 days of request

Right to Rectification (Article 16)

Users can correct their data via Admin Panel API endpoints.

Right to Data Portability (Article 20)

Export format is machine-readable JSON:

Export Contents:

  • Export metadata: Version, tenant ID, export timestamp
  • Tenant configuration: Service tier, creation date, settings
  • Workflow definitions: All registered workflows
  • Execution history: All historical execution data
  • Format: Structured JSON, machine-readable, portable

Right to Restriction of Processing (Article 18)

Users can pause all processing, which:

  • Deactivates all workflows
  • Returns 423 Locked for execution requests
  • Continues metering (for transparency)
  • Keeps data export available

Right to Object (Article 21)

Users can object to specific processing (e.g., analytics), and their data will be excluded from aggregate analytics.

GDPR Breach Notification

Timeline (Articles 33 & 34):

  • Discovery to supervisory authority (Data Protection Authority) notification: < 72 hours
  • Authority notification to affected individuals: < 24 hours (if high risk)

HIPAA Compliance

Overview

The platform supports HIPAA-eligible deployments for healthcare customers handling Protected Health Information (PHI).

HIPAA Requirements Matrix

| Requirement | Implementation |
|---|---|
| Access Control (§164.312(a)) | Role-based access policies, MFA, least-privilege |
| Audit Controls (§164.312(b)) | Comprehensive logging with 7-year retention |
| Integrity (§164.312(c)) | Checksums, signed execution plans, tamper detection |
| Transmission Security (§164.312(e)) | TLS 1.3, encrypted network channels |
| Encryption (§164.312(a)(2)(iv)) | AES-256 at rest, TLS 1.3 in transit |

PHI Handling

Prohibited:

  • Logging PHI in application logs
  • Storing PHI in Control Plane
  • Cross-tenant PHI access

Required:

  • Customer-managed encryption keys for PHI at rest
  • Dedicated network isolation for PHI workloads
  • Enhanced audit logging
  • Business Associate Agreement with platform vendor

SOC 2 Compliance

Trust Service Criteria

| Criteria | Implementation |
|---|---|
| Security | Network isolation, encryption, access controls, monitoring |
| Availability | Multi-AZ deployment, auto-scaling, health checks |
| Processing Integrity | Input validation, execution plan signing, outcome verification |
| Confidentiality | Data classification, encryption, access logging |
| Privacy | GDPR rights implementation, data minimization, consent management |

Data Retention Policies

Retention Schedule

For litigation or investigation purposes, a hold on deletion can be placed that:

  • Suspends automatic deletion
  • Applies to specific tenant or time range
  • Requires security team approval
  • Audit logged

Cross-Border Data Transfers

EU-US Data Transfers

Mechanisms:

  1. Standard Contractual Clauses (SCCs): Included in DPA
  2. Data Processing Agreement: GDPR-compliant terms
  3. EU Region Deployment: Optional eu-west-1 / eu-central-1 deployment

Data Residency Options

| Option | Regions | Use Case |
|---|---|---|
| US Only | us-east-1, us-west-2 | US customers, no EU data |
| EU Only | eu-west-1, eu-central-1 | EU customers, GDPR compliance |
| Multi-Region | US + EU | Global customers with geo-routing |

Vendor/Subprocessor Guidelines

Approved Subprocessors

| Vendor | Purpose | Data Accessed | DPA |
|---|---|---|---|
| Platform Provider | Infrastructure | All data (encrypted) | |
| LLM Provider | AI inference | Prompts (no PII) | |

Subprocessor Requirements

  1. DPA Required: All subprocessors must sign Data Processing Agreement
  2. SOC 2 Report: Annual SOC 2 Type II attestation required
  3. Encryption: Data encrypted in transit and at rest
  4. Data Minimization: Access only to required data
  5. Audit Rights: Right to audit upon request

New Subprocessor Process

  1. Security team reviews vendor security posture
  2. Legal reviews DPA and contract terms
  3. Customer notification (30 days advance notice)
  4. Add to subprocessor list in Trust Center

Privacy Impact Assessment

When Required

  • New data collection
  • New subprocessor onboarding
  • New AI model integration
  • Cross-border data transfer changes

Assessment Template

  1. Purpose: What data is collected and why?
  2. Necessity: Is all collected data required?
  3. Proportionality: Are retention periods appropriate?
  4. Security: What controls protect the data?
  5. Rights: How are data subject rights supported?
  6. Transfers: Are cross-border transfers compliant?