If the data subject is a child or adolescent, require age verification and parental/legal-guardian consent prior to processing; otherwise deny processing and do not store the payload.
Tags: compliance-lgpd, api-conventions (+1)
Critical
Deletion requests: anonymize or hard-delete PII irreversibly
On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.
Tags: compliance-lgpd, migrations-backward-compat (+1)
Critical
Encrypt PII at rest with AES-GCM and managed keys
For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.
Tags: compliance-lgpd, security-hardening
Critical
Require explicit consent before processing sensitive data
Before handling sensitive personal data (e.g., health, biometric), verify a valid consent record and attach its ID to the processing context. Provide a path to revoke consent and stop further processing.
Tags: compliance-lgpd, api-conventions (+1)
High
Audit access to PII with purpose and actor (no raw values)
Whenever PII is read, emit an audit event capturing actor, purpose, fields touched, and legal basis; never include raw PII in the audit payload—store hashes/tokens only.
Tags: compliance-lgpd, observability-logging (+1)
High
DSAR export: include only allowed fields and redact sensitive notes
Data subject export endpoints must whitelist fields and redact internal notes, tokens, and third-party IDs. Generate machine-readable output and log the lawful basis for the export.
Tags: compliance-lgpd, api-conventions (+1)
High
International transfers: enforce region allow-list for PII
Before sending PII to processors, verify the destination region is approved (e.g., BR/EEA with SCC/DPA). Block requests that include personal data and target non-approved regions.
Tags: compliance-lgpd, security-hardening (+1)
High
Mask PII in logs (CPF, email, phone)
Never write raw personal data to logs. Apply irreversible masking/redaction (e.g., CPF → ***.***.***-**; emails → f**@domain.com). Include the LGPD purpose in the log context and prefer structured logging.
Tags: compliance-lgpd, observability-logging (+1)
High
Minimize fields at collection (privacy by default)
Collect only strictly necessary fields for the declared purpose; mark optional PII as nullable and omit from payloads when empty. Fail requests that include undeclared extra PII keys.
Tags: compliance-lgpd, privacy-pii (+1)
High
PRs adding new PII must declare lawful basis and DPIA flag
When a PR introduces new PII fields or processing, the PR body must include a legal_basis: entry (e.g., consent, contract) and a dpia: entry (yes/no, with a link). CI should fail if either is missing.
Tags: compliance-lgpd, pr-hygiene (+1)
High
Purpose limitation for analytics (no direct identifiers)
Do not send direct identifiers (email, CPF) to analytics. Use an HMAC-based pseudonymous ID derived from the user ID and a rotating key, so it cannot be reversed without the server-side secret.
Tags: compliance-lgpd, privacy-pii (+1)
High
Retention: set TTLs for caches and temp stores with PII
All cache entries containing PII must set an explicit TTL aligned to the retention policy (e.g., 24h). No indefinite storage of personal data in Redis or in-memory caches.
Tags: compliance-lgpd, caching-strategy (+1)
Low
Export for portability in machine-readable format with consent check
Provide subject data export in JSONL or CSV only after confirming lawful basis (consent/contract). Include schema version and exclude internal linkage keys.
Tags: compliance-lgpd, api-conventions (+1)
Low
Input validation for Brazilian identifiers (CPF/CNPJ) with checksum
Validate CPF/CNPJ format and checksum server-side; reject storage of invalid identifiers and never auto-correct them. Store normalized (digits-only) representation.
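An added example of the server-side check this rule describes (it is not code from the rule set itself): a Python validator that strips only formatting punctuation, verifies both modulo-11 check digits of a CPF or CNPJ, rejects the repeated-digit sequences that pass the checksum arithmetic but are not valid identifiers, and returns the digits-only form or None, never a corrected value. The sample numbers in the comments are constructed test values.

```python
import re

# Weights for the two CNPJ check digits. CPF uses the descending
# sequences 10..2 and 11..2, generated inline below.
_CNPJ_WEIGHTS_1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
_CNPJ_WEIGHTS_2 = [6] + _CNPJ_WEIGHTS_1


def _check_digit(digits, weights):
    """Modulo-11 check digit shared by CPF and CNPJ."""
    total = sum(int(d) * w for d, w in zip(digits, weights))
    remainder = total % 11
    return 0 if remainder < 2 else 11 - remainder


def _digits_only(value, length):
    """Strip only formatting characters (. - / space); anything else is a format error.
    Repeated-digit inputs such as 111.111.111-11 satisfy the checksum but are
    not real identifiers, so they are rejected explicitly."""
    stripped = re.sub(r"[.\-/ ]", "", (value or "").strip())
    if not re.fullmatch(r"[0-9]{%d}" % length, stripped):
        return None
    if len(set(stripped)) == 1:
        return None
    return stripped


def normalize_cpf(value):
    """Return the 11-digit CPF, or None if format or checksum is invalid.
    Example: "529.982.247-25" -> "52998224725"; "529.982.247-26" -> None."""
    digits = _digits_only(value, 11)
    if digits is None:
        return None
    d1 = _check_digit(digits[:9], range(10, 1, -1))
    d2 = _check_digit(digits[:10], range(11, 1, -1))
    return digits if digits[9:] == f"{d1}{d2}" else None


def normalize_cnpj(value):
    """Return the 14-digit CNPJ, or None if format or checksum is invalid.
    Example: "11.222.333/0001-81" -> "11222333000181"."""
    digits = _digits_only(value, 14)
    if digits is None:
        return None
    d1 = _check_digit(digits[:12], _CNPJ_WEIGHTS_1)
    d2 = _check_digit(digits[:13], _CNPJ_WEIGHTS_2)
    return digits if digits[12:] == f"{d1}{d2}" else None
```

Persist only the returned digits-only string; a None result means the request should be rejected, not repaired.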