Privacy & PII rules

On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.

Never store CVV/CVC or other SAD after authorization in databases, caches, files, or telemetry. Schema/models must not define fields for CVV/CVC; reject writes containing cvv/cvc keys. (PCI DSS 4.0 Req. 3.2.1)

Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)

Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.

Protect /exports/ with role checks, fresh MFA, and rate limits; add requester and approved_by to the audit event.

Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)

Add a 'Security & Privacy' section in ADRs addressing threat model impacts, secrets handling, data retention, and PII processing; link to relevant runbooks and DPA if applicable.

Tag records by data_class (PII, telemetry, auth) and enforce retention (e.g., PII ≤ 365 days unless legal hold). Provide scheduled deletion jobs and audit log entries.

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

All bulk exports of PII require approval, step-up MFA, rate limits, and watermarking of files with requestor and timestamp; record export_id in the audit log.

Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.

Data subject export endpoints must whitelist fields and redact internal notes, tokens, and third-party IDs. Generate machine-readable output and log the lawful basis for the export.

When reading from PHI tables, project only authorized fields and avoid SELECT *. Implement whitelists per role and document them. Reject requests lacking a Purpose-Of-Use justification.

PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))

Enable config.force_ssl = true; add filter_parameters to redact PII and secrets; use secure_same_site for cookies.

Only set analytics/marketing cookies if consent.purposes.analytics === true and consent.version matches current policy; re-check on version bump. (GDPR Art. 7, ePrivacy)

Before emitting logs, detect and redact PII and secret patterns (emails, tokens, keys). Replace values with consistent hashes or tokens; never log full credentials.

Never write raw personal data to logs. Apply irreversible masking/redaction (e.g., CPF → ..-; emails → f**@domain.com). Include the LGPD purpose in the log context and prefer structured logging.

Collect only strictly necessary fields for the declared purpose; mark optional PII as nullable and omit from payloads when empty. Fail requests that include undeclared extra PII keys.

Consent must be stored per user and per purpose with lawful_basis, version, granted_at, source, and optional revoked_at. Do not overwrite or store a single boolean flag. (GDPR Art. 7, purpose limitation)

Do not send direct identifiers (email, CPF) to analytics. Use an HMAC-based pseudonymous ID derived from user ID and a rotating key; never reversible without server secret.

Wrap PII scrubbing and session invalidation in a single DB transaction; publish a gdpr.erased event with subject ID and timestamp after commit.

Implement a scheduled worker to delete or anonymize records past expires_at, with metrics on deletions and failures. Dry-run mode allowed only in non-prod.

Run a scheduled job that deletes telemetry after 30 days and anonymizes PII after the retention window; log deletions with data_class and count.