
Compliance — privacy, redaction, retention

How the platform's privacy package classifies data, applies redaction rules, and enforces retention.

Compliance

@fabricorg/platform/privacy (packages/platform/privacy/index.ts) defines contracts for data classification, redaction, anonymization, and retention. The platform supplies the contracts; verticals declare the rules in their FabricModule.

Data classes

The platform recognizes a small set of cross-industry data classes:

type PlatformDataClass =
  | "asset_event"
  | "read_model"
  | "raw_payload"
  | "evidence_packet"
  | "action_evidence"
  | "access_event";

Each class can carry its own retention rule and redaction policy.

Redaction rules

interface RedactionRule {
  fieldPath: string;            // e.g. "payload.borrower.ssn"
  method: "nullify" | "mask" | "hash" | "tokenize" | "generalize" | "drop";
  reason: string;
  dataClass?: PlatformDataClass;
}

A vertical declares redaction rules in its module:

{
  redactionRules: [
    {
      fieldPath: "payload.borrower.ssn",
      method: "tokenize",
      reason: "Direct identifier",
      dataClass: "asset_event",
    },
  ],
}

The rules are applied by the platform's anonymization pipeline when an event or read model is rendered for a context that requires redaction (analytics export, cross-tenant query, retention-driven anonymization).

Methods:

Method       Behavior
nullify      Replace with null.
mask         Replace with a partially-obscured form (e.g. ***-**-1234).
hash         One-way hash. Comparable but not reversible.
tokenize     Replace with a stable surrogate ID. Reversible only via the token vault.
generalize   Replace with a less-precise form (birthDate → birthYear).
drop         Remove the field entirely.

Data classification rules

interface DataClassificationRule {
  fieldPath: string;
  classification: string;            // vertical-defined: "PII", "PHI", "financial", etc.
  containsDirectIdentifier?: boolean;
  containsSensitiveData?: boolean;
}

Classification is metadata on a field path. It does not by itself trigger redaction — it informs which redaction rule applies and which retention rule governs the row.

Retention rules

interface RetentionRule {
  dataClass: PlatformDataClass;
  retainForDays: number;
  afterRetention: "delete" | "anonymize" | "archive";
  legalHoldExempt?: boolean;
}

Each dataClass has a retention policy. After retainForDays, the platform's retention worker takes the configured action.

legalHoldExempt: true means the rule is suspended for any record under legal hold (a vertical concept layered on top — typically a tag on the row that defers retention until the hold is released).

Anonymization metadata

When a row is anonymized, the platform stamps it with AnonymizationMetadata:

interface AnonymizationMetadata {
  redactionState: "anonymized";
  policyVersion: string;
  jobId: string;
  redactedAt: string;
  reason: string;
  dataClass: PlatformDataClass;
  redactedFields: AnonymizationFieldMetadata[];
  preservedSemantics: string[];     // e.g. "row_existed_at_time_T", "actor_was_agent"
}

This makes it auditable that a row was redacted, when, by which policy version, and what semantic facts were preserved. The metadata itself is not redacted.
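As an added example covering both the retention rules and the anonymization stamp (this is not the platform's retention worker), the following TypeScript decides the retention action for each stored row and, where the action is anonymize, nulls the configured fields and writes AnonymizationMetadata onto the row. RetentionRule and AnonymizationMetadata come from the page; the StoredRow shape, the fields of AnonymizationFieldMetadata (which the page names but does not show), the legal-hold tag, the policy version, the field list and the sample rows are constructed for this example.

```typescript
// Added example, not the platform's retention worker. StoredRow,
// AnonymizationFieldMetadata's fields and all sample data are constructed.
type PlatformDataClass =
  | "asset_event" | "read_model" | "raw_payload"
  | "evidence_packet" | "action_evidence" | "access_event";

interface RetentionRule {
  dataClass: PlatformDataClass;
  retainForDays: number;
  afterRetention: "delete" | "anonymize" | "archive";
  legalHoldExempt?: boolean;
}

interface AnonymizationFieldMetadata { fieldPath: string; method: string } // shape assumed

interface AnonymizationMetadata {
  redactionState: "anonymized";
  policyVersion: string;
  jobId: string;
  redactedAt: string;
  reason: string;
  dataClass: PlatformDataClass;
  redactedFields: AnonymizationFieldMetadata[];
  preservedSemantics: string[];
}

// Constructed row shape: legalHold is the vertical's hold tag on the row.
interface StoredRow {
  id: string;
  dataClass: PlatformDataClass;
  createdAt: string;              // ISO timestamp
  actorType?: "agent" | "human";
  legalHold?: boolean;
  payload: Record<string, unknown>;
  anonymization?: AnonymizationMetadata;
}

type RetentionAction = RetentionRule["afterRetention"] | "none";

function decideRetentionAction(row: StoredRow, rules: RetentionRule[], now: Date): RetentionAction {
  const rule = rules.find((r) => r.dataClass === row.dataClass);
  if (!rule) return "none";                                  // no policy for this class
  const ageDays = Math.floor((now.getTime() - Date.parse(row.createdAt)) / 86_400_000);
  if (ageDays < rule.retainForDays) return "none";           // still inside the retention window
  if (row.legalHold && rule.legalHoldExempt) return "none";  // rule suspended while the hold is active
  if (rule.afterRetention === "anonymize" && row.anonymization) return "none"; // already done
  return rule.afterRetention;
}

const POLICY_VERSION = "2025.01";            // constructed
const ANONYMIZE_FIELDS = ["ssn", "email"];   // top-level payload fields this example nulls

function anonymizeRow(row: StoredRow, rule: RetentionRule, jobId: string, now: Date): StoredRow {
  const payload = { ...row.payload };
  const redactedFields: AnonymizationFieldMetadata[] = [];
  for (const fieldPath of ANONYMIZE_FIELDS) {
    if (!(fieldPath in payload)) continue;
    payload[fieldPath] = null;
    redactedFields.push({ fieldPath, method: "nullify" });
  }
  const preservedSemantics = ["row_existed_at_time_T"];  // the row and its timestamp survive
  if (row.actorType === "agent") preservedSemantics.push("actor_was_agent");
  const anonymization: AnonymizationMetadata = {
    redactionState: "anonymized", policyVersion: POLICY_VERSION, jobId,
    redactedAt: now.toISOString(),
    reason: `retention: ${rule.dataClass} retained ${rule.retainForDays} days`,
    dataClass: row.dataClass, redactedFields, preservedSemantics,
  };
  return { ...row, payload, anonymization }; // metadata itself is never redacted
}

function runRetentionSweep(rows: StoredRow[], rules: RetentionRule[], now: Date, jobId: string) {
  const out = { deleted: [] as string[], archived: [] as string[], anonymized: [] as StoredRow[], untouched: [] as string[] };
  for (const row of rows) {
    const action = decideRetentionAction(row, rules, now);
    if (action === "delete") out.deleted.push(row.id);
    else if (action === "archive") out.archived.push(row.id);
    else if (action === "anonymize") {
      const rule = rules.find((r) => r.dataClass === row.dataClass) as RetentionRule;
      out.anonymized.push(anonymizeRow(row, rule, jobId, now));
    } else out.untouched.push(row.id);
  }
  return out;
}

// Constructed rules and rows; the sweep runs at a fixed "now".
const SAMPLE_RULES: RetentionRule[] = [
  { dataClass: "asset_event", retainForDays: 365, afterRetention: "anonymize", legalHoldExempt: true },
  { dataClass: "raw_payload", retainForDays: 30, afterRetention: "delete" },
  { dataClass: "access_event", retainForDays: 90, afterRetention: "archive" },
];
const SAMPLE_ROWS: StoredRow[] = [
  { id: "r1", dataClass: "asset_event", createdAt: "2023-06-01T00:00:00Z", actorType: "agent", payload: { ssn: "123-45-6789", email: "b@example.com", amount: 250000 } },
  { id: "r2", dataClass: "asset_event", createdAt: "2023-06-01T00:00:00Z", legalHold: true, payload: { ssn: "987-65-4321", amount: 90000 } },
  { id: "r3", dataClass: "raw_payload", createdAt: "2024-12-20T00:00:00Z", payload: { body: "..." } },
  { id: "r4", dataClass: "raw_payload", createdAt: "2024-11-01T00:00:00Z", payload: { body: "..." } },
  { id: "r5", dataClass: "access_event", createdAt: "2024-08-01T00:00:00Z", payload: { actor: "u1" } },
  { id: "r6", dataClass: "read_model", createdAt: "2020-01-01T00:00:00Z", payload: {} },
];
const SWEEP_NOW = new Date("2025-01-01T00:00:00Z");

function sweepSample() {
  return runRetentionSweep(SAMPLE_ROWS, SAMPLE_RULES, SWEEP_NOW, "job-0001");
}
```

Running the sweep over the constructed rows deletes r4, archives r5, anonymizes r1 and leaves the rest alone: r2 is under legal hold and its rule is legalHoldExempt, r3 is still inside its 30-day window, and r6 has no retention rule for its data class. Running the sweep again over the anonymized r1 returns "none", so a re-run of the worker does not stamp a second job onto the same row.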

Cross-tenant analytics

The AnalyticsDataContract shape governs what a downstream analytics consumer is allowed to see:

interface AnalyticsDataContractSource {
  name: string;
  privacyClass:
    | "raw"
    | "operational_pii"
    | "tenant_scoped_tokenized"
    | "anonymized"
    | "aggregated"
    | "differentially_minimized";
  containsDirectIdentifiers?: boolean;
  containsGloballyStablePersonTokens?: boolean;
  anonymizationPolicyVersion?: string;
  minimumGroupSize?: number;
}

A contract is draft, accepted, or deprecated. Cross-tenant joins require an explicitly accepted contract referencing the right privacy class. This makes it hard to accidentally ship a query that combines two tenants' raw PII.
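As an added example (not the platform's own contract enforcement), the following TypeScript gates a cross-tenant query on an accepted contract and on the privacy class of each source it reads. AnalyticsDataContractSource and the three contract states come from the page; the contract wrapper, the query shape, the set of privacy classes treated as safe to join across tenants, the minimum group size and the sample contracts are assumptions of this example.

```typescript
// Added example, not the platform's own gate. AnalyticsDataContract, the query
// shape, JOIN_SAFE_CLASSES, MIN_GROUP_SIZE and the sample contracts are assumed.
type PrivacyClass =
  | "raw" | "operational_pii" | "tenant_scoped_tokenized"
  | "anonymized" | "aggregated" | "differentially_minimized";

interface AnalyticsDataContractSource {
  name: string;
  privacyClass: PrivacyClass;
  containsDirectIdentifiers?: boolean;
  containsGloballyStablePersonTokens?: boolean;
  anonymizationPolicyVersion?: string;
  minimumGroupSize?: number;
}

// Assumed wrapper: the page gives the source shape and the three states only.
interface AnalyticsDataContract {
  id: string;
  status: "draft" | "accepted" | "deprecated";
  sources: AnalyticsDataContractSource[];
}

interface CrossTenantQuery { contractId: string; sources: string[] } // assumed

// Assumption: only classes that no longer identify a person may be joined
// across tenants. tenant_scoped_tokenized is excluded because its tokens are
// meaningful only inside one tenant, and raw / operational_pii obviously so.
const JOIN_SAFE_CLASSES: ReadonlySet<PrivacyClass> = new Set<PrivacyClass>([
  "anonymized", "aggregated", "differentially_minimized",
]);
const MIN_GROUP_SIZE = 10; // assumed floor for aggregated / minimized sources

function checkCrossTenantQuery(query: CrossTenantQuery, contracts: AnalyticsDataContract[]) {
  const violations: string[] = [];
  const contract = contracts.find((c) => c.id === query.contractId);
  if (!contract) return { allowed: false, violations: [`contract ${query.contractId} not found`] };
  if (contract.status !== "accepted") {
    violations.push(`contract ${contract.id} is ${contract.status}, not accepted`);
  }
  for (const name of query.sources) {
    const src = contract.sources.find((s) => s.name === name);
    if (!src) { violations.push(`source ${name} is not covered by contract ${contract.id}`); continue; }
    if (!JOIN_SAFE_CLASSES.has(src.privacyClass)) {
      violations.push(`source ${name}: privacy class ${src.privacyClass} may not cross tenants`);
    }
    if (src.containsDirectIdentifiers) {
      violations.push(`source ${name}: contains direct identifiers`);
    }
    if (src.containsGloballyStablePersonTokens) {
      // A token that is stable across tenants links the same person between them
      // even when no direct identifier is present.
      violations.push(`source ${name}: globally stable person tokens allow cross-tenant linkage`);
    }
    if (src.privacyClass === "anonymized" && !src.anonymizationPolicyVersion) {
      violations.push(`source ${name}: anonymized source without a policy version is not auditable`);
    }
    const grouped = src.privacyClass === "aggregated" || src.privacyClass === "differentially_minimized";
    if (grouped && (src.minimumGroupSize ?? 0) < MIN_GROUP_SIZE) {
      violations.push(`source ${name}: minimumGroupSize below ${MIN_GROUP_SIZE}`);
    }
  }
  return { allowed: violations.length === 0, violations };
}

// Constructed sample contracts.
const SAMPLE_CONTRACTS: AnalyticsDataContract[] = [
  { id: "c-anon", status: "accepted", sources: [
    { name: "loan_outcomes", privacyClass: "anonymized", anonymizationPolicyVersion: "2025.01" },
    { name: "volume_by_region", privacyClass: "aggregated", minimumGroupSize: 25 },
  ] },
  { id: "c-draft", status: "draft", sources: [
    { name: "loan_outcomes", privacyClass: "anonymized", anonymizationPolicyVersion: "2025.01" },
  ] },
  { id: "c-raw", status: "accepted", sources: [
    { name: "borrower_events", privacyClass: "raw", containsDirectIdentifiers: true },
    { name: "small_cells", privacyClass: "aggregated", minimumGroupSize: 3 },
    { name: "person_tokens", privacyClass: "tenant_scoped_tokenized", containsGloballyStablePersonTokens: true },
    { name: "stale_anon", privacyClass: "anonymized" },
  ] },
];

function checkSample(contractId: string, sources: string[]) {
  return checkCrossTenantQuery({ contractId, sources }, SAMPLE_CONTRACTS);
}
```

The gate returns every violation rather than stopping at the first, so the author of a rejected query sees the complete list of what the contract would need to change. Note that an accepted contract is necessary but not sufficient: c-raw is accepted, yet every one of its sources fails a privacy-class check, which is exactly the "raw PII from two tenants" case the contract mechanism exists to prevent.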

What this gives you

  • Redaction is declarative and bound to versioned rules.
  • Retention is automatic per data class.
  • Anonymization is auditable — what, when, why, by which version.
  • Cross-tenant access is gated by contracts.
