§ VI · Domain DAT · Controls: 13 · Edition: v.1.2

DAT · Domain 6 of 9

Data Protection & Privacy

Classification, isolation, and lifecycle of data across prompts, memory, and retrieval.

DAT is the most extensive domain. It governs how data is classified, how prompts and memory respect classification boundaries, how retrieval systems enforce access controls, and how data is retained, redacted, and disposed of. Privacy obligations (GDPR, HIPAA, regional analogues) are operationalized here.

Table DAT.1 · Controls in DAT · v.1.2 · 13 controls · 5-level maturity
DAT-01

Data classification scheme

A data classification scheme is applied to all data accessible to the agent. The agent's authorization is constrained by classification.

All data the agent may encounter is classified according to a documented scheme — typically public, internal, confidential, restricted — and the agent's authorization is constrained by classification. The agent cannot access data at a classification level above its authorization, and classification boundaries are enforced at the retrieval and prompt layers.

L3 · Operated

Classification scheme is documented and applied to all data sources accessible to the agent; agent authorization levels are mapped to classification tiers; enforcement is tested as part of pre-deployment evaluation.

DAT-02

Cross-tenant data isolation

Cross-tenant data isolation is verified through automated tests on a documented cadence. Failures are treated as incidents.

For multi-tenant deployments, tenants' data is isolated and verified through automated tests on a documented cadence. A tenant cannot retrieve from or be influenced by another tenant's content. Isolation failures are treated as incidents under MON-07 and trigger immediate investigation. This is the data-layer complement to IAM-08's credential isolation.

L3 · Operated

Automated isolation tests run on a documented cadence (daily probes recommended); test results are retained; no isolation failure has occurred in the review period or all failures have been resolved and root-caused.

DAT-03

PII handling at runtime

PII handling is enforced at runtime per policy: detection, classification, redaction, or blocking as defined for each agent and context.

Personally identifiable information is detected in inputs and outputs through documented techniques and handled per the organization's data classification policy — detection, classification, redaction, or blocking depending on the agent's authorization and the context. PII that should not be retained is redacted from logs, memory, and any downstream artifact.

L3 · Operated

PII detection is active on all input and output paths; handling rules are documented per context; detection accuracy is measured; PII is verified absent from logs and artifacts where retention is not justified.

DAT-04

Retention policies

Retention policies apply to conversation logs, agent memory, derived artifacts, and traces. Data is not retained longer than the documented period absent legal hold.

Data retention periods are documented per data class — conversation logs, agent memory, derived artifacts, traces — and enforced by deterministic process. Data is not retained beyond the documented period absent a legal hold. The retention policy covers all agent-related data stores, including those managed by third-party providers.

L3 · Operated

Retention periods are documented per data class; enforcement is automated; retention compliance is audited at a documented cadence; data disposal at end of retention is logged.

DAT-05

Right-to-deletion procedures

Right-to-deletion procedures apply to agent memory, vector embeddings, and any derived data, with evidence of execution on request.

Subject deletion requests (right to erasure) can be fulfilled across all agent-related data stores — including agent memory, vector embeddings, conversation logs, and derived data — within statutory windows. Evidence of execution is retained. The procedure covers not just structured databases but also the increasingly complex data stores used by modern agent architectures.

L3 · Operated

Deletion procedures are documented and cover all agent data stores; at least one deletion request has been processed end-to-end or the procedure has been tested; evidence of execution is retained.

DAT-06

Training and RAG data provenance

Sources of training, fine-tuning, and RAG data are documented. Opt-out and consent requirements are honored.

The provenance of data used for training, fine-tuning, and retrieval-augmented generation is documented — where the data came from, under what terms, and what consent or opt-out obligations apply. Opt-out and consent requirements are honored at the data-ingestion layer, not as an afterthought. This control is increasingly critical as regulatory scrutiny of training-data provenance intensifies.

L3 · Operated

Data sources are documented with provenance records; opt-out and consent mechanisms are operational; compliance is verified at a documented cadence; data sources lacking provenance are identified and remediated.

DAT-07

Data residency requirements

Data residency requirements are honored, including geographic constraints on inference, storage, and logging.

Cross-border data transfers are governed by documented mechanisms appropriate to applicable law. Data residency requirements — geographic constraints on where inference occurs, where data is stored, and where logs are retained — are honored and enforceable. For agents using cloud-based model providers, the data residency of the provider's inference infrastructure is documented.

L3 · Operated

Data residency requirements are documented per agent and data class; residency is enforced by infrastructure configuration; compliance is verified by audit or automated monitoring.

DAT-08

Encryption at rest and in transit

Encryption is applied at rest and in transit to all agent-related data, including prompts, completions, traces, and memory.

All agent-related data — prompts, completions, traces, memory stores, configuration — is encrypted at rest and in transit using current cryptographic standards. This includes data held by third-party providers. Encryption is verified, not assumed, and key management follows documented procedures.

L3 · Operated

Encryption is applied to all agent-related data stores and transit paths; encryption is verified by audit or automated scan; key management procedures are documented and followed.

DAT-09

Consent for AI processing

Consent for AI processing is captured from end users and customers where required by law or contract.

Where law or contract requires consent for AI processing, consent is captured from end users and customers before the agent processes their data. Consent records are tracked per data subject and respected at the prompt and retrieval layers — an agent cannot process data for a subject who has not consented or who has withdrawn consent.

L3 · Operated

Consent capture mechanisms are operational; consent records are tracked per data subject; consent withdrawal is honored in real time at the prompt and retrieval layers; compliance is audited.

DAT-10

Memory architecture documentation

For agents with persistent or session memory, the memory architecture is documented: storage type, scope, write paths, read paths, eviction or decay policy, and access controls.

For agents with persistent or session memory, the memory architecture is fully documented as part of the Behavior Charter (GOV-02). Documentation covers storage type, scope (per-user, per-session, per-tenant, or global), write paths, read paths, eviction or decay policy, and access controls. This documentation is the foundation for assessing memory-related risks across INP, DAT, and MON domains.

L3 · Operated

Memory architecture documentation exists for all agents with persistent or session memory; documentation is current within the Behavior Charter review cadence; access controls are verified by testing.

DAT-11

Memory and retrieval isolation

Memory stores, vector indexes, and retrieval surfaces are scoped such that one user, session, or tenant cannot read or influence another's stored content unless explicitly authorized. Isolation is verified by automated tests.

Memory stores, vector indexes, and retrieval surfaces are scoped such that one user, session, or tenant cannot read or influence another's stored content unless explicitly authorized. Isolation is verified by automated tests on a documented cadence. Isolation failures are treated as incidents under MON-07. This is the memory-layer complement to DAT-02's cross-tenant data isolation.

L3 · Operated

Isolation is enforced and verified by automated tests on a documented cadence; test results are retained; no isolation failure has occurred in the review period or all failures have been resolved.
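An added example, not part of the framework text: a retrieval surface that applies the tenant scope of DAT-02 and DAT-11 together with the classification ceiling of DAT-01, plus the kind of canary probe an automated isolation test can run on a cadence. ScopedStore, AgentContext, and isolation_probe are hypothetical names, and a substring match stands in for vector similarity search.

```python
from dataclasses import dataclass

# Tiers in ascending sensitivity, following the typical scheme named in DAT-01.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Record:
    record_id: str
    tenant: str
    classification: str
    text: str

@dataclass(frozen=True)
class AgentContext:
    tenant: str              # taken from the authenticated session
    max_classification: str  # highest tier this agent is authorized for

class ScopedStore:
    """Hypothetical in-memory retrieval surface; scope is enforced in the store."""
    def __init__(self):
        self._records = []

    def write(self, ctx, record_id, classification, text):
        if classification not in TIERS:
            raise ValueError(f"unknown classification: {classification}")
        # The tenant comes from the context, never from caller-supplied payload.
        self._records.append(Record(record_id, ctx.tenant, classification, text))

    def retrieve(self, ctx, query):
        ceiling = TIERS[ctx.max_classification]
        # Both filters run before any content can reach the prompt layer.
        return [r for r in self._records
                if r.tenant == ctx.tenant
                and TIERS[r.classification] <= ceiling
                and query.lower() in r.text.lower()]

def isolation_probe(store, tenant_a, tenant_b):
    """Plant a canary as tenant A, try to read it as tenant B; return failures."""
    canary = "canary-7f3a-constructed"  # constructed marker value
    store.write(tenant_a, "probe-1", "public", f"isolation probe {canary}")
    failures = []
    if not store.retrieve(tenant_a, canary):
        failures.append("owner cannot read own canary (probe invalid)")
    leaked = store.retrieve(tenant_b, canary)
    if leaked:
        failures.append(f"cross-tenant read: {[r.record_id for r in leaked]}")
    return failures
```

The canary is written as public so that a pass reflects the tenant filter alone, not the classification ceiling; a non-empty result from the probe is what the control treats as an incident under MON-07.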

DAT-12

Embedding and vector store integrity

Embedding and vector storage systems support tamper detection or recomputation. Write access is logged and authenticated. Re-indexing procedures are documented and tested.

Embedding and vector storage systems support tamper detection or recomputation to ensure that the content an agent retrieves has not been maliciously modified. Write access is logged and authenticated under IAM-04. Re-indexing procedures are documented and tested, ensuring that the organization can recover from a compromised vector store.

L3 · Operated

Tamper detection or recomputation capability is documented; write access is logged; re-indexing procedures have been tested within the documented cadence; unauthorized write attempts are detected and logged.
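One way to provide the tamper detection DAT-12 asks for, as an added example that is not part of the framework: each record is sealed at ingestion with an HMAC over its id, source text, and embedding, and the tag is checked before retrieved content is used. The function names, row layout, and sample rows are constructed, and the key is assumed to be held by the ingestion service, not stored with the index.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: kept outside the vector store

def seal(key, record_id, text, vector):
    """MAC binding id, text, and embedding so none can be swapped alone."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    fields = (record_id.encode(), text.encode(),
              struct.pack(f"<{len(vector)}d", *vector))
    for field in fields:
        # Length prefix removes ambiguity about where one field ends.
        mac.update(len(field).to_bytes(8, "big"))
        mac.update(field)
    return mac.hexdigest()

def verify_retrieved(key, rows):
    """Return (trusted_rows, quarantined_ids); quarantined ids feed re-indexing."""
    trusted, quarantined = [], []
    for row in rows:
        expected = seal(key, row["id"], row["text"], row["vector"])
        if hmac.compare_digest(expected, row.get("tag") or ""):
            trusted.append(row)
        else:
            quarantined.append(row["id"])
    return trusted, quarantined

def build_demo_index():
    """Constructed sample: three sealed rows, two modified after sealing."""
    docs = [
        ("doc-1", "Refund window is 30 days.", [0.12, -0.40, 0.88]),
        ("doc-2", "Escalate billing disputes to tier 2.", [0.05, 0.61, -0.27]),
        ("doc-3", "Support hours are 09:00-17:00 UTC.", [-0.33, 0.19, 0.54]),
    ]
    rows = [{"id": i, "text": t, "vector": v, "tag": seal(KEY, i, t, v)}
            for i, t, v in docs]
    rows[1]["text"] = "Escalate billing disputes to tier 1."  # text changed
    rows[2]["vector"] = [0.90, 0.90, 0.90]                    # embedding changed
    return rows

if __name__ == "__main__":
    ok, bad = verify_retrieved(KEY, build_demo_index())
    print([r["id"] for r in ok], bad)
```

Rows that fail verification are withheld from the agent and their ids logged, which gives the re-indexing procedure a concrete work list.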

DAT-13

Retrieved memory traceability

Where retrieved memory influences agent output or action, the source record is logged and traceable, supporting explanation, contestability, and post-incident analysis.

When retrieved memory influences an agent's output or action, the source record is logged and traceable under MON-01. This traceability supports explanation (OUT-13), contestability (OUT-14), and post-incident analysis. Without it, an assessor cannot determine whether a given agent output was influenced by retrieved content, or which content influenced it.

L3 · Operated

Source records are logged for all retrieval-influenced outputs; traceability has been verified through sampling; the trace chain from output to source record is reconstructable for audit.

Cross-references