Latticra

Home / Data classification and protection

Inventory, PII Review, Redaction, DLP Planning, and Non-Claims

Data classification and protection

Latticra records data inventory, classification, sensitive-data flow mapping, PII review, minimization, retention, disposal, encryption and access-control planning, backup data protection, log/report redaction, DLP planning, and exception requirements before hosted services, telemetry export, data storage services, analytics, customer-data handling, or production data-protection claims can promote. It does not collect sensitive data, collect PII, export telemetry, store customer data, run analytics, enforce retention, purge data, provide breach notification, or grant data authority.

Current Rule

Data records are not data authority.

The baseline names the evidence a future data-handling lane would need: data inventory, data owner, classification, information type categorization, sensitive-data flows, PII presence and confidentiality review, minimization, purpose, access controls, encryption decisions, retention, disposal, backup protection, redaction, secret/PII scanning, DLP planning, incident handoff, and expiring exceptions.

01

Inventory and classification

Data items, owners, information types, classifications, and sensitive-data flows must be recorded before data claims expand.

02

Minimization and PII review

PII presence, confidentiality impact, collection purpose, and minimization review are required before handling language promotes.

03

Retention and protection

Access controls, encryption decisions, retention periods, disposal processes, and backup data protection must be explicit.

04

Redaction, DLP, and exceptions

Log/report redaction, secret and PII scanning, DLP planning, incident handoff, exception owner, and exception expiration are required.

Current Snapshot

The baseline blocks customer-data claims until evidence exists.

These fields describe required records and closed behavior. They are not proof of sensitive-data collection, PII processing, telemetry export, storage services, analytics, encryption-at-rest operation, DLP, purge execution, retention enforcement, or privacy compliance.

data_classification_protection_baseline 1
data_inventory_required 1
data_classification_required 1
sensitive_data_flow_map_required 1
secret_pii_log_redaction_required 1
sensitive_data_collection_added 0
telemetry_export_added 0
customer_data_handling_claim_allowed 0

Promotion Gate

No customer-data wording can promote without data-handling evidence.

Data language affects hosted-service, telemetry, analytics, logging, backup, crypto, identity, incident, and compliance expectations. The current record keeps that language precise: source-tracked planning is present, while data collection and production data authority remain closed.

Present now

Baseline record, status record, guard script, high-assurance allocation, logging and redaction context, backup data-protection context, cryptographic sensitive-data review context, identity credential/secret context, network data-flow context, secure configuration secret-review context, and metadata-only data posture.

Required before promotion

Data inventory, data owner, data classification, information type categorization, sensitive-data flow map, PII presence review, PII confidentiality impact, minimization review, collection purpose, access controls, encryption-at-rest decision, encryption-in-transit decision, retention period, disposal process, backup data protection, log/report redaction, secret marker and PII scan, DLP plan, incident response handoff, exception owner, exception expiration, and operator-visible non-claims.

Denied now

Sensitive-data collection, PII collection, telemetry export, customer-data handling claims, data-storage service claims, analytics claims, encryption-at-rest claims, DLP claims, privacy compliance claims, breach-notification claims, retention enforcement, purge execution, and production data-protection claims.

Latticra Boundary

Data-related records remain no-effect metadata.

Latticra can record data-handling requirements and guard report boundaries. It does not collect sensitive data, collect PII, export telemetry, provide a data storage service, run DLP, purge data, enforce retention, or grant data authority.

Metadata

Data inventory

Inventory, classification, flow mapping, minimization, retention, and disposal records are planning evidence only.

Guarded

Report redaction

Report and log redaction boundaries are checked before data-handling language can expand.

Guarded

Secret material

Secret material checks support the data baseline without creating a data-processing or credential-storage service.

Closed

Data runtime

No sensitive-data collection, PII collection, telemetry export, storage service, analytics, DLP runtime, purge runtime, or data authority is added.

Local Commands

Validate data requirements without handling customer data.

These checks validate records and local guardrails. They do not collect PII, export telemetry, store data, run analytics, enforce retention, purge data, operate DLP, or send breach notifications.

Data baseline

sh scripts/test-data-classification-protection-baseline.sh

Redaction and secret guards

sh scripts/test-secret-material-guard.sh
sh scripts/test-report-redaction-boundary.sh

Security context

sh scripts/test-high-assurance-security-baseline.sh
sh scripts/test-security-logging-monitoring-baseline.sh

Source Records

Use exact records before repeating data wording.

Data classification and protection baselineData inventory, classification, sensitive-data flows, PII review, minimization, retention, disposal, redaction, DLP planning, and no customer-data claims. Data baseline statusStatus fields and expected guard output for the data classification and protection baseline. High-assurance baselineSource-tracked security posture and data classification/protection control allocation. Security logging baselineLog/report redaction, retention, disposal, telemetry blockers, and no monitoring-service claims. Backup and recovery baselineBackup data protection, recovery planning, restore testing, rollback planning, and recovery non-claims. Cryptographic assurance baselineSensitive-data handling, side-channel review, key lifecycle, randomness, and no production crypto claims. Identity and access baselineCredential/secret storage review, privileged access, MFA planning, and no hosted identity claims. Network exposure baselineNetwork data-flow mapping, remote access, RMM, DNS/TLS lifecycle, and no network-service claims. Secure configuration baselineConfiguration secret review, secure baseline records, drift planning, exceptions, and no hardening claims. C/C++ security profileUser-facing report redaction and sensitive-internals handling expectations. Security overviewSafe testing, effect gates, runtime boundary, and security non-claims. Security logging and monitoringRedaction, retention, telemetry blockers, event-source inventory, and no detection-service claims. Backup and recovery resilienceBackup protection, restore testing, recovery prioritization, rollback planning, and recovery non-claims. Cryptographic assuranceKey lifecycle, sensitive-data handling, randomness, and no production crypto authority. Identity and access managementCredential handling, privileged access, MFA planning, and hosted-access non-claims. Network exposure and remote accessData-flow mapping, internet exposure, remote access, RMM, DNS/TLS lifecycle, and no network-service claims. Secure configuration and change managementSecret review, change control, drift planning, exception records, and hardening non-claims. Evidence modelPromotion levels, public claim boundaries, and exact source records. Status indexDetailed status records and current public status navigation.