docs/security/data-classification.md

# Sensitive Data Classification

Data in the as4-411 directory is classified into tiers. Storage, access control, and encryption must follow these tiers. See [ADR-004](../adr/004-sensitive-data-classification.md).

## Tiers

| Tier | Name            | Examples                                      | Storage / access |
|------|-----------------|-----------------------------------------------|------------------|
| **0** | Public          | BIC, LEI, public BIN range metadata           | No encryption required; may be shared across tenants where applicable |
| **1** | Internal        | PartyId, endpoint URL, participant name       | Access-controlled; tenant-scoped; encrypt in transit |
| **2** | Confidential    | MID, TID, contract routing, DTC participant/account IDs | Field-level encryption at rest; strict RBAC/ABAC; per-tenant keys preferred |
| **3** | Regulated/secrets | Tokens, key refs, PII-like attributes       | Strongest controls; vault refs only; immutable audit; never log in plaintext |

## Mapping: tables and fields

- **identifiers:** `value` is Tier 0 when type is BIC/LEI/public; Tier 2 when type is mid, tid, dtc.participantId, dtc.accountId, or other contract-scoped IDs. `identifier_type` and `scope` are Tier 1.
- **endpoints:** `address` and `profile` are Tier 1 (internal). If they encode tenant-specific routes, treat as Tier 2 in policy.
- **credentials:** Only references (vault_ref, fingerprint)—Tier 3 for the ref; no private material in DB.
- **routing_artifacts:** Payload content may include Tier 2 (e.g. BIN table overrides with tenant/MID). Encrypt payload or use per-tenant encryption for Tier 2 content.
- **participants / tenants:** Names and IDs are Tier 1; tenant-private participant data is Tier 1 or Tier 2 depending on protocol (see protocol docs).
- **policies / audit_log:** Tier 1; audit_log must be immutable and optionally hash-chained.

## Enforcement

- **Field-level encryption:** Tier 2+ fields must be encrypted at rest (application-level or TDE with per-tenant keys where required). Tier 3: store only references; material in vault/KMS.
- **RBAC/ABAC:** Strict role- and attribute-based access; resolution and admin APIs enforce tenant scope and policy. See [tenant-model](../architecture/tenant-model.md) and [ADR-003](../adr/003-multi-tenancy-and-rls.md).
- **Audit:** All access to Tier 2+ and all mutations must be logged in audit_log; logs must not contain Tier 3 material in plaintext.
- **Allowed storage and access:** Document per table in operations runbooks; new fields must be assigned a tier before merge.

## Trust model for resolve consumers

Who may call resolve, what they can see, and how to prevent endpoint enumeration are described in [trust-model.md](trust-model.md).
Initial commit: AS4/411 directory and discovery service for Sankofa Marketplace Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-08 08:44:20 -08:00			`# Sensitive Data Classification`

			`Data in the as4-411 directory is classified into tiers. Storage, access control, and encryption must follow these tiers. See [ADR-004](../adr/004-sensitive-data-classification.md).`

			`## Tiers`

			`\| Tier \| Name \| Examples \| Storage / access \|`
			`\|------\|-----------------\|-----------------------------------------------\|------------------\|`
			`\| 0 \| Public \| BIC, LEI, public BIN range metadata \| No encryption required; may be shared across tenants where applicable \|`
			`\| 1 \| Internal \| PartyId, endpoint URL, participant name \| Access-controlled; tenant-scoped; encrypt in transit \|`
			`\| 2 \| Confidential \| MID, TID, contract routing, DTC participant/account IDs \| Field-level encryption at rest; strict RBAC/ABAC; per-tenant keys preferred \|`
			`\| 3 \| Regulated/secrets \| Tokens, key refs, PII-like attributes \| Strongest controls; vault refs only; immutable audit; never log in plaintext \|`

			`## Mapping: tables and fields`

			- identifiers: `value` is Tier 0 when type is BIC/LEI/public; Tier 2 when type is mid, tid, dtc.participantId, dtc.accountId, or other contract-scoped IDs. `identifier_type` and `scope` are Tier 1.
			- endpoints: `address` and `profile` are Tier 1 (internal). If they encode tenant-specific routes, treat as Tier 2 in policy.
			`- credentials: Only references (vault_ref, fingerprint)—Tier 3 for the ref; no private material in DB.`
			`- routing_artifacts: Payload content may include Tier 2 (e.g. BIN table overrides with tenant/MID). Encrypt payload or use per-tenant encryption for Tier 2 content.`
			`- participants / tenants: Names and IDs are Tier 1; tenant-private participant data is Tier 1 or Tier 2 depending on protocol (see protocol docs).`
			`- policies / audit_log: Tier 1; audit_log must be immutable and optionally hash-chained.`

			`## Enforcement`

			`- Field-level encryption: Tier 2+ fields must be encrypted at rest (application-level or TDE with per-tenant keys where required). Tier 3: store only references; material in vault/KMS.`
			`- RBAC/ABAC: Strict role- and attribute-based access; resolution and admin APIs enforce tenant scope and policy. See [tenant-model](../architecture/tenant-model.md) and [ADR-003](../adr/003-multi-tenancy-and-rls.md).`
			`- Audit: All access to Tier 2+ and all mutations must be logged in audit_log; logs must not contain Tier 3 material in plaintext.`
			`- Allowed storage and access: Document per table in operations runbooks; new fields must be assigned a tier before merge.`

			`## Trust model for resolve consumers`

			`Who may call resolve, what they can see, and how to prevent endpoint enumeration are described in [trust-model.md](trust-model.md).`