# Sensitive Data Classification

Data in the as4-411 directory is classified into tiers. Storage, access control, and encryption must follow these tiers. See [ADR-004](../adr/004-sensitive-data-classification.md).

## Tiers

| Tier | Name | Examples | Storage / access |
|------|------|----------|------------------|
| **0** | Public | BIC, LEI, public BIN range metadata | No encryption required; may be shared across tenants where applicable |
| **1** | Internal | PartyId, endpoint URL, participant name | Access-controlled; tenant-scoped; encrypt in transit |
| **2** | Confidential | MID, TID, contract routing, DTC participant/account IDs | Field-level encryption at rest; strict RBAC/ABAC; per-tenant keys preferred |
| **3** | Regulated/secrets | Tokens, key refs, PII-like attributes | Strongest controls; vault refs only; immutable audit; never log in plaintext |

## Mapping: tables and fields

- **identifiers:** `value` is Tier 0 when `identifier_type` is BIC/LEI/public; Tier 2 when it is mid, tid, dtc.participantId, dtc.accountId, or any other contract-scoped ID. `identifier_type` and `scope` are Tier 1.
- **endpoints:** `address` and `profile` are Tier 1 (internal). If they encode tenant-specific routes, treat them as Tier 2 in policy.
- **credentials:** Only references (`vault_ref`, `fingerprint`) are stored; the reference is Tier 3, and no private material is ever written to the database.
- **routing_artifacts:** Payload content may include Tier 2 data (e.g. BIN table overrides carrying tenant/MID). Encrypt the payload, or use per-tenant encryption for Tier 2 content.
- **participants / tenants:** Names and IDs are Tier 1; tenant-private participant data is Tier 1 or Tier 2 depending on protocol (see the protocol docs).
- **policies / audit_log:** Tier 1; `audit_log` must be immutable and optionally hash-chained.

## Enforcement

- **Field-level encryption:** Tier 2+ fields must be encrypted at rest (application-level, or TDE with per-tenant keys where required). Note that TDE is transparent to any authenticated database session: it protects the storage media, not query access, so access to Tier 2 fields under TDE still depends entirely on the RBAC/ABAC controls below. Tier 3: store only references; the material itself lives in the vault/KMS.
- **RBAC/ABAC:** Strict role- and attribute-based access; the resolution and admin APIs enforce tenant scope and policy. See [tenant-model](../architecture/tenant-model.md) and [ADR-003](../adr/003-multi-tenancy-and-rls.md).
- **Audit:** All access to Tier 2+ data and all mutations must be logged in `audit_log`; log entries must not contain Tier 3 material in plaintext.
- **Allowed storage and access:** Document per table in the operations runbooks; new fields must be assigned a tier before merge.

## Trust model for resolve consumers

Who may call resolve, what they can see, and how endpoint enumeration is prevented are described in [trust-model.md](trust-model.md).
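## Example: tier lookup and hash-chained audit entries

The following is an added illustration of three enforcement points from the Enforcement section above; it is not the as4-411 project's own code. It resolves a `(table, field)` pair to a tier using the mapping table (refusing fields that have no tier, which is the pre-merge gate), replaces Tier 3 values with a fingerprint before they reach an audit entry, and hash-chains the entries so that an edited, removed or reordered entry is detected on verification. The function names, the `FIELD_TIERS` layout, the entry format, the `sha256:` fingerprint prefix and all sample values (`TESTDE99`, `MID-0001`, the `vault://` reference) are assumptions constructed for the example.

```python
"""Added example for the as4-411 classification doc (not project code).

Shows: tier lookup with a pre-merge gate, Tier 3 redaction in audit entries,
and a SHA-256 hash chain over audit entries. Names and formats are assumptions.
"""
import hashlib
import json

# Static tier assignments from the mapping table. identifiers.value is resolved
# dynamically in tier_of() because its tier depends on identifier_type.
FIELD_TIERS = {
    ("identifiers", "identifier_type"): 1,
    ("identifiers", "scope"): 1,
    ("endpoints", "address"): 1,
    ("endpoints", "profile"): 1,
    ("credentials", "vault_ref"): 3,
    ("credentials", "fingerprint"): 3,
    ("participants", "name"): 1,
    ("tenants", "name"): 1,
}
PUBLIC_ID_TYPES = {"bic", "lei", "public"}
GENESIS_HASH = "0" * 64  # prev-hash of the first entry


def tier_of(table, field_name, identifier_type=None):
    """Return the tier for a field; raise if none is assigned (pre-merge gate)."""
    if table == "identifiers" and field_name == "value":
        # BIC/LEI/public are Tier 0; mid, tid, dtc.* and any other
        # contract-scoped identifier type are Tier 2.
        return 0 if identifier_type in PUBLIC_ID_TYPES else 2
    try:
        return FIELD_TIERS[(table, field_name)]
    except KeyError:
        raise ValueError(
            f"{table}.{field_name} has no tier assigned; assign one before merge"
        ) from None


def fingerprint(value):
    """Non-reversible stand-in for a Tier 3 value in logs (assumed format)."""
    return "sha256:" + hashlib.sha256(str(value).encode("utf-8")).hexdigest()[:16]


def _canonical(obj):
    # Deterministic serialisation so every writer computes the same hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_audit_entry(chain, actor, action, table, fields, identifier_type=None):
    """Append one entry to the in-memory chain and return it.

    `fields` maps field name -> value touched by the action. Tier 3 values are
    replaced by a fingerprint; lower tiers are recorded as given, with their tier.
    """
    recorded = {}
    for name, value in fields.items():
        tier = tier_of(table, name, identifier_type)
        recorded[name] = {"tier": tier, "value": fingerprint(value) if tier >= 3 else value}
    body = {
        "seq": len(chain),
        "actor": actor,
        "action": action,
        "table": table,
        "fields": recorded,
        "prev": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return the index of the first bad entry, or None if the chain is intact.

    Edited entries fail the hash check; removed or reordered entries fail the
    seq/prev check.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev") != prev
                or hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash")):
            return i
        prev = entry["hash"]
    return None


def contains_plaintext(chain, secret):
    """True if `secret` appears anywhere in the serialised chain."""
    return secret in _canonical(chain).decode("utf-8")


def demo():
    """Build a three-entry chain from constructed events and return it."""
    chain = []
    append_audit_entry(chain, "svc-resolver", "read", "identifiers",
                       {"value": "TESTDE99", "identifier_type": "bic"}, identifier_type="bic")
    append_audit_entry(chain, "svc-resolver", "read", "identifiers",
                       {"value": "MID-0001", "scope": "tenant-a"}, identifier_type="mid")
    append_audit_entry(chain, "ops-admin", "update", "credentials",
                       {"vault_ref": "vault://kv/tenant-a/signing-key"})
    return chain


if __name__ == "__main__":
    c = demo()
    print(json.dumps(c, indent=2))
    print("intact:", verify_chain(c) is None)
```

The fingerprint is an unkeyed hash, which is adequate for a vault reference but not for a low-entropy Tier 3 value (a short token could be recovered by guessing); in that case use an HMAC with a key held outside the log store. The chain only makes tampering detectable, not impossible: the immutability requirement on `audit_log` still has to come from the storage layer (append-only table, write-once object store), with the head hash periodically anchored somewhere the log writer cannot modify.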