Compliance
The Data Catalog governance framework supports regulatory compliance through dedicated compliance policies, enforcement actions, and audit capabilities. Compliance policies ensure data handling practices meet requirements from regulations such as GDPR, HIPAA, SOC 2, and PCI DSS.
Compliance Policy Types
| Policy Type | Regulation | Focus Area |
|---|---|---|
| COMPLIANCE | General | Regulatory compliance rules |
| RETENTION | GDPR, HIPAA | Data lifecycle and deletion |
| MASKING | PCI DSS, GDPR | Data protection through masking |
| AUDIT | SOC 2, HIPAA | Access logging and monitoring |
| ENCRYPTION | PCI DSS | Data encryption requirements |
Retention Policies
Retention policies manage data lifecycle and ensure data is archived or deleted according to regulatory requirements.
| Rule Type | Description |
|---|---|
| MAX_AGE | Data must not exceed a maximum age |
| ARCHIVE_AFTER | Data must be archived after a specified period |
| DELETE_AFTER | Data must be deleted after a specified period |
Example Retention Policy
```json
{
  "name": "GDPR Data Retention",
  "policyType": "RETENTION",
  "scopeType": "CLASSIFICATION",
  "scopeEntities": ["PII"],
  "enforcementMode": "HARD_ENFORCE",
  "rules": [
    {
      "name": "Max PII Age",
      "ruleType": "MAX_AGE",
      "parameters": {
        "maxAgeMinutes": 525960,
        "description": "PII data must be deleted after 365 days"
      },
      "enabled": true,
      "order": 1
    },
    {
      "name": "Archive After 180 Days",
      "ruleType": "ARCHIVE_AFTER",
      "parameters": {
        "archiveAfterMinutes": 259200,
        "archiveDestination": "cold-storage"
      },
      "enabled": true,
      "order": 2
    }
  ],
  "enforcementActions": [
    {
      "actionType": "WORKFLOW",
      "parameters": {
        "workflowName": "data-deletion-review"
      },
      "order": 1
    }
  ]
}
```
Usage Restriction Policies
Usage restriction policies control how data can be exported, downloaded, or queried.
| Rule Type | Description |
|---|---|
| QUERY_LIMIT | Maximum number of rows a query can return |
| EXPORT_RESTRICTION | Allowed export formats for the data |
| DOWNLOAD_RESTRICTION | Controls on data download operations |
Example Usage Policy
```json
{
  "name": "PCI Export Restrictions",
  "policyType": "USAGE",
  "scopeType": "CLASSIFICATION",
  "scopeEntities": ["PCI"],
  "enforcementMode": "HARD_ENFORCE",
  "rules": [
    {
      "name": "Row Limit",
      "ruleType": "QUERY_LIMIT",
      "parameters": {
        "maxRows": 1000
      },
      "enabled": true,
      "order": 1
    },
    {
      "name": "Export Format Restriction",
      "ruleType": "EXPORT_RESTRICTION",
      "parameters": {
        "allowedFormats": ["csv"]
      },
      "enabled": true,
      "order": 2
    }
  ]
}
```
Policy Lifecycle for Compliance
Compliance policies follow an approval workflow to ensure proper review before activation.
| Status | Description |
|---|---|
| DRAFT | Policy is being authored |
| PENDING_APPROVAL | Submitted for approval by a governance admin |
| ACTIVE | Approved and actively enforced |
| SUSPENDED | Temporarily disabled for review |
| DEPRECATED | Being phased out in favor of a replacement |
| ARCHIVED | No longer in use, retained for historical record |
Approval Workflow
| Step | Action | Required Role |
|---|---|---|
| 1 | Create policy | DATA_STEWARD or GOVERNANCE_ADMIN |
| 2 | Submit for approval | DATA_STEWARD or GOVERNANCE_ADMIN |
| 3 | Approve or reject | GOVERNANCE_ADMIN |
| 4 | Activate | GOVERNANCE_ADMIN |
| 5 | Suspend (if needed) | GOVERNANCE_ADMIN |
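Before a retention policy is submitted for approval (step 2), its rules can be checked for internal consistency so reviewers are not asked to approve thresholds that contradict each other. The following is an added example, not part of the Data Catalog product or its API: `lint_retention_policy` and its checks are hypothetical, and only the field names and values are taken from the Example Retention Policy on this page.

```python
MINUTES_PER_DAY = 24 * 60
# Rule types from the retention rule table on this page.
RETENTION_RULE_TYPES = {"MAX_AGE", "ARCHIVE_AFTER", "DELETE_AFTER"}
# Threshold parameter names as they appear in the page's example policy.
THRESHOLD_KEY = {"MAX_AGE": "maxAgeMinutes", "ARCHIVE_AFTER": "archiveAfterMinutes"}

# Constructed sample: the two rules of the example policy, values unchanged.
SAMPLE_POLICY = {
    "name": "GDPR Data Retention",
    "policyType": "RETENTION",
    "rules": [
        {"name": "Max PII Age", "ruleType": "MAX_AGE", "enabled": True, "order": 1,
         "parameters": {"maxAgeMinutes": 525960}},
        {"name": "Archive After 180 Days", "ruleType": "ARCHIVE_AFTER", "enabled": True,
         "order": 2, "parameters": {"archiveAfterMinutes": 259200}},
    ],
}


def lint_retention_policy(policy):
    """Hypothetical helper: return a list of findings, empty when the policy is clean."""
    if policy.get("policyType") != "RETENTION":
        return ["policyType is not RETENTION"]
    findings, thresholds, seen_orders = [], {}, set()
    for rule in policy.get("rules", []):
        name, rtype, order = rule.get("name"), rule.get("ruleType"), rule.get("order")
        if rtype not in RETENTION_RULE_TYPES:
            findings.append(f"{name}: unknown ruleType {rtype!r}")
            continue
        if order in seen_orders:
            findings.append(f"{name}: duplicate order {order}")
        seen_orders.add(order)
        key = THRESHOLD_KEY.get(rtype)
        if key is None or not rule.get("enabled", False):
            continue  # no threshold key shown on the page, or rule switched off
        minutes = rule.get("parameters", {}).get(key)
        if type(minutes) is not int or minutes <= 0:
            findings.append(f"{name}: {key} must be a positive integer")
            continue
        thresholds[rtype] = minutes
        if minutes % MINUTES_PER_DAY:  # heuristic: periods are usually stated in days
            days = minutes / MINUTES_PER_DAY
            findings.append(f"{name}: {minutes} minutes is {days:g} days, not a whole number")
    archive, max_age = thresholds.get("ARCHIVE_AFTER"), thresholds.get("MAX_AGE")
    if archive and max_age and archive >= max_age:
        findings.append("ARCHIVE_AFTER is not below MAX_AGE: data ages out before archiving")
    return findings
```

Run on `SAMPLE_POLICY`, it reports that 525960 minutes is 365.25 days, while the rule's description says 365 days.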
Governance Statistics
The governance API provides statistics for compliance reporting.
| Statistic | Description |
|---|---|
| Total policies | Count of all governance policies for the tenant |
| Active policies | Count of currently enforced policies |
| Recent violations | Count of violations in the reporting period |
| Violation by type | Breakdown of violations by policy type |
| Compliance score | Percentage of policies passing without violations |
Compliance Reporting
Compliance reports are generated from the governance statistics and violation data. The /v1/governance/policies/statistics endpoint provides aggregate data for building compliance dashboards and audit reports.
| Report Area | Data Source |
|---|---|
| Access control | ABAC policy evaluations and violations |
| Data classification | Classification policy compliance |
| Data retention | Retention policy violation tracking |
| Audit trail | Audit policy log entries |
| Masking coverage | Masking policy application reports |