# Privacy & Compliance Spec

Status: draft

Owners: Compliance, Security

## Scope

- GDPR: data subject rights, consent, DSR workflows, data minimization.
- HIPAA: PHI handling, access controls, audit logging, BAAs, breach response.

## Data classes

- Public, PII, PHI — document per‑field classification in `data-model.md`.

## Controls

- Encryption in transit (TLS 1.3) and at rest (AES‑256). Key mgmt with rotation.
- RBAC/ABAC for sensitive actions; least privilege; admin action audit.
- Logging with redaction; no PHI/PII in logs/traces.

## DSR & retention

- Defined SLAs and automated workflows for export/delete; retention policies per entity.

## 3rd‑party

- Subprocessors inventory; data flow diagrams; DPAs/BAAs tracked.

## Validation

- Privacy & security review is a gate on every proposal that touches user data.
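
The "no PHI/PII in logs/traces" control can be enforced in the logging pipeline by driving redaction from the per-field classification. The following Python sketch is an added example, not part of this spec or any project code; the field names, the `FIELD_CLASSIFICATION` map (a constructed stand-in for `data-model.md`), the `fields` record attribute and `build_logger` are assumptions.

```python
import logging
import re

# Constructed stand-in for the per-field classification in data-model.md.
FIELD_CLASSIFICATION = {
    "request_id": "Public",
    "status": "Public",
    "email": "PII",
    "full_name": "PII",
    "diagnosis_code": "PHI",
}
LOGGABLE_CLASSES = {"Public"}  # PII and PHI values never reach a log sink

# Safety net for e-mail addresses interpolated into the free-text message.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redact_fields(fields):
    """Return a copy in which only fields classified Public keep their value."""
    out = {}
    for name, value in fields.items():
        cls = FIELD_CLASSIFICATION.get(name)
        if cls in LOGGABLE_CLASSES:
            out[name] = value
        else:
            # Fields missing from the classification fail closed.
            out[name] = f"[REDACTED:{cls or 'UNCLASSIFIED'}]"
    return out

class RedactionFilter(logging.Filter):
    """Scrubs the rendered message and the structured `fields` dict."""

    def filter(self, record):
        # Render first so values passed as %-style args are scrubbed too.
        record.msg = EMAIL_RE.sub("[REDACTED:PII]", record.getMessage())
        record.args = None
        fields = getattr(record, "fields", None)
        record.fields = redact_fields(fields) if isinstance(fields, dict) else {}
        return True

def build_logger(name, handler):
    """Attach the filter to the handler so every record reaching the sink is covered."""
    handler.addFilter(RedactionFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s %(fields)s"))
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger
```

The e-mail pattern only backstops free text; the classification map is the primary control, so new fields should be classified before they are logged.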