Data Protection
| Field | Value |
|---|---|
| Document ID | ASCEND-SEC-007 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 8 minutes | Skill Level: Intermediate
Overview
ASCEND implements comprehensive data protection including field-level masking, tokenization for sensitive data, and privacy controls for regulatory compliance (GDPR, CCPA, HIPAA).
Data Protection Layers
+---------------------------------------------------------------------------------+
| DATA PROTECTION LAYERS |
+---------------------------------------------------------------------------------+
| |
| LAYER 1: ACCESS CONTROL |
| +-------------------------------------------------------------------------+ |
| | - RBAC permissions | |
| | - Multi-tenant isolation | |
| | - API key scoping | |
| +-------------------------------------------------------------------------+ |
| |
| LAYER 2: DATA MASKING |
| +-------------------------------------------------------------------------+ |
| | - PII field masking | |
| | - Role-based field visibility | |
| | - Log redaction | |
| +-------------------------------------------------------------------------+ |
| |
| LAYER 3: TOKENIZATION |
| +-------------------------------------------------------------------------+ |
| | - Sensitive value replacement | |
| | - Secure token vault | |
| | - Reversible mapping | |
| +-------------------------------------------------------------------------+ |
| |
| LAYER 4: ENCRYPTION |
| +-------------------------------------------------------------------------+ |
| | - AES-256 at rest | |
| | - TLS 1.3 in transit | |
| | - Field-level encryption | |
| +-------------------------------------------------------------------------+ |
| |
+---------------------------------------------------------------------------------+
Data Classification
Classification Levels
| Level | Classification | Examples | Protection |
|---|---|---|---|
| 1 | Public | Documentation, marketing | None |
| 2 | Internal | Agent names, action types | Access control |
| 3 | Confidential | Business data, analytics | Encryption |
| 4 | Restricted | PII, credentials | Encryption + masking |
| 5 | Secret | API keys, passwords | Hashing + vault |
Automatic Classification
```python
# Risk assessment includes data classification
{
    "pii_weights": {
        "high_sensitivity": 30,    # SSN, health, financial
        "medium_sensitivity": 20,  # Email, phone, address
        "low_sensitivity": 10,     # Name, general PII
        "none": 0                  # Non-PII data
    }
}
```
Data Masking
Field Masking Rules
| Field Type | Masking Pattern | Example |
|---|---|---|
| Email | ***@domain.com | j***@company.com |
| Phone | ***-***-1234 | ***-***-5678 |
| SSN | ***-**-1234 | ***-**-6789 |
| Credit Card | ****-****-****-1234 | ****-****-****-5678 |
| API Key | owkai_...**** | owkai_admin_a1b2... |
Token Masking for Logs
```python
# Source: security/enterprise_security.py:513
def mask_token_for_logging(token: str) -> str:
    """Mask token for safe logging - only show first/last 4 chars."""
    if not token or len(token) < 12:
        return "***"
    return f"{token[:4]}...{token[-4:]}"

# Example: "owkai_admin_a1b2c3d4e5f6" -> "owka...e5f6"
```
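Masking at each call site depends on every developer remembering to call `mask_token_for_logging`. The following is an added example, not ASCEND source code, that applies the same masking to every record through a `logging.Filter`. The key and bearer-token regexes, the `RedactingFilter` class and the `capture` helper are assumptions made for the illustration.

```python
import io
import logging
import re

# Assumed shapes for this example: keys start with "owkai_"; bearer tokens are
# 12+ characters from the JWT/base64url alphabet.
API_KEY_RE = re.compile(r"\bowkai_[A-Za-z0-9_]{6,}")
BEARER_RE = re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9._~+/=-]{12,})")


def mask_token_for_logging(token: str) -> str:
    """Same behaviour as the function on this page."""
    if not token or len(token) < 12:
        return "***"
    return f"{token[:4]}...{token[-4:]}"


def redact(text: str) -> str:
    text = BEARER_RE.sub(lambda m: m.group(1) + mask_token_for_logging(m.group(2)), text)
    return API_KEY_RE.sub(lambda m: mask_token_for_logging(m.group(0)), text)


class RedactingFilter(logging.Filter):
    """Masks secrets in the fully formatted message, including %-style arguments."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # already merged into msg above
        return True


def capture(*messages: str) -> str:
    """Log constructed sample messages through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redaction-demo")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    for message in messages:
        logger.info("%s", message)
    return stream.getvalue()
```

Attaching the filter to the handler rather than to one logger means records from any logger that reaches that handler are redacted before they are written.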
Error Response Sanitization
```python
# Source: security/enterprise_security.py:475
from typing import Dict

def sanitize_error_response(error: Exception, context: str = "") -> Dict:
    """Sanitize error responses to prevent token/secret leakage."""
    sensitive_patterns = [
        'token', 'jwt', 'bearer', 'password', 'secret', 'key',
        'authorization', 'credential', 'access_token'
    ]
    # Case-insensitive substring match against the error text
    error_str = str(error).lower()
    contains_sensitive = any(p in error_str for p in sensitive_patterns)
    if contains_sensitive:
        # Replace the whole message with a generic one
        return {
            "error": "authentication_error",
            "message": "An authentication error occurred. Please try again.",
            "code": "AUTH_ERROR"
        }
    return {"error": type(error).__name__, "message": str(error)}
```
Tokenization
Sensitive Value Tokenization
```python
import secrets

# Tokenize sensitive values before storage.
# `vault` is the application's token vault client; its definition is not shown on this page.
def tokenize_value(sensitive_value: str, value_type: str) -> str:
    """Replace sensitive value with secure token."""
    # Generate unique token
    token = f"tok_{value_type}_{secrets.token_urlsafe(16)}"
    # Store mapping in secure vault
    vault.store(token, sensitive_value)
    return token

# Example:
# tokenize_value("123-45-6789", "ssn") -> "tok_ssn_a1b2c3d4e5f6" (random part shortened here)
```
Detokenization
```python
def detokenize_value(token: str, authorized: bool = False) -> str:
    """Retrieve original value from token (requires authorization)."""
    if not authorized:
        raise PermissionError("Detokenization not authorized")
    return vault.retrieve(token)
```
Privacy Controls
GDPR Compliance
| Right | Implementation |
|---|---|
| Right to Access | Data export API |
| Right to Rectification | User data update |
| Right to Erasure | Data deletion API |
| Right to Portability | Standard export formats |
| Right to Object | Processing opt-out |
Data Subject Requests
```bash
# Export user data (GDPR Article 15)
curl "https://pilot.owkai.app/api/data-rights/export" \
  -H "Authorization: Bearer <jwt_token>"
```
Response:
```json
{
  "export_id": "exp_123456",
  "status": "processing",
  "format": "json",
  "estimated_completion": "2025-12-15T11:00:00Z"
}
```
Data Deletion (Right to Erasure)
```bash
curl -X POST "https://pilot.owkai.app/api/data-rights/delete" \
  -H "Authorization: Bearer <jwt_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "confirmation": "DELETE_MY_DATA",
    "retain_audit_logs": true
  }'
```
Retention Policies
Compliance-Based Retention
```python
# Source: services/immutable_audit_service.py:173
RETENTION_PERIODS = {
    'SOX': 2555,    # 7 years
    'HIPAA': 2190,  # 6 years
    'PCI': 365,     # 1 year
    'GDPR': 2190,   # 6 years
    'CCPA': 1095,   # 3 years
}
```
Automatic Retention
```json
{
  "compliance_tags": ["SOX", "HIPAA"],
  "retention_until": "2032-12-15T10:30:00Z"
}
```
Audit Trail Protection
Immutable Logging
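```python
# Source: models_audit.py:14
from sqlalchemy import Boolean, Column, DateTime, String

# Excerpt: Base is the project's declarative base; the table name, primary
# key and remaining columns are not shown on this page.
class ImmutableAuditLog(Base):
    """WORM audit log with hash-chaining."""
    # Immutability and integrity
    content_hash = Column(String(64))   # SHA-256 of content
    previous_hash = Column(String(64))  # Hash of previous entry
    chain_hash = Column(String(64))     # Combined chain hash
    # Evidence and retention
    legal_hold = Column(Boolean)
    retention_until = Column(DateTime)
```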
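The three hash columns only protect the log if something recomputes them. The following is an added example, not ASCEND source code, of appending to and verifying such a chain. It assumes `previous_hash` holds the prior entry's `chain_hash`, that `chain_hash` is SHA-256 over `previous_hash + content_hash`, and an all-zero genesis value; `Entry`, `append_entry`, `verify_chain` and `build_sample_log` are names made up for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # assumed previous_hash of the first entry


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hash_content(content: dict) -> str:
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical)  # canonical JSON: same content, same hash


@dataclass
class Entry:
    content: dict
    content_hash: str
    previous_hash: str
    chain_hash: str


def append_entry(log: List[Entry], content: dict) -> Entry:
    content_hash = hash_content(content)
    previous_hash = log[-1].chain_hash if log else GENESIS
    chain_hash = sha256_hex(previous_hash + content_hash)  # assumed construction
    log.append(Entry(dict(content), content_hash, previous_hash, chain_hash))
    return log[-1]


def verify_chain(log: List[Entry]) -> Optional[int]:
    """Return the index of the first entry that fails, or None if the chain is intact."""
    expected_previous = GENESIS
    for i, e in enumerate(log):
        if (e.content_hash != hash_content(e.content)
                or e.previous_hash != expected_previous
                or e.chain_hash != sha256_hex(e.previous_hash + e.content_hash)):
            return i
        expected_previous = e.chain_hash
    return None


def build_sample_log() -> List[Entry]:
    log: List[Entry] = []
    for action in ("login", "export", "delete"):  # constructed sample events
        append_entry(log, {"actor": "user-1", "action": action})
    return log
```

The check only proves internal consistency: keep the latest `chain_hash` in a separate system so that a rewritten or truncated log cannot verify against it.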
Legal Hold
```bash
# Apply legal hold (prevents deletion)
curl -X PUT "https://pilot.owkai.app/api/audit/logs/12345/legal-hold" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "legal_hold": true,
    "reason": "Litigation hold - Case #2025-001"
  }'
```
PII Detection
Automatic PII Classification
```python
import re
from typing import List

# PII detection in action parameters
PII_PATTERNS = {
    "ssn": r"\d{3}-\d{2}-\d{4}",
    "email": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
    "phone": r"\d{3}[-.\s]?\d{3}[-.\s]?\d{4}",
    "credit_card": r"\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}"
}

def detect_pii(text: str) -> List[str]:
    """Detect PII patterns in text."""
    detected = []
    for pii_type, pattern in PII_PATTERNS.items():
        if re.search(pattern, text):
            detected.append(pii_type)
    return detected
```
Risk Scoring Impact
```python
# PII detection affects risk score
if "high_pii" in detected_pii:
    risk_score += PII_WEIGHTS["high_sensitivity"]  # +30
elif "medium_pii" in detected_pii:
    risk_score += PII_WEIGHTS["medium_sensitivity"]  # +20
```
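`detect_pii` returns type names such as `ssn`, while the scoring step tests for sensitivity tiers, and the unanchored patterns report an unseparated 16-digit number as both a card and a phone number. The following is an added example, not ASCEND source code, that bounds the patterns, validates card candidates with a Luhn checksum and maps each type to a tier. The type-to-tier map follows the `pii_weights` comments and is an assumption, as are the names `BOUNDED_PATTERNS`, `PII_TIERS`, `detect_pii_bounded` and `pii_risk`.

```python
import re
from typing import List

# Weights as on this page; the type-to-tier map is an assumption that follows
# the pii_weights comments (SSN and financial = high, email and phone = medium).
PII_WEIGHTS = {"high_sensitivity": 30, "medium_sensitivity": 20,
               "low_sensitivity": 10, "none": 0}
PII_TIERS = {"ssn": "high_sensitivity", "credit_card": "high_sensitivity",
             "email": "medium_sensitivity", "phone": "medium_sensitivity"}

# Same shapes as PII_PATTERNS, plus digit boundaries so that part of a longer
# digit run (a card number, an order id) is not reported as a phone number.
BOUNDED_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "email": re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    "phone": re.compile(r"(?<![\d-])\d{3}[-.\s]?\d{3}[-.\s]?\d{4}(?![\d-])"),
    "credit_card": re.compile(r"(?<!\d)\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}(?!\d)"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects 16-digit strings that are not card numbers."""
    total = 0
    digits = [int(c) for c in number if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_pii_bounded(text: str) -> List[str]:
    """Return the PII types found in text, in PII_PATTERNS order."""
    found = []
    for pii_type, pattern in BOUNDED_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if pii_type == "credit_card":
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            found.append(pii_type)
    return found


def pii_risk(text: str) -> int:
    """Weight of the most sensitive tier present, 0 if nothing is detected."""
    tiers = [PII_TIERS[t] for t in detect_pii_bounded(text)]
    return max((PII_WEIGHTS[t] for t in tiers), default=PII_WEIGHTS["none"])
```

Taking the maximum tier matches the `if`/`elif` scoring above, which adds only the weight of the highest tier found.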
Compliance Mapping
| Standard | Requirement | Implementation |
|---|---|---|
| GDPR Art. 17 | Right to erasure | Data deletion API |
| GDPR Art. 20 | Data portability | Export formats |
| GDPR Art. 32 | Data protection | Encryption + masking |
| CCPA 1798.105 | Right to delete | Deletion workflow |
| HIPAA 164.312(c) | Integrity | Hash-chaining |
| PCI-DSS 3.4 | Data masking | Field masking |
Best Practices
1. Classify Data at Ingestion
```python
# Classify data when received
action.data_classification = classify_data(action.parameters)
```
2. Mask Logs Automatically
```python
# Always mask sensitive data in logs
logger.info(f"API key used: {mask_token_for_logging(api_key)}")
```
3. Tokenize Before Storage
```python
# Tokenize PII before database storage
user.ssn = tokenize_value(user.ssn, "ssn")
```
4. Honor Retention Policies
```python
# Apply longest applicable retention
retention_days = max(
    (RETENTION_PERIODS.get(tag, 365) for tag in compliance_tags),
    default=365,  # no tags: avoid ValueError and use the same 365-day fallback
)
```
Next Steps
- Encryption — Encryption details
- Multi-Tenancy — Data isolation
- Audit Compliance — Compliance audit