docs(security): add data privacy & compliance section#347
Conversation
Adds a Data Privacy & Compliance section to security-and-hardening: PII/sensitive classification, data minimization + purpose, retention/deletion paths (incl. backups), data-subject rights (GDPR/CCPA), consent for third-party/vendor sharing, and data residency. Complements the hardening content (can an attacker read it) with the privacy question (should we hold it, and for how long).
406c643 to
e3431b5
Compare
|
The content here is excellent. The privacy-is-not-security framing and the PII classification table are exactly right and I want them in. One fix first: broadening the security description with "data / storing / sharing" language pulled its routing rank down two points in the evals, because those generic words now over-trigger security for other skills' prompts. Trim the frontmatter addition back to the essentials and leave the body as-is, then it's a clean merge. |
…ression The privacy trigger phrase used generic verbs (collecting, storing, retaining, deleting, sharing) that pulled the security skill's routing rank above other skills on unrelated prompts. Replacing with a tight 'personal data or privacy compliance' phrase preserves discoverability without over-triggering.
|
Glad the content landed right. Fixed the frontmatter — replaced the long verb list ( |
What this adds
A
## Data Privacy & Compliancesection inskills/security-and-hardening/SKILL.md, covering PII classification, data minimisation, retention/deletion policy, consent, cross-border transfer, and breach response.The gap it fills
security-and-hardeningcovers authentication, injection prevention, supply-chain hygiene, and secrets management well. It has no guidance on data privacy or compliance — a separate discipline that's increasingly a first-class engineering concern (GDPR, CCPA, HIPAA). Engineers making decisions about what to log, how long to store it, and when to delete it have nowhere in the skill pack to look.Why here
Privacy is a dimension of hardening: minimising what data you hold reduces your attack surface. The PII classification table mirrors the threat-model framing the skill already uses, so it fits naturally.
Non-duplication check
observability-and-instrumentationcovers what to log for debugging, not what to avoid logging for compliance. The privacy section cross-links it to flag the PII-in-logs failure mode without duplicating the instrumentation guidance.Checklist
node scripts/validate-skills.js→ 0 errors, 0 warningsskills/security-and-hardening/SKILL.md