Skip to content

docs(security): add data privacy & compliance section#347

Open
HMAKT99 wants to merge 2 commits into
addyosmani:mainfrom
HMAKT99:feat/data-privacy
Open

docs(security): add data privacy & compliance section#347
HMAKT99 wants to merge 2 commits into
addyosmani:mainfrom
HMAKT99:feat/data-privacy

Conversation

@HMAKT99

@HMAKT99 HMAKT99 commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

What this adds

A ## Data Privacy & Compliance section in skills/security-and-hardening/SKILL.md, covering PII classification, data minimisation, retention/deletion policy, consent, cross-border transfer, and breach response.

The gap it fills

security-and-hardening covers authentication, injection prevention, supply-chain hygiene, and secrets management well. It has no guidance on data privacy or compliance — a separate discipline that's increasingly a first-class engineering concern (GDPR, CCPA, HIPAA). Engineers making decisions about what to log, how long to store it, and when to delete it have nowhere in the skill pack to look.

Why here

Privacy is a dimension of hardening: minimising what data you hold reduces your attack surface. The PII classification table mirrors the threat-model framing the skill already uses, so it fits naturally.

Non-duplication check

observability-and-instrumentation covers what to log for debugging, not what to avoid logging for compliance. The privacy section cross-links it to flag the PII-in-logs failure mode without duplicating the instrumentation guidance.

Checklist

  • Fully additive — no edits to existing prose
  • node scripts/validate-skills.js → 0 errors, 0 warnings
  • All cross-refs resolve to existing skills
  • Touches only skills/security-and-hardening/SKILL.md
  • Rationalization rows, red flags, and verification checkboxes added in host skill's style

Adds a Data Privacy & Compliance section to security-and-hardening: PII/sensitive
classification, data minimization + purpose, retention/deletion paths (incl. backups),
data-subject rights (GDPR/CCPA), consent for third-party/vendor sharing, and data
residency. Complements the hardening content (can an attacker read it) with the
privacy question (should we hold it, and for how long).
@HMAKT99 HMAKT99 force-pushed the feat/data-privacy branch from 406c643 to e3431b5 Compare July 5, 2026 14:00
@addyosmani

Copy link
Copy Markdown
Owner

The content here is excellent. The privacy-is-not-security framing and the PII classification table are exactly right and I want them in. One fix first: broadening the security description with "data / storing / sharing" language pulled its routing rank down two points in the evals, because those generic words now over-trigger security for other skills' prompts. Trim the frontmatter addition back to the essentials and leave the body as-is, then it's a clean merge.

…ression

The privacy trigger phrase used generic verbs (collecting, storing, retaining,
deleting, sharing) that pulled the security skill's routing rank above other
skills on unrelated prompts. Replacing with a tight 'personal data or privacy
compliance' phrase preserves discoverability without over-triggering.
@HMAKT99

HMAKT99 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Glad the content landed right. Fixed the frontmatter — replaced the long verb list (collecting, storing, retaining, deleting, sharing) with a tight trigger: Use when personal data or privacy compliance (GDPR, CCPA) is involved. Same intent, no generic words that bleed into unrelated routing. Body is untouched. Validator passes 0/0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants