
Data Handling and Compliance

This document summarizes how Primus modules handle data and what you should verify before production. It is not legal advice.

Scope

Primus is a platform that runs inside your infrastructure. It does not provide managed hosting. Data handling and compliance depend on how you deploy and configure the modules.

Data Types

  • PII (Personally Identifiable Information): Names, email addresses, phone numbers, government IDs, postal addresses, and any other data that identifies an individual.
  • PHI (Protected Health Information): Health-related data covered by HIPAA (US) when it is linked to an identifiable individual.
  • PCI data (cardholder data): Primary account numbers (PANs) and sensitive authentication data, governed by PCI DSS.
  • Secrets: API keys, tokens, and credentials. Never log or commit secrets; keep them in a secrets manager and rotate them if they are exposed.

Regional Considerations

United States

Common compliance targets depend on industry:

  • HIPAA (healthcare, PHI)
  • PCI-DSS (payment card processing)
  • SOC 2 (Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy)
  • State privacy laws (e.g., CCPA/CPRA)

India

Common compliance targets depend on industry:

  • DPDP Act, 2023 (Digital Personal Data Protection: obligations on data fiduciaries and processors)
  • RBI/IRDAI guidelines (banking/insurance)
  • PCI-DSS (payment card processing)

Data Residency

If you have data residency requirements, configure your infrastructure accordingly:

  • Choose region-specific storage and databases.
  • Route data through region-specific services.
  • Avoid sending sensitive data to third-party or cross-region services unless a data processing agreement covers that transfer.

Logging and Telemetry

Primus logging modules support PII masking. Masking reduces what reaches a sink but does not by itself make the sink compliant: validate that your log sinks, access controls, and retention policies meet your compliance requirements, and test the masking rules against the data formats your deployment actually produces.
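The following is an added example, not Primus code, showing the kind of masking the Data Types list and this section describe: a logging filter that redacts secrets, card numbers, email addresses, and phone numbers before any handler writes the record. The regular expressions, the placeholder labels, the E.164-style phone assumption, and the logger name `primus.example` are all assumptions for illustration; tune them to the data your deployment handles.

```python
import logging
import re

# Added example (not Primus code). Patterns are assumptions: adjust them to the
# formats your services actually emit, and test them against real log samples.
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|token|password|secret)\s*[=:]\s*\S+")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digit candidate PAN
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{1,3}[ -]?\d{3}[ -]?\d{3}[ -]?\d{4}\b")  # assumes E.164-style, leading "+"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN from order IDs or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m: re.Match) -> str:
    """Keep only the last four digits of a Luhn-valid number; leave others alone."""
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)
    return f"[CARD ****{digits[-4:]}]"


def redact(text: str) -> str:
    """Apply the rules in order: secrets first so their values are never
    partially matched as something else, then cards, emails, and phones."""
    text = SECRET_RE.sub(r"\1=[REDACTED]", text)
    text = CARD_RE.sub(_mask_card, text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message so that neither the template nor
    the interpolated arguments can leak sensitive values to a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "primus.example") -> logging.Logger:
    # Attach the filter to the handler, not the logger: logger-level filters do
    # not run for records that propagate up from child loggers.
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    logger.propagate = False
    return logger


if __name__ == "__main__":
    # Constructed sample messages; the card number is a well-known test PAN.
    log = build_logger()
    log.info("checkout by %s card %s", "alice@example.com", "4111 1111 1111 1111")
    log.warning("auth failed api_key=sk_live_abc123 from +1 415 555 0100")
    log.info("order %s shipped", "1234567890123")  # fails Luhn, left untouched
```

The Luhn check matters in practice: a bare 13-19 digit regex would also mask order numbers, trace IDs, and epoch timestamps, and a masking rule that destroys operational data tends to get disabled. Conversely, masking is only as good as its patterns, so sinks that receive the output still need access control and retention limits.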

Compliance Targets (Guidance)

Primus modules provide tooling to help you implement controls, but they do not certify compliance.

  • Security reporting maps findings to frameworks heuristically; treat those mappings as a starting point for your own control review, not as audit evidence.
  • Payment and identity modules validate events but do not replace audits.
  • Always perform your own security and compliance review.

Your Responsibilities

Before production:

  • Classify data types (PII, PHI, PCI)
  • Configure encryption and access controls
  • Validate data flows and egress (where each data type leaves your network, to which service, and in which region)
  • Document retention and deletion policies
  • Run security testing and audits

If you need help, consult your legal and compliance teams.