Data Governance

Policies, Ownership, and Compliance Frameworks for ComplyAI Data Assets

📋 Table of Contents

Data Governance Framework
Data Ownership Model
Data Classification
Data Quality Standards
Privacy & Compliance
Data Retention Policies
Access Control
Change Management
Incident Response
Audit & Monitoring

Data Governance Framework

Governance Principles

Principle	Description
Accountability	Every data asset has a designated owner responsible for its quality and security
Transparency	Data definitions, lineage, and policies are documented and accessible
Integrity	Data is accurate, complete, and consistent across systems
Security	Data is protected according to its classification level
Compliance	Data handling meets regulatory and contractual requirements
Stewardship	Data is treated as a valuable organizational asset

Governance Structure

┌─────────────────────────────────────────────────────────────────┐
│                    DATA GOVERNANCE COUNCIL                       │
│         (Executive Sponsor + Domain Leads + Compliance)          │
└─────────────────────────────────────────────────────────────────┘
                                │
        ┌───────────────────────┼───────────────────────┐
        ▼                       ▼                       ▼
┌───────────────┐       ┌───────────────┐       ┌───────────────┐
│ DATA OWNERS   │       │ DATA STEWARDS │       │ DATA CUSTODIANS│
│               │       │               │       │               │
│ Business      │       │ Quality &     │       │ Technical     │
│ Accountability│       │ Standards     │       │ Implementation│
│ for domains   │       │ Enforcement   │       │ & Operations  │
└───────────────┘       └───────────────┘       └───────────────┘

Roles & Responsibilities

Data Governance Council

Meets: Monthly (or as needed for urgent matters)
Members: CEO/CTO (Sponsor), Engineering Lead, Product Lead, Compliance Lead
Responsibilities:
- Set data governance strategy and priorities
- Approve major policy changes
- Resolve cross-domain data conflicts
- Allocate resources for governance initiatives

Data Owners (by Domain)

Domain	Owner Role	Responsibilities
Customer Domain	Head of Product	Users, Organizations, Subscriptions
Ad Content Domain	Head of Engineering	Ad Accounts, Ads, Media Assets
Compliance Domain	Head of Compliance	Reviews, Policies, Violations
Operational Domain	Head of Engineering	Activity Events, Notifications

Data Stewards

Role: Cross-functional team members who ensure data quality
Responsibilities:
- Monitor data quality metrics
- Enforce naming conventions
- Review data change requests
- Maintain documentation accuracy

Data Custodians

Role: Engineering/DevOps team members
Responsibilities:
- Implement technical controls
- Manage database access
- Execute backup/recovery
- Monitor system health

Data Ownership Model

Domain Ownership Matrix

Data Entity	Domain	Owner	Steward	Primary System
`users`	Customer	Product	Engineering	complyai-core
`organizations`	Customer	Product	Engineering	complyai-core
`subscriptions`	Customer	Finance	Engineering	complyai-core
`roles`	Customer	Product	Engineering	complyai-core
`org_business_accounts`	Ad Content	Engineering	Engineering	complyai-core
`org_ad_accounts`	Ad Content	Engineering	Engineering	complyai-core
`org_ads`	Ad Content	Engineering	Engineering	complyai-api
`org_ads_score`	Compliance	Compliance	Engineering	complyai-violin
`facebook_ad_status`	Compliance	Compliance	Engineering	complyai-maestro
`activity_events`	Operational	Engineering	Engineering	complyai-core
`notifications`	Operational	Product	Engineering	complyai-triangle

Ownership Responsibilities

Data Owners Must:

Define business rules for their data
Approve access requests
Review data quality reports monthly
Sign off on schema changes
Ensure compliance with regulations

System of Record (SOR)

Entity	System of Record	Rationale
User Profile	complyai-core	Central authentication/identity
Organization Details	complyai-core	Central customer management
Ad Account Metadata	Meta Graph API	External authoritative source
Ad Content/Creative	Meta Graph API	External authoritative source
Compliance Scores	complyai-violin	ComplyAI's proprietary analysis
Billing/Subscription	Stripe	External payment processor

Data Classification

Classification Levels

Level	Label	Description	Examples
1	🔴 Restricted	Highly sensitive, regulatory impact	Access tokens, passwords, SSN, payment data
2	🟠 Confidential	Business-sensitive, limited access	User PII, organization financials, contracts
3	🟡 Internal	Internal use only	Internal metrics, employee data, system configs
4	🟢 Public	Can be shared externally	Marketing content, public documentation

Data Classification by Table

Table	Classification	Rationale
`users.password`	🔴 Restricted	Authentication credential
`users.access_token`	🔴 Restricted	Meta API authentication
`org_business_accounts.system_user_access_token`	🔴 Restricted	Service authentication
`subscriptions.stripe_customer_id`	🔴 Restricted	Payment reference
`users.email`	🟠 Confidential	Personal identifiable information
`users.first_name`, `users.last_name`	🟠 Confidential	Personal identifiable information
`organizations.name`	🟠 Confidential	Business information
`org_ads.*`	🟠 Confidential	Client advertising data
`activity_events.*`	🟡 Internal	Audit/operational data
`notifications.*`	🟡 Internal	System messages
`policies.*` (CMS)	🟢 Public	Published compliance guidance

Handling Requirements by Classification

Classification	Storage	Transmission	Access	Logging
🔴 Restricted	Encrypted at rest (AES-256)	TLS 1.2+ required	Role-based, MFA required	Full audit trail
🟠 Confidential	Encrypted at rest	TLS 1.2+ required	Role-based	Access logged
🟡 Internal	Standard database	TLS recommended	Team-based	Standard logging
🟢 Public	Standard	Any	Open	Minimal

Data Quality Standards

Data Quality Dimensions

Dimension	Definition	Target	Measurement
Accuracy	Data correctly represents reality	99%+	Comparison with source systems
Completeness	Required fields are populated	98%+	NULL/empty field counts
Consistency	Data agrees across systems	99%+	Cross-system reconciliation
Timeliness	Data is up-to-date	Per SLA	Lag time monitoring
Uniqueness	No unintended duplicates	100%	Duplicate detection queries
Validity	Data conforms to business rules	99%+	Constraint violation counts

Quality Rules by Entity

Users Table

Field	Rule	Validation
`email`	Must be valid email format	Regex validation
`email`	Must be unique	Unique constraint
`auth0_user_id`	Must match Auth0 record	Periodic sync check
`created_at`	Must not be future date	Check constraint

Organizations Table

Field	Rule	Validation
`name`	Required, non-empty	NOT NULL constraint
`stripe_customer_id`	Must exist in Stripe (if set)	API verification
`subscription_status`	Must be valid enum	Check constraint

Ad Accounts Table

Field	Rule	Validation
`meta_id`	Must be valid Meta ID format	Format validation
`meta_id`	Must be unique per organization	Unique constraint
`status`	Must match Meta current status	15-min sync check

Data Quality Monitoring

Automated Checks (Run Daily)

NULL field analysis across critical tables
Orphan record detection (FKs pointing to deleted records)
Duplicate detection on unique business keys
Cross-system reconciliation (Meta ↔ Local counts)
Stale data detection (records not updated per expected cadence)

Quality Dashboards

Daily quality score by domain
Trend analysis (week over week)
Alert thresholds for quality degradation

Quality Issue Resolution Process

Automated alert triggers on threshold breach
Data Steward triages and assigns to owner
Root cause analysis performed
Fix implemented and validated
Post-mortem for systemic issues

Privacy & Compliance

Regulatory Framework

Regulation	Applicability	Key Requirements
GDPR	EU users/customers	Consent, right to erasure, data portability
CCPA/CPRA	California residents	Disclosure, opt-out, deletion rights
SOC 2	All operations	Security, availability, confidentiality
Meta Platform Terms	Ad data	Data use restrictions, retention limits

Personal Data Inventory

Data Element	Legal Basis	Retention	Subject Rights
User email	Contract performance	Account lifetime + 30 days	Access, Rectification, Erasure
User name	Contract performance	Account lifetime + 30 days	Access, Rectification, Erasure
Activity logs	Legitimate interest	2 years	Access
Ad account data	Contract performance	Account lifetime + 90 days	Access, Portability
Payment info	Contract/Legal	7 years (financial records)	Access

Data Subject Rights Procedures

Right to Access

User submits request via Settings or email
Identity verification performed
Data export generated within 30 days
Delivered securely to verified email

Right to Erasure ("Right to be Forgotten")

User submits deletion request
Verify no legal hold requirements
Soft delete user record (anonymize PII)
Cascade to related records per retention policy
Confirm deletion to user within 30 days

Erasure Exceptions:

Active subscription with outstanding balance
Legal hold or regulatory requirement
Data required for legal defense

Right to Rectification

User updates profile in-app, or
Submits correction request
Data steward reviews and applies
Confirmation sent to user

Purpose	Consent Type	Collection Point	Withdrawal Method
Account creation	Explicit	Registration	Account deletion
Email notifications	Explicit	Onboarding	Settings toggle
Marketing emails	Opt-in	Registration/Dashboard	Unsubscribe link
Analytics cookies	Opt-in	Cookie banner	Cookie settings
Data sharing (Meta)	Explicit	OAuth flow	Disconnect account

Data Retention Policies

Retention Schedule

Data Category	Retention Period	Archive Policy	Deletion Method
User Accounts	Account lifetime + 30 days	N/A	Hard delete after anonymization
Organization Data	Account lifetime + 90 days	Archive to cold storage	Hard delete
Ad Data (org_ads)	2 years from creation	Archive after 1 year	Hard delete
Compliance Scores	2 years from creation	Archive after 1 year	Hard delete
Activity Logs	2 years	Archive after 6 months	Hard delete
Webhook Events	90 days	N/A	Hard delete
Session Data	30 days	N/A	Auto-expire
Backup Data	30 days (daily), 1 year (monthly)	Encrypted S3	Lifecycle policy
Financial Records	7 years	Required for compliance	Legal hold

Retention Triggers

Trigger Event	Action	Timeline
User requests account deletion	Begin deletion workflow	Within 30 days
Organization churns	Mark for retention countdown	90-day countdown
Subscription expires (no renewal)	Mark inactive	After 30-day grace
Retention period expires	Automated deletion job	Nightly job

Archive Process

Identify records meeting archive criteria
Export to compressed, encrypted format
Upload to S3 Glacier
Verify archive integrity
Remove from production database
Update audit log

Legal Hold Process

Legal/Compliance issues hold request
Tag affected records with hold flag
Exclude from automated deletion
Maintain until hold released
Document hold duration and reason

Access Control

Access Control Model

ComplyAI uses Role-Based Access Control (RBAC) with the following hierarchy:

┌─────────────────────────────────────────────┐
│              PLATFORM ADMIN                  │
│    (ComplyAI Staff - Full System Access)     │
└─────────────────────────────────────────────┘
                      │
┌─────────────────────────────────────────────┐
│           ORGANIZATION OWNER                 │
│   (Customer Admin - Full Org Access)         │
└─────────────────────────────────────────────┘
                      │
        ┌─────────────┴─────────────┐
        ▼                           ▼
┌───────────────┐           ┌───────────────┐
│     ADMIN     │           │    MEMBER     │
│               │           │               │
│ Manage Users  │           │ View/Edit Ads │
│ Manage Accts  │           │ View Reports  │
│ View Reports  │           │               │
└───────────────┘           └───────────────┘

Permission Matrix

Action	Platform Admin	Org Owner	Admin	Member
View organization data	✅	✅	✅	✅
Edit organization settings	✅	✅	✅	❌
Add/remove users	✅	✅	✅	❌
Connect ad accounts	✅	✅	✅	❌
View ads	✅	✅	✅	✅
Edit ads/feedback	✅	✅	✅	✅
View billing	✅	✅	❌	❌
Change subscription	✅	✅	❌	❌
Access other organizations	✅	❌	❌	❌
Access admin dashboard	✅	❌	❌	❌

Database Access Control

Access Level	Who	Access Method	Audit
Production Read/Write	Designated DBAs only	Bastion host + MFA	Full query logging
Production Read-Only	Senior Engineers (approved)	Bastion host + MFA	Full query logging
Staging Full Access	Engineering team	VPN + credentials	Standard logging
Local Development	All developers	Local containers	N/A

Access Request Process

Submit access request via internal tool
Manager approval
Data Owner approval (for sensitive data)
IT provisions access
Access reviewed quarterly

Service-to-Service Authentication

Internal services use API keys stored in AWS Secrets Manager
Service mesh validates service identity
All inter-service calls logged

Change Management

Schema Change Process

┌──────────────┐    ┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│   Request    │───▶│    Review    │───▶│    Test      │───▶│   Deploy     │
│              │    │              │    │              │    │              │
│ RFC Document │    │ Data Owner   │    │ Staging      │    │ Production   │
│ Impact       │    │ DBA Review   │    │ Integration  │    │ Rollback     │
│ Analysis     │    │ Security     │    │ Tests        │    │ Plan Ready   │
└──────────────┘    └──────────────┘    └──────────────┘    └──────────────┘

Change Categories

Category	Examples	Approval Required	Lead Time
Emergency	Security patches, critical bugs	Post-hoc approval	Immediate
Standard	New columns (nullable), new indexes	Team lead	1 sprint
Significant	New tables, column type changes	Data Owner + DBA	2 sprints
Major	Schema redesign, migrations	Governance Council	1 quarter

Schema Change Checklist

Before Change:

During Change:

Change window communicated
Monitoring in place
Rollback ready to execute

After Change:

Verification tests passed
Performance validated
Documentation finalized
Change logged in changelog

API Change Management

Change Type	Versioning	Deprecation Notice
Breaking changes	New version (v2, v3)	6 months minimum
Additive changes	Same version	N/A
Bug fixes	Same version	N/A
Deprecations	Mark deprecated	3 months minimum

Incident Response

Data Incident Classification

Severity	Description	Response Time	Escalation
P1 - Critical	Data breach, mass data loss	Immediate	CEO, Legal, All Hands
P2 - High	Data corruption, unauthorized access	< 1 hour	CTO, Security Lead
P3 - Medium	Data quality issues, minor exposure	< 4 hours	Data Owner, Engineering
P4 - Low	Documentation gaps, minor inconsistencies	< 24 hours	Data Steward

Incident Response Procedure

Phase 1: Detection & Triage

Incident detected (monitoring, user report, audit)
On-call engineer triages
Severity assigned
Incident channel created (#incident-YYYYMMDD)

Phase 2: Containment

Isolate affected systems if needed
Preserve evidence (logs, snapshots)
Stop ongoing data exposure
Notify affected parties (if P1/P2)

Phase 3: Investigation

Root cause analysis
Scope determination (what data, how many records)
Timeline reconstruction
Document findings

Phase 4: Remediation

Fix vulnerability/issue
Restore data if needed
Verify fix effectiveness
Update monitoring/alerts

Phase 5: Post-Incident

Blameless post-mortem
Update runbooks/procedures
Regulatory notifications (if required)
Customer communications (if required)

Breach Notification Requirements

Regulation	Notification Timeline	Who to Notify
GDPR	72 hours	Supervisory authority + affected users
CCPA	"Without unreasonable delay"	Affected California residents
Contractual	Per agreement	Affected customers

Audit & Monitoring

Audit Logging Requirements

Event Type	Logged Fields	Retention
User login	user_id, timestamp, IP, success/fail	2 years
Data access (sensitive)	user_id, table, record_id, timestamp	2 years
Data modification	user_id, table, record_id, old/new values, timestamp	2 years
Admin actions	user_id, action, target, timestamp	2 years
API calls	endpoint, user/service, params, response_code	90 days
System events	service, event_type, details, timestamp	90 days

Audit Log Structure

{
  "timestamp": "2024-12-08T14:30:00Z",
  "event_type": "data_access",
  "actor": {
    "type": "user",
    "id": "user_123",
    "ip": "192.168.1.1"
  },
  "resource": {
    "type": "table",
    "name": "users",
    "record_id": "456"
  },
  "action": "read",
  "outcome": "success",
  "metadata": {
    "fields_accessed": ["email", "first_name"],
    "query_context": "user_profile_view"
  }
}

Monitoring Dashboards

Data Quality Dashboard

Completeness scores by table
Freshness (time since last update)
Anomaly detection alerts
Cross-system reconciliation status

Security Dashboard

Failed login attempts
Unusual access patterns
Privilege escalations
API rate limit breaches

Compliance Dashboard

Data subject requests (pending/completed)
Consent status distribution
Retention policy compliance
Encryption status

Periodic Reviews

Review Type	Frequency	Participants	Output
Access review	Quarterly	Data Owners, IT	Access adjustments
Quality review	Monthly	Data Stewards	Quality improvement plan
Policy review	Annually	Governance Council	Policy updates
Compliance audit	Annually	External auditor	Audit report
Penetration test	Annually	Security firm	Remediation plan

Governance Metrics & KPIs

Metric	Target	Current	Trend
Data quality score (overall)	>95%	TBD	—
Critical field completeness	>99%	TBD	—
Data subject request SLA	100% within 30 days	TBD	—
Incident response SLA	100% within target	TBD	—
Documentation coverage	100% of tables	TBD	—
Access review completion	100% quarterly	TBD	—

Data Dictionary - Field-level definitions
Data Lineage - Data flow documentation
Service Architecture - System design
Quick Reference - Common lookups

Changelog

Version	Date	Author	Changes
1.0	2024-12	Data Team	Initial governance framework

Last Updated: December 2024

📋 Table of Contents​

Data Governance Framework​

Governance Principles​

Governance Structure​

Roles & Responsibilities​

Data Governance Council​

Data Owners (by Domain)​

Data Stewards​

Data Custodians​

Data Ownership Model​

Domain Ownership Matrix​

Ownership Responsibilities​

Data Classification​

Classification Levels​

Data Classification by Table​

Handling Requirements by Classification​

Data Quality Standards​

Data Quality Dimensions​

Quality Rules by Entity​

Users Table​

Organizations Table​

Ad Accounts Table​

Data Quality Monitoring​

Privacy & Compliance​

Regulatory Framework​

Personal Data Inventory​

Data Subject Rights Procedures​

Right to Access​

Right to Erasure ("Right to be Forgotten")​

Right to Rectification​

Consent Management​

Data Retention Policies​

Retention Schedule​

Retention Triggers​

Archive Process​

Legal Hold Process​

Access Control​

Access Control Model​

Permission Matrix​

Database Access Control​

Access Request Process​

Service-to-Service Authentication​

Change Management​

Schema Change Process​

Change Categories​

Schema Change Checklist​

API Change Management​

Incident Response​

Data Incident Classification​

Incident Response Procedure​

Breach Notification Requirements​

Audit & Monitoring​

Audit Logging Requirements​

Audit Log Structure​

Monitoring Dashboards​

Periodic Reviews​

Governance Metrics & KPIs​

Related Documents​

Changelog​