# STD-GOV-131: Data Classification Enforcement

| Field | Value |
|---|---|
| Standard | STD-GOV-131 |
| Title | Data Classification Enforcement |
| Status | Draft |
| Owner | Security Lead |
| Created | 2026-04-03 |
| Review | Quarterly |
## Purpose
Automate the enforcement of data classification across Simpaisa's payment gateway. Handling PII, financial data and payment credentials for 270M+ transactions across PK, BD, NP, IQ and EG demands that data classification is not just a policy document but an actively enforced control with automated detection, access enforcement and edge-level protection.
## Scope
All data processed, stored or transmitted by Simpaisa services. Applies to application code, API responses, logs, databases, analytics pipelines and third-party integrations. Covers all classification levels defined in PII-HANDLING-STANDARD.md.
## Classification Levels

| Level | Definition | Examples |
|---|---|---|
| Restricted | Highly sensitive; regulatory-controlled | PAN, CVV, bank account numbers, CNIC, NID |
| Confidential | Business-sensitive; internal only | Transaction amounts, merchant IDs, API keys |
| Internal | Non-public but low sensitivity | Service logs, system metrics, config |
| Public | Intended for external consumption | API documentation, public pricing |
## Current State
- Data classification policy exists in PII-HANDLING-STANDARD.md.
- PII masking applied in logging pipeline but not verified automatically.
- No CI-time scanning for PII patterns in code.
- Cloudflare WAF rules exist but no DLP-specific configuration.
- Access controls per classification level not formally enforced.
## Gaps
- No automated detection of PII in code (hard-coded test data, log statements).
- No CI pipeline scan for classification violations.
- No DLP rules at Cloudflare edge to prevent Restricted data leakage.
- Access controls not differentiated by classification level.
- No regular audit of classification accuracy.
## Target State
- CI pipeline automatically scans code for PII patterns and blocks violations.
- Cloudflare DLP rules prevent Restricted data in unencrypted responses.
- Access controls enforced per classification level in all data stores.
- Quarterly audit verifies classification accuracy and enforcement.
## Automated CI Scanning

### Detection Patterns

| Pattern | Classification | Regex / Rule |
|---|---|---|
| Pakistan CNIC | Restricted | `\b\d{5}-\d{7}-\d{1}\b` |
| Bangladesh NID | Restricted | `\b\d{10,17}\b` (context-aware) |
| Card PAN | Restricted | `\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b` |
| Email address | Confidential | Standard email regex |
| Phone number | Confidential | `\b\+?\d{10,14}\b` (context-aware) |
| API key / secret | Restricted | `(?i)(api[_-]?key\|secret\|password)\s*[:=]` |
### CI Pipeline Integration
- Scanner runs as a step in every Bitbucket Pipeline build.
- Block: PRs with Restricted data patterns in code, logs or test fixtures.
- Warn: PRs with Confidential data patterns (may be legitimate; requires justification).
- Allowlist: Managed in .classification-allowlist.yml per repository (reviewed quarterly).
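The following is an added illustration of how the scanner step described above can apply the detection-pattern table with the block / warn / allowlist rules; it is example code written for this page, not the Platform Team's scanner. Assumptions are labelled in the comments: the keyword check is one possible reading of "context-aware" for the NID and phone patterns, the email regex is a simplified stand-in for "standard email regex", and the allowlist is embedded as a list of dicts with `path`, `pattern` and `reason` keys rather than loaded from `.classification-allowlist.yml`, so the example runs offline.

```python
"""Classification scanner for a CI step (illustrative, not the project's own)."""
import fnmatch
import re
import sys
from dataclasses import dataclass

# Patterns from the Detection Patterns table. The third element is a tuple of
# context keywords (assumption): bare digit patterns only count when the same
# line mentions the field they belong to, which keeps order ids and timestamps
# from being flagged as NIDs or phone numbers.
PATTERNS = {
    "Pakistan CNIC": ("Restricted", re.compile(r"\b\d{5}-\d{7}-\d{1}\b"), ()),
    "Bangladesh NID": ("Restricted", re.compile(r"\b\d{10,17}\b"), ("nid",)),
    "Card PAN": ("Restricted",
                 re.compile(r"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"), ()),
    "API key / secret": ("Restricted",
                         re.compile(r"(?i)(api[_-]?key|secret|password)\s*[:=]"), ()),
    # Simplified stand-in for the table's "standard email regex" (assumption).
    "Email address": ("Confidential",
                      re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), ()),
    "Phone number": ("Confidential", re.compile(r"\b\+?\d{10,14}\b"),
                     ("phone", "mobile", "msisdn")),
}

# Assumed shape of a parsed .classification-allowlist.yml: each entry names a
# path glob, the pattern it exempts and the justification reviewed quarterly.
ALLOWLIST = [
    {"path": "docs/*", "pattern": "Email address", "reason": "public support contact"},
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    pattern: str
    classification: str
    excerpt: str  # truncated match, so the CI log itself does not leak the value


def is_allowlisted(path, pattern_name, allowlist):
    return any(fnmatch.fnmatch(path, e["path"]) and e["pattern"] == pattern_name
               for e in allowlist)


def scan_file(path, text, allowlist=ALLOWLIST):
    """Return every pattern hit in one file, honouring context keywords and the allowlist."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for name, (level, regex, keywords) in PATTERNS.items():
            if keywords and not any(k in lowered for k in keywords):
                continue
            if is_allowlisted(path, name, allowlist):
                continue
            for m in regex.finditer(line):
                findings.append(Finding(path, line_no, name, level, m.group(0)[:4] + "..."))
    return findings


def verdict(findings):
    """Block on any Restricted hit, warn on Confidential hits, otherwise pass."""
    if any(f.classification == "Restricted" for f in findings):
        return "block"
    if findings:
        return "warn"
    return "pass"


def scan_repo(files, allowlist=ALLOWLIST):
    """Map each path to its verdict; `files` is {path: contents}."""
    return {path: verdict(scan_file(path, text, allowlist)) for path, text in files.items()}


# Constructed sample repository contents (not real data).
SAMPLE_FILES = {
    "tests/fixtures/customer.json": '{"name": "Test User", "cnic": "12345-1234567-1"}\n',
    "src/notify.py": 'SUPPORT_EMAIL = "support@example.com"\n',
    "docs/api.md": "Contact support@example.com for access.\n",
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for path, outcome in results.items():
        print(f"{outcome:5} {path}")
    # A CI step fails the build on any blocked file.
    sys.exit(1 if "block" in results.values() else 0)
```

Only the first four characters of a match reach the finding, so a blocked PR's pipeline log does not become a second copy of the Restricted value.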
## Cloudflare DLP Rules
- Rule 1: Block any API response body containing Restricted patterns (PAN, CNIC, NID) unless the endpoint is explicitly allowlisted (e.g., tokenisation service responses).
- Rule 2: Log and alert on Confidential patterns in responses to external IPs.
- Rule 3: Enforce TLS 1.2+ for all data in transit (already in place via Cloudflare).
- Rules managed via Cloudflare API with infrastructure-as-code in the platform repository.
## Access Controls by Classification

| Level | Database Access | API Access | Logging |
|---|---|---|---|
| Restricted | Named individuals only | mTLS + OAuth2 + audit trail | Never logged in clear |
| Confidential | Team-level access | OAuth2 + audit trail | Masked in logs |
| Internal | Service account access | Internal network only | Standard logging |
| Public | Read-only, no auth needed | Public API | Standard logging |
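The Logging column above distinguishes "never logged in clear" (Restricted) from "masked in logs" (Confidential). The following added example, written for this page and not taken from the Simpaisa logging pipeline, shows one way to enforce that distinction at the formatter: Restricted matches are replaced wholesale, Confidential matches keep enough shape to debug with. The partial-mask formats (first character of an email local part, last four digits of a phone number) are assumptions chosen for the illustration.

```python
"""Classification-aware log masking (illustrative example, not the project's pipeline)."""
import logging
import re

# Restricted: the whole match is removed from the rendered record.
RESTRICTED = {
    "CNIC": re.compile(r"\b\d{5}-\d{7}-\d{1}\b"),
    "PAN": re.compile(r"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"),
}
# Confidential: masked but partially readable (mask formats are assumptions).
EMAIL = re.compile(r"\b([\w.+-])[\w.+-]*@([\w-]+\.[\w.-]+)\b")
PHONE = re.compile(r"\b(\+?\d{6,10})(\d{4})\b")  # 10-14 digits in total, as in the table


def mask(text):
    """Redact Restricted values, then partially mask Confidential ones."""
    for name, regex in RESTRICTED.items():
        text = regex.sub(f"[REDACTED {name}]", text)
    text = EMAIL.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)
    text = PHONE.sub(lambda m: "*" * len(m.group(1)) + m.group(2), text)
    return text


class MaskingFormatter(logging.Formatter):
    """Masks the fully rendered record, so message text and %-args are both covered."""

    def format(self, record):
        return mask(super().format(record))


def render(message, *args):
    """Render one record through MaskingFormatter without touching global logging state."""
    record = logging.LogRecord("payments", logging.INFO, "app.py", 0, message, args, None)
    return MaskingFormatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(MaskingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample values, not real customer data.
    log.info("refund cnic=12345-1234567-1 pan=4111 1111 1111 1111 user=ali.khan@example.com phone=03001234567")
```

Masking the rendered string rather than individual arguments is deliberate: a value interpolated into the message template, or concatenated before the call, is caught just the same.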
## Quarterly Audit
- Scope: Sample 20% of services per quarter (full coverage annually).
- Method: Automated scan + manual review of data stores, API responses and logs.
- Output: Classification accuracy report. Violations tracked in Beads with tag data-classification.
- Escalation: Persistent violations reported to ARB.
## Actions

| # | Action | Owner | Deadline |
|---|---|---|---|
| 1 | Build CI scanner for PII patterns | Platform Team | 2026-Q2 |
| 2 | Configure Cloudflare DLP rules for Restricted data | Security Lead | 2026-Q2 |
| 3 | Define access control matrix per data store | Security Lead | 2026-Q2 |
| 4 | Create .classification-allowlist.yml per repo | Service Owners | 2026-Q2 |
| 5 | Conduct first quarterly classification audit | Security Lead | 2026-Q3 |
## References
- PII-HANDLING-STANDARD.md
- SECRET-MANAGEMENT-STANDARD.md
- SECURITY-ARCHITECTURE.md
- LOGGING-STANDARD.md