Platform Foundation

PII & Privacy

Encrypted private profile, approval-gated change workflow, multi-country national ID framework, and DSAR-ready data export.

Why this matters for enterprise procurement

Employee SIN, SSN, dates of birth, emergency contacts, banking details — this data needs special handling. FrontLine keeps it in a separate encrypted store, behind a change-request workflow (no direct mutations), with every read and write captured in the audit trail. DSAR fulfillment is a single export, not a forensic project.

How it's implemented

Approval-gated, encrypted at rest, exportable when a DSAR arrives

Private profile data lives in a separate table with field-level encryption at rest (AWS KMS-backed envelope encryption). Reads of PII columns require an explicit `pii.read` permission and emit a separate audit event. Writes are not direct: an HR Admin submits a change request, an approver reviews and approves, and the system applies the change. National identifiers are stored via a country-aware framework (SIN for Canada, SSN for US, etc.) so adding a new country is a configuration change, not a schema migration.
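To make the envelope-encryption layer described above concrete, here is an added illustration in Go of that storage shape. It is not FrontLine's code: an in-memory key-encryption key (`kek`) stands in for the AWS KMS key, AES-256-GCM seals both the wrapped per-record data key and each field, and the `PrivateRecord`, `Encrypt`, `Decrypt` and helper names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PrivateRecord is one employee's encrypted private profile. The data key
// (DEK) is unique to the record and stored only in wrapped form; each PII
// field is sealed separately under the DEK, so a single column can be
// decrypted on its own and a rotation or erasure pass can work record by record.
type PrivateRecord struct {
	WrappedDEK []byte            // DEK sealed under the KEK (AWS KMS in production)
	Fields     map[string][]byte // field name -> AES-GCM ciphertext under the DEK
}

// kek is an in-memory stand-in for the KMS key (hypothetical). In production the
// KEK never leaves KMS: wrapping is GenerateDataKey/Encrypt, unwrapping is Decrypt.
var kek = randBytes(32)

// randBytes draws from crypto/rand; a failure must never be silently ignored.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM. Keys are always ones we generated, so a bad size is a bug, not input.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal prefixes a fresh random 96-bit nonce to the GCM ciphertext.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open rejects truncated, tampered or wrong-key ciphertext with an error.
func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("missing or truncated ciphertext")
}

// Encrypt builds a record: mint a DEK, wrap it under the KEK, seal every field.
func Encrypt(fields map[string]string) *PrivateRecord {
	dek := randBytes(32)
	rec := &PrivateRecord{WrappedDEK: seal(kek, dek), Fields: map[string][]byte{}}
	for name, value := range fields {
		rec.Fields[name] = seal(dek, []byte(value))
	}
	return rec
}

// Decrypt unwraps the DEK once and opens only the columns that were asked for.
func Decrypt(rec *PrivateRecord, names ...string) (map[string]string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	out := map[string]string{}
	for _, n := range names {
		pt, err := open(dek, rec.Fields[n])
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", n, err)
		}
		out[n] = string(pt)
	}
	return out, nil
}

func main() {
	// Constructed sample values, not real identifiers.
	rec := Encrypt(map[string]string{"sin": "000-000-000", "dob": "1990-01-01"})
	fmt.Println(Decrypt(rec, "sin"))
	ct := rec.Fields["sin"]
	ct[len(ct)-1] ^= 1 // flip one bit: the GCM tag check must now fail
	fmt.Println(Decrypt(rec, "sin"))
}
```

Two properties worth checking against any vendor's implementation are visible here: a flipped bit anywhere in a stored field is detected rather than decrypted to garbage, and two records with identical values share neither a data key nor a ciphertext, so equality of PII cannot be inferred from the encrypted table.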

Capabilities

What's covered out of the box

  • Field-level encryption at rest for PII columns
  • PII reads require explicit permission and emit dedicated audit events
  • Approval-gated change requests (no direct mutations)
  • Multi-country national identifier framework
  • DSAR (data subject access request) export in machine-readable format
  • Right-to-erasure / anonymization workflow
  • PII anomaly detection in the Compliance Dashboard
  • Configurable retention policies per data category

Standards & compliance

Audit-ready artifacts your reviewers can lean on

  • PIPEDA — fair information principles, accountability, safeguards
  • CCPA / CPRA — DSAR fulfillment, right to delete
  • GDPR readiness — Articles 15, 17, 20 workflows
  • SOC 2 Type II — confidentiality controls

Procurement FAQ

What security and compliance reviewers actually ask

Can an HR admin directly edit an employee's SIN?
No. PII fields require a change-request workflow: an HR admin proposes the change, a second approver reviews and approves, and the system applies it. Both the proposal and the approval are audited.

How quickly can we fulfill a DSAR?
A subject-access request export runs as a background job and typically completes within minutes for a single employee. The export is a structured JSON+CSV package suitable for delivery to the data subject.

What about right-to-erasure?
The right-to-erasure workflow runs an anonymization pass that nulls or hashes personal identifiers across all tables, while preserving aggregate operational records (schedules, QA evaluations) with anonymized references.

Who can read PII?
Only users with the explicit `pii.read` permission, which is not granted by default to any role except HR Admin and Tenant Admin. Each read emits an audit event with the specific fields touched.
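The first and last FAQ answers above describe an authorization flow. This added Go sketch, which is not FrontLine's code, models that flow so a reviewer can see what "no direct mutations" and "each read emits an audit event with the specific fields touched" mean in practice: `pii.read` gates reads and every attempt, granted or denied, is audited with the fields requested; writes exist only as change requests, and a different person with approval rights must apply them. The permission names `pii.propose` and `pii.approve`, the `PIIService` type and the audit action strings are assumptions; values are held in plaintext here because the point is the control flow, not encryption at rest.

```go
package main

import (
	"errors"
	"fmt"
)

// AuditEvent names the actor, the outcome, and exactly which PII fields were touched.
type AuditEvent struct {
	Actor, Action string
	Fields        []string
}

// ChangeRequest is the only path by which a PII field changes.
type ChangeRequest struct {
	Employee, Field, NewValue, Proposer string
	Applied                             bool
}

// PIIService models the control flow only. In a real store the values would be
// ciphertext and the audit trail append-only; both are out of scope here.
type PIIService struct {
	Perms   map[string]map[string]bool // user -> granted permissions (names other than pii.read are hypothetical)
	profile map[string]map[string]string
	changes []*ChangeRequest
	Audit   []AuditEvent
}

func NewPIIService() *PIIService {
	return &PIIService{Perms: map[string]map[string]bool{}, profile: map[string]map[string]string{}}
}

func (s *PIIService) audit(actor, action string, fields ...string) {
	s.Audit = append(s.Audit, AuditEvent{actor, action, fields})
}

// Read returns PII only to holders of pii.read. Denied attempts are audited too,
// and every event lists the specific fields that were requested.
func (s *PIIService) Read(actor, employee string, fields ...string) (map[string]string, error) {
	if !s.Perms[actor]["pii.read"] {
		s.audit(actor, "pii.read.denied", fields...)
		return nil, errors.New("pii.read permission required")
	}
	out := map[string]string{}
	for _, f := range fields {
		v, ok := s.profile[employee][f]
		if !ok {
			return nil, fmt.Errorf("no %s on file for %s", f, employee)
		}
		out[f] = v
	}
	s.audit(actor, "pii.read", fields...)
	return out, nil
}

// Propose opens a change request and returns its id. Nothing is written yet.
func (s *PIIService) Propose(actor, employee, field, value string) (int, error) {
	if !s.Perms[actor]["pii.propose"] {
		return 0, errors.New("pii.propose permission required")
	}
	s.changes = append(s.changes, &ChangeRequest{employee, field, value, actor, false})
	s.audit(actor, "pii.change.proposed", field)
	return len(s.changes), nil
}

// Approve applies a pending change. The approver needs pii.approve and must be a
// different person from the proposer, so nobody can alter a SIN single-handedly.
func (s *PIIService) Approve(actor string, id int) error {
	if id < 1 || id > len(s.changes) || s.changes[id-1].Applied {
		return errors.New("no pending change request with that id")
	}
	cr := s.changes[id-1]
	if !s.Perms[actor]["pii.approve"] || cr.Proposer == actor {
		s.audit(actor, "pii.change.approval_denied", cr.Field)
		return errors.New("approval needs pii.approve and a second person")
	}
	if s.profile[cr.Employee] == nil {
		s.profile[cr.Employee] = map[string]string{}
	}
	s.profile[cr.Employee][cr.Field] = cr.NewValue // the system, not the admin, performs the write
	cr.Applied = true
	s.audit(actor, "pii.change.approved", cr.Field)
	return nil
}

func main() {
	s := NewPIIService()
	s.Perms["hr-admin"] = map[string]bool{"pii.read": true, "pii.propose": true, "pii.approve": true}
	s.Perms["approver"] = map[string]bool{"pii.approve": true}
	id, _ := s.Propose("hr-admin", "emp-1001", "sin", "000-000-000") // constructed sample value, not a real SIN
	fmt.Println(s.Approve("hr-admin", id))                            // rejected: proposer and approver are the same person
	fmt.Println(s.Approve("approver", id))                            // applied
	fmt.Println(s.Read("hr-admin", "emp-1001", "sin"))
	for _, e := range s.Audit {
		fmt.Printf("%-10s %-28s %v\n", e.Actor, e.Action, e.Fields)
	}
}
```

The check a reviewer should look for in the audit trail is that a denied self-approval and a denied read both appear as events, not just the successful ones; a trail that only records successes cannot show who tried.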

Run this past your security team

We share security overviews, RLS policy DDL, audit-event schemas, and SOC 2 progress on request. Book a 30-minute security review with the founders.
