FP&A Platform — Data Classification Matrix

Version: 1.0
Last Updated: 2026-02-03
Document ID: GOV-001
Classification: Confidential

1. Overview

This document defines the data classification framework for the FP&A Platform, mapping all data elements to classification levels and specifying handling requirements for each level.

Classification Levels

Level	Label	Color Code	Description
1	PUBLIC	🟢 Green	Information that can be freely shared externally
2	INTERNAL	🔵 Blue	Business information for internal use only
3	CONFIDENTIAL	🟡 Yellow	Sensitive business information requiring protection
4	RESTRICTED	🔴 Red	Highly sensitive data with regulatory requirements

2. Data Classification by Domain

2.1 User Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
User ID	`users.id`	INTERNAL	-	Internal identifier
Email Address	`users.email`	RESTRICTED	PII, GDPR, LGPD	Personal identifier
First Name	`users.first_name`	RESTRICTED	PII, GDPR, LGPD	Personal identifier
Last Name	`users.last_name`	RESTRICTED	PII, GDPR, LGPD	Personal identifier
Phone Number	`users.phone`	RESTRICTED	PII, GDPR, LGPD	Personal contact
Password Hash	`users.password_hash`	RESTRICTED	Security	Authentication credential
MFA Secret	`users.mfa_secret`	RESTRICTED	Security	Authentication credential
Avatar URL	`users.avatar_url`	INTERNAL	-	Non-sensitive
Timezone	`users.timezone`	INTERNAL	-	Preference
Last Login	`users.last_login_at`	INTERNAL	-	Operational
Role Assignments	`user_roles.*`	CONFIDENTIAL	SOX	Access control
Session Tokens	`sessions.token`	RESTRICTED	Security	Authentication

2.2 Tenant & Entity Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Tenant ID	`tenants.id`	INTERNAL	-	Internal identifier
Tenant Name	`tenants.name`	INTERNAL	-	Business name
Subscription Tier	`tenants.plan_tier`	CONFIDENTIAL	-	Commercial terms
Entity ID	`legal_entities.id`	INTERNAL	-	Internal identifier
Legal Entity Name	`legal_entities.name`	INTERNAL	SOX	Legal name
Tax ID (EIN/CNPJ)	`legal_entities.tax_id`	RESTRICTED	PII, Tax	Government identifier
Bank Account Number	`bank_accounts.account_number`	RESTRICTED	PCI, SOX	Financial account
Routing Number	`bank_accounts.routing_number`	CONFIDENTIAL	PCI	Banking info
SWIFT Code	`bank_accounts.swift_code`	INTERNAL	-	Public banking info

2.3 Financial Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Account Number	`accounts.account_number`	INTERNAL	SOX	Chart of accounts
Account Name	`accounts.name`	INTERNAL	SOX	Account description
Account Balance	`accounts.balance`	CONFIDENTIAL	SOX, SEC	Financial state
Journal Entry ID	`journal_entries.id`	INTERNAL	SOX	Transaction reference
Journal Entry Amount	`journal_lines.debit/credit`	CONFIDENTIAL	SOX, SEC	Financial transaction
Journal Description	`journal_entries.description`	CONFIDENTIAL	SOX	Business context
Period Status	`periods.status`	INTERNAL	SOX	Operational
Trial Balance	Computed	CONFIDENTIAL	SOX, SEC	Financial summary
Financial Statements	Computed	CONFIDENTIAL	SOX, SEC, GAAP	Reportable financials
Budget Amounts	`budget_lines.amount`	CONFIDENTIAL	-	Planning data
Forecast Values	`forecasts.*`	CONFIDENTIAL	-	Projections

2.4 Bank & Transaction Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Bank Transaction ID	`bank_transactions.id`	INTERNAL	-	Internal reference
Transaction Amount	`bank_transactions.amount`	CONFIDENTIAL	SOX	Financial data
Transaction Date	`bank_transactions.transaction_date`	INTERNAL	-	Temporal data
Transaction Description	`bank_transactions.description`	CONFIDENTIAL	-	May contain PII
Payee Name	`bank_transactions.payee`	CONFIDENTIAL	PII	Third party identity
Check Number	`bank_transactions.check_number`	INTERNAL	-	Reference
Plaid Account ID	`bank_accounts.plaid_account_id`	RESTRICTED	Security	Integration credential

2.5 Integration & Credentials

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Connection ID	`connections.id`	INTERNAL	-	Internal reference
Connector Type	`connections.connector_type`	INTERNAL	-	Configuration
OAuth Tokens	`credentials.oauth_token`	RESTRICTED	Security	Authentication
API Keys	`credentials.api_key`	RESTRICTED	Security	Authentication
Refresh Tokens	`credentials.refresh_token`	RESTRICTED	Security	Authentication
Sync Logs	`sync_logs.*`	INTERNAL	-	Operational

2.6 AI/Agent Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Agent Session ID	`agent_sessions.id`	INTERNAL	-	Internal reference
User Input	`agent_sessions.input`	CONFIDENTIAL	-	May contain sensitive queries
Agent Output	`agent_sessions.output`	CONFIDENTIAL	-	May contain financial data
Tool Calls	`agent_actions.tool_calls`	CONFIDENTIAL	-	Operational details
Model Predictions	`agent_actions.predictions`	CONFIDENTIAL	-	Business insights
Confidence Scores	`agent_actions.confidence`	INTERNAL	-	Quality metric
Checkpoint State	`agent_checkpoints.state`	CONFIDENTIAL	-	Session context
Human Feedback	`agent_feedback.*`	INTERNAL	-	Training data

2.7 Compliance & Audit Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Control ID	`compliance_controls.id`	INTERNAL	-	Reference
Control Definition	`compliance_controls.description`	INTERNAL	SOX, HIPAA, FDA	Control documentation
Test Results	`control_tests.result`	CONFIDENTIAL	SOX, HIPAA, FDA	Compliance evidence
Finding Details	`findings.*`	CONFIDENTIAL	SOX, HIPAA, FDA	Compliance gaps
Evidence Files	`evidence.file_path`	CONFIDENTIAL	SOX, HIPAA, FDA	Audit artifacts
Audit Log Entry	`audit_events.*`	RESTRICTED	SOX, FDA, HIPAA	Immutable record
User Actions	`audit_events.action`	RESTRICTED	SOX, FDA	Activity tracking
IP Address	`audit_events.ip_address`	RESTRICTED	PII, Security	Access tracking

2.8 System & Operational Data

Data Element	Table.Column	Classification	Regulatory Tags	Justification
Application Logs	Log files	INTERNAL	-	Operational
Error Messages	Log files	INTERNAL	-	Debugging
Performance Metrics	Prometheus	INTERNAL	-	Monitoring
Configuration	ConfigMaps	CONFIDENTIAL	Security	System settings
Infrastructure State	Terraform	CONFIDENTIAL	Security	Architecture details

3. Handling Requirements by Classification Level

3.1 PUBLIC (Level 1)

Requirement	Specification
Storage	No restrictions
Encryption at Rest	Not required
Encryption in Transit	HTTPS recommended
Access Control	None required
Retention	Business discretion
Disposal	Standard deletion
Logging	Not required
Masking (Non-Prod)	Not required

Examples: Marketing materials, public documentation, published financial reports

3.2 INTERNAL (Level 2)

Requirement	Specification
Storage	Company-managed systems only
Encryption at Rest	Volume-level (AES-256)
Encryption in Transit	TLS 1.2+ required
Access Control	Authentication required
Retention	Per retention policy (typically 3 years)
Disposal	Secure deletion
Logging	Access logging recommended
Masking (Non-Prod)	Not required

Examples: Internal reports, operational data, system configurations

3.3 CONFIDENTIAL (Level 3)

Requirement	Specification
Storage	Encrypted storage only
Encryption at Rest	AES-256 (CMEK)
Encryption in Transit	TLS 1.3 required
Access Control	Role-based access (RBAC)
Retention	Per regulatory requirements (7 years for financial)
Disposal	Cryptographic erasure or physical destruction
Logging	All access logged
Masking (Non-Prod)	Required - anonymization or synthetic data

Examples: Financial statements, budgets, forecasts, business strategies

3.4 RESTRICTED (Level 4)

Requirement	Specification
Storage	Encrypted, isolated storage
Encryption at Rest	Field-level AES-256-GCM
Encryption in Transit	TLS 1.3 + mTLS for internal
Access Control	Need-to-know, explicit authorization
Retention	Regulatory minimum (varies: 7 years SOX, 6 years HIPAA)
Disposal	Certified destruction with audit trail
Logging	All access logged to immutable audit trail
Masking (Non-Prod)	Required - full anonymization
Additional	DLP monitoring, breach notification

Examples: PII, PHI, credentials, audit logs, tax IDs

4. Regulatory Mappings

4.1 PII Fields (GDPR/CCPA/LGPD)

Field	Data Subject Rights	Consent Required	Portability
Email	Access, Rectification, Erasure	Yes (marketing)	Yes
Name	Access, Rectification, Erasure	No (legitimate interest)	Yes
Phone	Access, Rectification, Erasure	Yes	Yes
IP Address	Access, Erasure	No (legitimate interest)	No
Location	Access, Erasure	Yes	Yes

Implementation:

Right to Access: GET /api/data-subject/{id}/export
Right to Erasure: DELETE /api/data-subject/{id} (with cascading anonymization)
Data Portability: JSON export of all user data

4.2 PHI Fields (HIPAA)

Field	Covered	Minimum Necessary	De-identification
Patient Name	Yes	Role-based	Safe Harbor: Remove
Medical Record #	Yes	Role-based	Safe Harbor: Remove
Diagnosis Codes	Yes	Treatment purpose	Expert Determination
Provider Notes	Yes	Treatment purpose	Expert Determination

Note: FP&A Platform handles PHI only for healthcare customers' financial data that may include aggregate health metrics. Full PHI handling requires dedicated healthcare module.

4.3 SOX-Relevant Data

Data Category	Control Requirement	Retention
Journal Entries	Segregation of duties, approval workflow	7 years
Period Close Records	Documented procedures, sign-off	7 years
Access Logs	User activity tracking	7 years
Financial Reports	Version control, approval chain	7 years

4.4 FDA 21 CFR Part 11

Data Category	Requirement	Implementation
Electronic Records	Tamper-evident	immudb immutable storage
Audit Trails	Who, what, when, why	Comprehensive event logging
Electronic Signatures	Unique, verifiable, meaning	Digital signature with meaning field
System Validation	Documented validation	IQ/OQ/PQ documentation

5. Access Control Matrix

5.1 Role-Based Access by Classification

Role	PUBLIC	INTERNAL	CONFIDENTIAL	RESTRICTED
Viewer	✅ Read	✅ Read	❌	❌
FP&A Analyst	✅ Read	✅ Read	✅ Read (own entity)	❌
Finance Manager	✅ Read	✅ Read/Write	✅ Read/Write	⚠️ Limited
Controller	✅ Read	✅ Read/Write	✅ Read/Write	✅ Read
CFO	✅ Read	✅ Read/Write	✅ Read/Write	✅ Read
Admin	✅ Read	✅ Read/Write	✅ Read/Write	✅ Read/Write
Auditor	✅ Read	✅ Read	✅ Read	✅ Read
System Service	-	✅ As needed	✅ As needed	✅ As needed

5.2 Sensitive Operations Requiring MFA

Operation	MFA Required	Additional Approval
Access RESTRICTED data	Yes	-
Export user data	Yes	Manager approval
Bulk data download	Yes	Manager approval
Change security settings	Yes	Admin approval
Access audit logs	Yes	-
View credentials	Yes	System-only

6. Data Labeling Standards

6.1 Database Column Tags

-- PostgreSQL column comments for classification
COMMENT ON COLUMN users.email IS 'CLASSIFICATION:RESTRICTED;REGULATORY:PII,GDPR,LGPD';
COMMENT ON COLUMN users.first_name IS 'CLASSIFICATION:RESTRICTED;REGULATORY:PII';
COMMENT ON COLUMN journal_lines.debit IS 'CLASSIFICATION:CONFIDENTIAL;REGULATORY:SOX';
COMMENT ON COLUMN audit_events.action IS 'CLASSIFICATION:RESTRICTED;REGULATORY:SOX,FDA';

6.2 API Response Headers

HTTP/1.1 200 OK
Content-Type: application/json
X-Data-Classification: CONFIDENTIAL
X-Contains-PII: false
X-Audit-Required: true

6.3 Log Redaction Rules

REDACTION_RULES = {
    'RESTRICTED': {
        'email': lambda x: hash_email(x),
        'ssn': lambda x: 'XXX-XX-' + x[-4:],
        'account_number': lambda x: '*' * (len(x)-4) + x[-4:],
        'api_key': lambda x: x[:4] + '***' + x[-4:],
    },
    'CONFIDENTIAL': {
        'amount': lambda x: x,  # Keep for debugging
        'description': lambda x: x[:50] + '...' if len(x) > 50 else x,
    }
}

7. Data Flow Classification

7.1 External Data Flows

Flow	Source	Destination	Classification	Controls
Bank Feed Import	Plaid/Banks	Platform	CONFIDENTIAL	TLS 1.3, OAuth2
ERP Sync	QuickBooks/NetSuite	Platform	CONFIDENTIAL	TLS 1.3, OAuth2
Report Export	Platform	User Download	CONFIDENTIAL	Encrypted, watermarked
API Integration	Platform	Customer Systems	CONFIDENTIAL	TLS 1.3, API Key
Audit Export	Platform	Auditor Systems	RESTRICTED	Encrypted, signed

7.2 Cross-Boundary Requirements

Boundary	Requirement
Internet ↔ Platform	TLS 1.3, WAF, rate limiting
Platform ↔ Database	Private network, TLS, IAM
Platform ↔ AI Models	Private endpoint, auth token
Production ↔ Non-Prod	No RESTRICTED data transfer
US ↔ Brazil	LGPD compliance for transfers

8. Compliance Checklist

8.1 New Data Element Checklist

8.2 Periodic Review

Review	Frequency	Owner
Classification audit	Quarterly	Data Governance
Access review	Quarterly	Security
Retention compliance	Annually	Compliance
Data inventory update	Monthly	Data Governance

Data Classification Matrix v1.0 — FP&A Platform Document ID: GOV-001 Classification: Confidential

1. Overview​

Classification Levels​

2. Data Classification by Domain​

2.1 User Data​

2.2 Tenant & Entity Data​

2.3 Financial Data​

2.4 Bank & Transaction Data​

2.5 Integration & Credentials​

2.6 AI/Agent Data​

2.7 Compliance & Audit Data​

2.8 System & Operational Data​

3. Handling Requirements by Classification Level​

3.1 PUBLIC (Level 1)​

3.2 INTERNAL (Level 2)​

3.3 CONFIDENTIAL (Level 3)​

3.4 RESTRICTED (Level 4)​

4. Regulatory Mappings​

4.1 PII Fields (GDPR/CCPA/LGPD)​

4.2 PHI Fields (HIPAA)​

4.3 SOX-Relevant Data​

4.4 FDA 21 CFR Part 11​

5. Access Control Matrix​

5.1 Role-Based Access by Classification​

5.2 Sensitive Operations Requiring MFA​

6. Data Labeling Standards​

6.1 Database Column Tags​

6.2 API Response Headers​

6.3 Log Redaction Rules​

7. Data Flow Classification​

7.1 External Data Flows​

7.2 Cross-Boundary Requirements​

8. Compliance Checklist​

8.1 New Data Element Checklist​

8.2 Periodic Review​