HomeSecurity & Governance › PII & data handling

PII & data handling

Purpose: Keep personal data out of the places AEM makes it easy to leak: logs, caches, analytics, repositories and lower environments.

Who this page is for

AudienceWhy it matters to you
All engineersThe rules
Tech leadsThe classification decisions

The fictional-but-instructive frame

Our running example is a health insurer's plan page — the plan content (premiums, benefits) is public marketing data; a member's details (name, member number, health selections in a quote form) are personal — for a real health insurer, among the most sensitive PII categories there are. The academy example is fictional; the discipline it illustrates is not.

Classify, then place

ClassExamples (fictional)Allowed locations
Public contentPlan pages, premiums/content, caches, CDN — everywhere
Operational dataSync states, rate tables/var, logs (values ok, no persons)
Personal dataQuote form entries, member identifiersPurpose-built stores with retention; transient in AEM at most
Sensitive personalHealth-related selectionsIdeally never rests in AEM — straight through to the system of record

The leak surfaces, and the rules

SurfaceRule
LogsNo PII, ever (logging); IDs yes, identity no; scrubber at the shipper as backstop
Dispatcher/CDN cachesPersonalised responses are never cacheable (no-store + excluded paths); a member's quote cached and served to the next visitor is the nightmare scenario (session 8 rules)
URLsNo PII in query strings/paths (they land in access logs, referrers, analytics automatically)
Analytics/tag dataLayerReviewed schema; no free-form fields fed from user input (third-party governance)
Repository (/var form dumps)Form submissions forward to the system of record; any AEM-side buffer has retention + purge + ACLs (service-user scoped)
Lower environmentsProd content refreshes scrub/mask personal data (environments) — dev with real member data is a breach with extra steps
Backups & exportsInherit the classification of what they contain; access accordingly (backup)

Rights & retention plumbing

Deletion/access requests (whatever the applicable regime calls them) need an inventory: where could personal data be in this platform? — the table above is that inventory's skeleton. Keep it current per feature (security checklist data section), and retention automated (archiving & housekeeping), because a policy without a purge job is a liability list.

Quick navigation