Privacy + AI + Plaid controls
Data Classification
Classification rules for BellPathOS data, client-owned AI keys, local storage, and bank/brokerage connector data.
Data classification
Know what BellPathOS is handling
This is the operating rulebook for privacy, AI prompts, Plaid, export/delete, and future SOC 2 evidence.
| Class | Examples | Storage rule | AI rule |
|---|---|---|---|
| Public | marketing copy, pricing pages, blog posts | public site | allowed if non-sensitive |
| Local Only | setup profile, demo mode, preferences | browser local storage | only if user submits |
| Sensitive | debt balances, paycheck notes, workplace issue logs, family stability data | local first; exportable by client | user consent required |
| Confidential | AI API key vault metadata, license backup, private contact details | encrypted or local only | do not send unless necessary |
| Restricted | Plaid secret, Plaid access token, bank routing/account data, raw brokerage account tokens | never in public browser JavaScript; Worker secret/KV/D1 only | never send by default |
| AI Shared | prompts sent to the client-selected model provider | provider dependent | explicit notice and client-owned key |
| Plaid Connected | account names, balances, transactions, holdings | client-owned Worker; least necessary data | summarized only with consent |
Restricted data rule
Never put Plaid secrets in public browser code
Client-owned Plaid is supported, but the Plaid secret belongs in a Cloudflare Worker secret or other backend secret manager. BellPathOS should store only the client-owned Worker URL and non-secret connector preferences in the browser.
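The two halves of this rule, as an added example that is not BellPathOS code: a browser-side check that refuses to persist anything other than the client-owned Worker URL and non-secret connector preferences, and a Worker-side summarizer that reads the Plaid secret from an env binding and returns only the least necessary account fields. Field names such as `workerUrl`, `plaidEnv` and `PLAID_SECRET` are assumptions for illustration.

```javascript
// Added example, not BellPathOS code. Enforces the Restricted row of the table:
// the browser may persist only the client-owned Worker URL plus non-secret preferences,
// while the Plaid secret and access tokens stay in Worker secrets (env bindings), KV or D1.
// Field names (workerUrl, plaidEnv, PLAID_SECRET, ...) are assumptions for illustration.

const ALLOWED_BROWSER_KEYS = new Set(["workerUrl", "plaidEnv", "products", "autoSync"]);
// Key names that indicate Restricted data and must never reach browser local storage.
const RESTRICTED_KEY = /secret|access_?token|routing|account_?number/i;
// Plaid access tokens carry an "access-<env>-" prefix; treat any such value as Restricted.
const PLAID_ACCESS_TOKEN = /access-(sandbox|development|production)-/;

// Validate a connector config before it is written to browser local storage.
// Returns { ok: true } or { ok: false, reason }.
function validateBrowserConnectorConfig(config) {
  for (const [key, value] of Object.entries(config)) {
    if (RESTRICTED_KEY.test(key)) return { ok: false, reason: `restricted field: ${key}` };
    if (!ALLOWED_BROWSER_KEYS.has(key)) return { ok: false, reason: `unknown field: ${key}` };
    if (typeof value === "string" && PLAID_ACCESS_TOKEN.test(value)) {
      return { ok: false, reason: `access token in field: ${key}` };
    }
  }
  if (!/^https:\/\//.test(config.workerUrl || "")) return { ok: false, reason: "workerUrl must be https" };
  return { ok: true };
}

// Worker side: reduce a Plaid-style account record to the least necessary fields
// (Plaid Connected row) before it crosses to the browser. The secret is read from
// the Worker env binding and checked here only; it is never part of the response.
function summarizeAccountsForBrowser(env, accounts) {
  if (typeof env.PLAID_SECRET !== "string" || env.PLAID_SECRET.length === 0) {
    throw new Error("PLAID_SECRET binding missing; refuse to run without a server-side secret");
  }
  return accounts.map((a) => ({
    name: a.name,
    type: a.type,
    currentBalance: a.balances && a.balances.current,
    // deliberately omitted: account mask/number, routing data, access tokens
  }));
}

// Defence in depth: confirm a response body carries neither the secret nor a token.
function containsRestricted(body, env) {
  const text = JSON.stringify(body);
  return text.includes(env.PLAID_SECRET) || PLAID_ACCESS_TOKEN.test(text);
}
```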
