koder.toml [privacy] block schema

Draft

Privacy posture schema (koder.toml [privacy])

Status

Draft v0.1.0, written 2026-05-22 alongside COMPL-001 Phase 1.

Scope

Defines the [privacy] block that every Koder Stack Sector that processes user data MUST declare in its koder.toml. The block is purely declarative — services/foundation/compliance aggregates these declarations into a registry without runtime impact.

Block schema

[privacy]
data_collected         = ["email", "name", "device_id", "ip"]
retention_days         = 2555     # 0 = no retention; -1 = retain forever
third_party_sharing    = false
data_residency         = "BR"     # ISO 3166-1 alpha-2; "any" for none
dsr_supported          = true     # subject access + erasure work end-to-end
privacy_policy_url     = "https://<sector>.koder.dev/privacy"
last_reviewed          = "2026-05-22"  # ISO 8601 date

Field reference (R-fields, normative)

  • R1 data_collected — array of strings, required, may be []. Each string identifies a category of personal data per LGPD §5/GDPR §4 (e.g. "email", "phone", "location", "biometric", "financial", "health"). The aggregator MAY validate against an allowlist of known categories; unknown categories are flagged as warnings, not errors.

  • R2 retention_days — integer ≥ -1, required. Semantics:
    • 0 — the item is not retained server-side (transient processing only)
    • > 0 — items older than this many days are subject to deletion
    • -1 — retained indefinitely (must align with data_residency, plus a legal-hold escape valve via ediscovery)

  • R3 third_party_sharing — boolean, required. If true, a follow-up [privacy.third_parties] table MUST list each partner (validation of that table is out of scope for v0.1.0; tracked in COMPL-002).

  • R4 data_residency — string, required. ISO 3166-1 alpha-2 country code, or "any" if the Sector processes globally.

  • R5 dsr_supported — boolean, required. true means the Sector implements all 4 DSR types end-to-end (access, rectify, erase, portability) and is subscribed to the services/foundation/compliance DSR fan-out. false means manual DSR handling is required.

  • R6 privacy_policy_url — string, required. URL of the published privacy policy section covering this Sector.

  • R7 last_reviewed — string, optional. ISO 8601 date of the last privacy review for the block. The aggregator warns if it is older than 12 months.

Aggregation contract

The koder-compliance-aggregator binary walks the monorepo, reads every koder.toml that declares a [privacy] block, validates the schema, and emits:

  • meta/docs/stack/registries/privacy-postures.md — human-readable table indexed by Sector
  • non-zero exit code if any block fails validation (R1–R7)
  • warning (non-zero exit only with `--strict`) if a Sector with `[sector] domain = "products" | "services"` is missing the `[privacy]` block

Tests (T-suite — must pass in CI)

  • T1 Valid block passes
  • T2 Missing required field fails
  • T3 Unknown data_collected entry warns but doesn't fail
  • T4 retention_days < -1 fails
  • T5 data_residency not in ISO list fails
  • T6 Sector with user data and a missing [privacy] block fails in --strict mode
  • T7 Aggregated registry matches golden fixture

References

  • services/foundation/compliance/docs/rfcs/RFC-001-architecture.kmd
  • meta/docs/stack/policies/multi-tenant-by-default.kmd
  • meta/docs/stack/policies/identity-data-retention.kmd
  • LGPD §5, §6, §18 / GDPR §4, §13, §15–22

Source: ../home/koder/dev/koder/meta/docs/stack/specs/privacy/posture-schema.kmd