Data Map
Two engines + four agents that answer three questions: where is the regulated data, how sensitive is each asset, and which stores should we harden first?
Engines
@regunav/engines/data-classification-engine
Applies the canonical data-classification dictionary (public / internal / confidential / restricted / regulated) to a single asset. Returns the sensitivity tier, the GDPR Art. 9 special-category flag, the minimum retention floor per regulatory regime, the recommended lawful basis, and an issue list for configurations that violate the floor (e.g. retention below the HIPAA 6-year minimum, marketing on special-category data).
```ts
import { classifyAsset } from "@regunav/engines/data-classification-engine";

const result = classifyAsset({
  id: "asset-1",
  name: "customers.identity",
  kind: "table",
  storeId: "pg-prod-eu",
  residency: "eu",
  dataClasses: ["pii", "financial"],
  purpose: "service_provision",
  lawfulBasis: "contract",
  recordCount: 124_000,
});
// → sensitivity: "restricted", minimumRetentionDays: 2555, ...
```
@regunav/engines/data-concentration-map
Aggregates a list of classified assets into per-bucket concentration scores keyed by (sensitivity × dataClass × store × residency × purpose). Surfaces the top-N hotspots by risk-weight, per-store totals, per-class totals, per-residency totals, and inferred store-to-store flow edges.
```ts
import { buildConcentrationMap } from "@regunav/engines/data-concentration-map";

const map = buildConcentrationMap(classifiedAssets);
// → { buckets, topBuckets, storeTotals, classTotals,
//     residencyTotals, flowEdges, summary }
```
Agents (4 new in V2.x)
- Risk Officer — ingests AI systems + vendors + findings + drift, computes ISO 31000 5×5 residual risk, drafts treatment plans per ISO 27005.
- Data Classifier — applies the classification dictionary to every declared asset. Cites GDPR Art. 4 + 9, HIPAA §164.514, PCI DSS §3.2, ISO 27001 A.5.12.
- Data Mapper — builds the concentration map. Cites GDPR Art. 30, ISO 27001 A.5.12, NIST SP 800-60.
- DSAR Handler — uses the map to enumerate every store a subject's records sit in when an access / deletion / portability request arrives. Cites GDPR Art. 15 / 16 / 17 / 20, CCPA §1798.110, LGPD Art. 18.
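The aggregation behind the concentration map that the Data Mapper builds, as an added sketch (not the @regunav engine's code). The tier weights, the `recordCount × weight` scoring rule, the choice to count a multi-class asset in one bucket per class, the name `sketchConcentrationMap`, and the sample store names are all assumptions made for illustration.

```javascript
// Added sketch, not the @regunav engine. The weights are assumed values.
const ASSUMED_WEIGHT = { public: 0, internal: 1, confidential: 3, restricted: 7, regulated: 10 };

// Constructed sample input, shaped like the classifyAsset call on this page
// plus the sensitivity tier the classifier returns.
const sampleAssets = [
  { id: "asset-1", storeId: "pg-prod-eu", residency: "eu", purpose: "service_provision",
    sensitivity: "restricted", dataClasses: ["pii", "financial"], recordCount: 124_000 },
  { id: "asset-2", storeId: "pg-prod-eu", residency: "eu", purpose: "service_provision",
    sensitivity: "restricted", dataClasses: ["pii"], recordCount: 6_000 },
  { id: "asset-3", storeId: "s3-analytics-us", residency: "us", purpose: "analytics",
    sensitivity: "regulated", dataClasses: ["health"], recordCount: 50_000 },
  { id: "asset-4", storeId: "s3-analytics-us", residency: "us", purpose: "analytics",
    sensitivity: "internal", dataClasses: ["telemetry"], recordCount: 90_000 },
];

function sketchConcentrationMap(assets, topN = 3) {
  const buckets = new Map();
  const storeTotals = {};
  const classTotals = {};
  for (const a of assets) {
    const weight = ASSUMED_WEIGHT[a.sensitivity];
    if (weight === undefined) throw new Error(`unknown sensitivity tier: ${a.sensitivity}`);
    const score = a.recordCount * weight;
    // Store totals count each asset once, even if it carries several data classes.
    storeTotals[a.storeId] = (storeTotals[a.storeId] ?? 0) + score;
    for (const dataClass of a.dataClasses) {
      // Bucket key: sensitivity × dataClass × store × residency × purpose.
      const key = [a.sensitivity, dataClass, a.storeId, a.residency, a.purpose].join("|");
      const b = buckets.get(key) ?? { key, records: 0, score: 0, assetIds: [] };
      b.records += a.recordCount;
      b.score += score;
      b.assetIds.push(a.id);
      buckets.set(key, b);
      classTotals[dataClass] = (classTotals[dataClass] ?? 0) + score;
    }
  }
  // Highest risk-weighted score first; ties broken by key so the order is stable.
  const ranked = [...buckets.values()].sort((x, y) => y.score - x.score || x.key.localeCompare(y.key));
  return { buckets: ranked, topBuckets: ranked.slice(0, topN), storeTotals, classTotals };
}
```

With these assumed weights, the EU Postgres store's PII bucket ranks first because two assets land in the same bucket, which is the kind of hotspot the top-N list is meant to surface.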
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /v1/data-map?tenantId= | Full ConcentrationMap response |
| POST | /v1/data-map/classify | Live classify a single asset (no persistence) |
UI surfaces
- app.regunav.com/data-map — customer dashboard.
- <DataConcentrationWidget /> — embeddable widget for partners, consultants, trainers. See SDKs for the import path.
Audit posture
Every engine output emits an audit-trail entry into the WORM chain (Principle #45). The Data Mapper agent persists its hotspot list to the evidence-pack at the end of each run so an auditor can reconstruct the state of the map at any prior timestamp via the replay engine.