Skip to content

Ecommerce data governance contract

This contract applies to source payloads, canonical data, mappings, Odoo readback, operations, warehouse marts, caches, queues, logs, exports, backups, and non-production fixtures.

Classification

Class Examples Minimum controls
public Published API documentation, non-sensitive schema names Integrity and release review
internal Aggregate service metrics without tenant/customer identity Workforce authentication and least privilege
confidential Tenant configuration, pseudonymous commerce facts, mapping metadata Tenant authorization, encryption, audit, controlled export
restricted Raw source payloads, customer identity/address, financial evidence, Odoo document detail Need-to-know role, strong encryption, time-bound access, detailed audit, retention policy
secret Source/Odoo API keys, webhook secrets, database/object credentials Secrets manager only; never business database, queue, logs, exports, or fixtures
prohibited CVV, full magnetic-stripe data, authentication passwords, unnecessary full PAN Must not be intentionally collected or stored

Detection of prohibited data quarantines the payload, blocks downstream use, alerts security, and follows the data-incident runbook.

Data inventory

Data product Default class System of record Allowed purpose
Connection metadata Confidential; secret references only Platform PostgreSQL Provisioning, health, audit
Raw source payload Restricted Encrypted object storage Replay, evidence, adapter repair
Ingestion envelope/hash Confidential Platform PostgreSQL Deduplication, lineage, operations
Canonical commerce Confidential/restricted by field Platform PostgreSQL Workflow, accounting policy, reconciliation
Posting intent/operation Restricted financial evidence Platform PostgreSQL Approval, idempotency, audit, recovery
Odoo readback snapshot Restricted financial evidence Platform/object storage Mutation verification, reconciliation
Warehouse facts/marts Confidential; pseudonymous Warehouse Reporting and analytics
Export Inherits highest source class Controlled object storage Approved user purpose
Logs/traces Internal/confidential Observability platform Operations; no raw payloads/secrets
Backups Inherits contained classes Backup system Disaster recovery only

Every field in executable schemas carries a classification tag, purpose, retention class, and redaction behavior. Schema CI rejects new unclassified restricted-looking fields.

Minimization

  • Select only source streams and fields required by approved workflows and metrics.
  • Do not ingest card PAN/CVV, passwords, or unrelated marketing/content/customer-history data.
  • Store customer name/address/contact fields only where invoice, tax, fulfillment, support, or evidence requirements justify them.
  • Use stable pseudonymous customer tokens in warehouse dimensions and analytics.
  • Keep source payload references out of normal UI and reporting responses.
  • Detailed Odoo records remain on demand unless a documented projection/reporting requirement exists.
  • Logs contain IDs, hashes, sizes, timing, status, and stable errors, not payload bodies.

Access model

Role Raw payload Canonical detail Financial evidence Marts Export
Client viewer No Tenant-scoped safe view Tenant-scoped safe view Tenant only Approved reports
Staff preparer/reviewer Time-bound case access Assigned tenants Assigned cases/tenants Authorized portfolio Purpose-bound
Integration engineer Time-bound support access Technical fields Redacted by default Health marts No customer export by default
Security/privacy Incident or request scope As required As required Audit views Controlled evidence
Platform service Minimum machine scope Workflow-specific Workflow-specific Serving views No interactive export

Restricted break-glass access requires step-up authentication, reason, incident/case ID, short expiry, immutable audit, and post-access review.

Encryption and key management

  • TLS is required for source, Airbyte, Odoo, API, database, object-store, queue, and observability transport.
  • Databases, object storage, exports, backups, and queue storage use managed encryption at rest.
  • Raw payloads and exports use tenant-aware envelope encryption where supported.
  • Secrets are versioned and rotated in the secrets manager; business tables store only opaque references.
  • Key rotation does not require rewriting business identity or changing operation idempotency keys.
  • Encryption/key access is separated from ordinary application database ownership.

Retention policy

Retention is effective-dated and approved by legal, privacy, security, and accounting owners. The values below are pilot operational defaults, not universal statutory advice.

Retention class Pilot default Disposition
raw_replay 90 days after successful canonicalization Delete payload; retain safe hash/lineage if permitted
webhook_delivery 30 days after terminal processing Delete body; retain delivery ID/status/hash
operational_event 400 days after terminal state Archive/delete according to policy
financial_evidence Tenant/jurisdiction policy; no automatic default Restrict/archive until approved expiry
mapping_policy_history Policy life plus approved audit period Archive; preserve versions used by retained evidence
warehouse_detail Approved reporting horizon Delete or aggregate; preserve controls where required
observability 30-90 days by signal/class Delete; security incidents may enter legal hold
export Seven days unless purpose requires less/more Delete object and revoke signed links
backup Defined backup cycle Expire cryptographically/physically under backup policy

Retention starts from the domain-defined terminal or evidence date, not ingestion time when that would prematurely delete required evidence. Legal hold and incident hold override deletion and are audited.

Data subject and correction handling

  1. Authenticate the requester and establish tenant/subject scope.
  2. Search the subject index, not unrestricted raw payload scans from a browser request.
  3. Classify each result as erasable, correctable, restrictable, or retained under an approved obligation.
  4. Apply deletion/restriction to operational stores, marts, search indexes, caches, exports, and future rebuild inputs.
  5. Preserve non-identifying operation/accounting integrity where lawful by replacing direct identifiers with restricted tokens.
  6. Record decision, legal basis/owner approval, systems affected, completion evidence, and backup propagation behavior.

Posted Odoo accounting records are corrected through approved Odoo/legal workflows, not database deletion. Accountify does not silently rewrite Odoo legal documents.

Exports

Exports are asynchronous resources with:

export_id
tenant_id and authorized scope
requester and purpose
query/filter hash
classification
row count and content hash
generated_at and expires_at
download count
revocation/deletion evidence

Signed download URLs are short-lived and single-purpose. Export generation rechecks authorization and tenant scope; a queued request does not preserve access after a user's permissions are revoked.

Non-production and fixtures

  • Production payloads and customer identity are prohibited in local development and ordinary test environments.
  • Fixtures are synthetic or irreversibly anonymized and reviewed for prohibited/restricted fields.
  • Odoo clones used for capability testing follow approved masking and access controls.
  • Debug dumps, screenshots, HAR files, SQL exports, and dead-letter payloads inherit source classification and retention.
  • Vendor/support transmission requires approved purpose, minimum necessary data, processor terms, and audit.

Offboarding

Tenant offboarding:

  1. Disable new source ingestion and Odoo mutation; revoke/rotate credentials and webhook subscriptions.
  2. Drain or safely classify in-flight operations and preserve unknown-outcome verification.
  3. Produce approved final exports and reconciliation/retention inventory. Where the client's accounting continuity is delivered through a DATEV export archive to their tax advisor, that archive is the authoritative handover record; an Odoo database dump may be offered as a courtesy copy and does not replace approved exports.
  4. Remove interactive access, caches, search indexes, temporary exports, and serving views.
  5. Retain/restrict or delete each data class under the approved policy and legal holds.
  6. Verify object storage, warehouse, queues, observability, backups, and third-party processors.
  7. Record signed completion evidence without retaining secret values.

Lineage and audit

Every reportable/postable value is traceable through:

source connection and payload hash
-> ingestion run/inbox record
-> adapter and canonical event/version
-> policy and mapping versions
-> posting intent and operation attempts
-> Odoo readback
-> reconciliation allocation
-> warehouse batch, fact, mart, metric version
-> export or dashboard query

Audit records are append-only, tenant-scoped, time-synchronized, and protected from ordinary application update/delete roles.

Acceptance criteria

  • Field-level schema inventory has classification, purpose, retention, and redaction metadata.
  • Cross-tenant and unauthorized restricted-data access tests fail across API, SQL, queue, object, cache, search, logs, marts, and exports.
  • Secrets/prohibited data scanners cover commits, logs, fixtures, dead letters, exports, and object storage.
  • Retention jobs are idempotent, hold-aware, audited, and tested against mart rebuilds and backups.
  • Data-subject restriction and tenant offboarding tabletop tests cover every storage/processor class.
  • A deleted raw payload cannot reappear through a later mart rebuild; retained lineage remains non-identifying where required.