Data handling standards
Classification answers what a record is. Handling standards answer what you are allowed to do with it. The rules below are not aspirational. Every storage system, ETL job, and DSAR workflow at Bizzi is built against them.
Context
Three forces shape these standards: Decree 13/2023 on personal data protection, the Vietnam Accounting Law’s retention requirements, and customer contracts specifying residency and erasure rights. Where these conflict, and they sometimes do around retention floors, the framework defaults to the strictest applicable rule and escalates the conflict to legal review rather than letting an engineer make an ad-hoc call.
Encryption
- At rest. AES-256 for any storage holding Level 3 to 4 data. Keys are managed through an HSM or a managed KMS. Enterprise customers can elect BYOK (bring your own key).
- In transit. TLS 1.3+ for all external traffic. mTLS for service-to-service traffic inside our infrastructure. HSTS is mandatory on public domains.
- Field-level. PII fields in the OLTP database are encrypted with a separate key from the database master key. Decryption happens only in application memory when serving an authorized user. Decrypted values are never logged.
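The field-level rule above, as an added Go example that is not Bizzi's code: PII columns are sealed under a key that is independent of the database master key, decryption happens only in process memory for a principal the authorization layer has already cleared, and the audit line that records the access never carries the value. The key generation, the `Principal` type and the `pii_access` log format are assumptions made for this example; in production the keys come from the HSM/KMS or the tenant's BYOK key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// randomKey stands in for a key fetched from the HSM/KMS (or a tenant's BYOK key).
func randomKey() []byte {
	k := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// KeyRing holds two independent keys: the field key is never derived from the
// database master key, so compromise of one does not expose the other's data.
type KeyRing struct {
	DBMasterKey []byte // protects the database as a whole
	PIIFieldKey []byte // protects individual PII columns
}

func NewKeyRing() *KeyRing { return &KeyRing{DBMasterKey: randomKey(), PIIFieldKey: randomKey()} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value with AES-256-GCM. The column name is bound as
// associated data, so a ciphertext moved to another column fails to open.
func EncryptField(key []byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField opens a stored value. Wrong key, wrong column or tampering all
// surface as an error, never as garbage plaintext.
func DecryptField(key []byte, column, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Principal is an assumption for this example; PIIRead is the authorization layer's decision.
type Principal struct {
	ID      string
	PIIRead bool
}

var ErrNotAuthorized = errors.New("principal not authorized to read PII")

// ServeField decrypts a column only for an authorized principal. The plaintext
// exists only in the returned string; nothing on this path logs it.
func ServeField(kr *KeyRing, p Principal, column, stored string) (string, error) {
	if !p.PIIRead {
		return "", ErrNotAuthorized
	}
	return DecryptField(kr.PIIFieldKey, column, stored)
}

// AccessLogLine records who read which column of which record, never the value.
func AccessLogLine(p Principal, recordID, column string) string {
	return fmt.Sprintf("pii_access principal=%s record=%s column=%s value=[redacted]", p.ID, recordID, column)
}

func main() {
	kr := NewKeyRing()
	stored, _ := EncryptField(kr.PIIFieldKey, "tax_id", "0123456789") // constructed sample value
	value, err := ServeField(kr, Principal{ID: "u-42", PIIRead: true}, "tax_id", stored)
	fmt.Println(value, err, AccessLogLine(Principal{ID: "u-42"}, "inv-1001", "tax_id"))
}
```

Binding the column name as associated data is the detail worth copying: a ciphertext lifted from `tax_id` and written into `email` will not decrypt, and a ciphertext opened with the database master key fails the same way, which is exactly the separation the rule asks for.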
Retention
Retention is bounded by classification, but the actual ceiling comes from the customer contract or the legal floor (Accounting Law, Decree 13), whichever is stricter.
| Level | Default retention | Shorten? | Extend? |
|---|---|---|---|
| Public | Unlimited | Yes | n/a |
| Internal | 5 years | Yes | With approval |
| Confidential | Per customer contract (5 to 10 years) | Per contract | Per contract |
| PII | Legal floor (Decree 13, Accounting Law); 10 years maximum | Yes (early termination) | Requires justification plus DPO approval |
Audit trail retention runs on its own schedule. Hot 90 days, warm 1 year, cold 7 years.
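The table and the "strictest rule, then escalate" policy from the Context section, encoded as one resolver. This is an added Go example, not Bizzi's code. The page does not state the numeric legal floor for PII, so the function takes it as a parameter and `main` passes a labelled placeholder; the two error values are assumptions standing in for whatever ticketing or approval workflow actually carries an escalation.

```go
package main

import (
	"errors"
	"fmt"
)

type Level int

const (
	Public       Level = iota + 1 // Level 1
	Internal                      // Level 2
	Confidential                  // Level 3
	PII                           // Level 4
)

// Unlimited marks a retention with no ceiling (Public data only).
const Unlimited = -1

// Figures from the retention table.
const (
	internalDefaultYears = 5
	confidentialMinYears = 5
	confidentialMaxYears = 10
	piiMaxYears          = 10
)

var (
	// Contract and legal floor disagree: the framework escalates instead of guessing.
	ErrEscalateToLegal = errors.New("retention conflict: escalate to legal review")
	// Extending past the default or the ceiling needs approval (DPO approval for PII).
	ErrApprovalRequired = errors.New("retention extension requires approval")
)

// EffectiveRetentionYears resolves the retention period for one classification.
// contractYears is 0 when the contract is silent. legalFloorYears is the
// statutory minimum for PII under Decree 13 / the Accounting Law; the page does
// not state that number, so the caller supplies it.
func EffectiveRetentionYears(level Level, contractYears, legalFloorYears int) (int, error) {
	switch level {
	case Public:
		return Unlimited, nil
	case Internal:
		switch {
		case contractYears == 0:
			return internalDefaultYears, nil
		case contractYears <= internalDefaultYears:
			return contractYears, nil // shortening is always allowed
		default:
			return 0, ErrApprovalRequired
		}
	case Confidential:
		if contractYears < confidentialMinYears || contractYears > confidentialMaxYears {
			return 0, ErrEscalateToLegal // no valid contract term: not an engineering call
		}
		return contractYears, nil
	case PII:
		switch {
		case contractYears == 0:
			return legalFloorYears, nil
		case contractYears < legalFloorYears:
			return 0, ErrEscalateToLegal // contract shorter than the legal floor
		case contractYears > piiMaxYears:
			return 0, ErrApprovalRequired // beyond the 10-year ceiling: justification + DPO
		default:
			return contractYears, nil
		}
	}
	return 0, fmt.Errorf("unknown level %d", level)
}

func main() {
	const placeholderLegalFloorYears = 5 // PLACEHOLDER: the real floor comes from legal
	cases := []struct {
		level    Level
		contract int
	}{{Public, 0}, {Internal, 8}, {Confidential, 7}, {PII, 3}, {PII, 12}}
	for _, c := range cases {
		years, err := EffectiveRetentionYears(c.level, c.contract, placeholderLegalFloorYears)
		fmt.Printf("level=%d contract=%d -> years=%d err=%v\n", c.level, c.contract, years, err)
	}
}
```

The point of returning a distinct error for the conflict case is that an ETL job or retention sweeper cannot silently pick a number: it either gets a definite period or it stops and hands the record to legal review.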
Deletion
When retention expires or a customer requests erasure (DSAR), deletion runs as a five-step process, never as a single DELETE.
- Soft delete. Set deleted_at. The record disappears from queries but remains recoverable.
- Grace period. 30 days, during which the record can be restored if the deletion was a mistake.
- Hard delete. Physical removal from the OLTP database.
- Cascade. CDC propagates the deletion to OLAP and Vector DB.
- Backup expiry. Backups carry their own retention. When a backup ages out, any record it contained is gone with it.
The audit log entry recording the deletion is itself never deleted.
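The five steps as an in-memory state machine, added here as a Go example that is not Bizzi's code. Hard delete is refused while the 30-day grace period is running, restore is refused once it has passed, the hard delete emits the CDC event that cascades to OLAP and the vector DB, and the audit entries are kept in an append-only slice that no method removes from. The store, event and audit shapes are assumptions; the one-year figure in `LongestBackupRetention` is the monthly-archive retention from the backups section.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	GracePeriod            = 30 * 24 * time.Hour  // restore window after a soft delete
	LongestBackupRetention = 365 * 24 * time.Hour // monthly archives, from the backups section
)

var (
	ErrNotFound       = errors.New("record not found")
	ErrNotSoftDeleted = errors.New("record is not soft-deleted")
	ErrGraceActive    = errors.New("grace period still running: hard delete refused")
	ErrGraceExpired   = errors.New("grace period over: restore refused")
)

// CDCEvent is what change-data-capture carries to OLAP and the vector DB.
type CDCEvent struct {
	Op, RecordID string
	Targets      []string
}

type AuditEntry struct {
	At                      time.Time
	Actor, Action, RecordID string
}

// Store models the OLTP side. Records maps an id to its soft-delete time (zero
// while live). Audit is append-only: no method removes from it.
type Store struct {
	Records map[string]time.Time
	CDC     []CDCEvent
	Audit   []AuditEntry
}

func NewStore() *Store         { return &Store{Records: map[string]time.Time{}} }
func (s *Store) Put(id string) { s.Records[id] = time.Time{} }

func (s *Store) log(now time.Time, actor, action, id string) {
	s.Audit = append(s.Audit, AuditEntry{At: now, Actor: actor, Action: action, RecordID: id})
}

// Visible is what ordinary queries see: live records only.
func (s *Store) Visible(id string) bool {
	del, ok := s.Records[id]
	return ok && del.IsZero()
}

// Step 1: soft delete. The row stays, queries stop returning it.
func (s *Store) SoftDelete(id, actor string, now time.Time) error {
	if _, ok := s.Records[id]; !ok {
		return ErrNotFound
	}
	s.Records[id] = now
	s.log(now, actor, "soft_delete", id)
	return nil
}

// Step 2: inside the grace period the deletion can be undone.
func (s *Store) Restore(id, actor string, now time.Time) error {
	del, ok := s.Records[id]
	switch {
	case !ok:
		return ErrNotFound
	case del.IsZero():
		return ErrNotSoftDeleted
	case now.Sub(del) > GracePeriod:
		return ErrGraceExpired
	}
	s.Records[id] = time.Time{}
	s.log(now, actor, "restore", id)
	return nil
}

// Steps 3 and 4: physical removal, then the CDC event that cascades it. The audit entry outlives the record.
func (s *Store) HardDelete(id, actor string, now time.Time) error {
	del, ok := s.Records[id]
	switch {
	case !ok:
		return ErrNotFound
	case del.IsZero():
		return ErrNotSoftDeleted
	case now.Sub(del) <= GracePeriod:
		return ErrGraceActive
	}
	delete(s.Records, id)
	s.CDC = append(s.CDC, CDCEvent{Op: "hard_delete", RecordID: id, Targets: []string{"olap", "vectordb"}})
	s.log(now, actor, "hard_delete", id)
	return nil
}

// Step 5: backups age out on their own schedule; this is the earliest moment at which none can still hold the record.
func FullyGoneBy(hardDeletedAt time.Time) time.Time { return hardDeletedAt.Add(LongestBackupRetention) }

func main() {
	s := NewStore()
	s.Put("inv-1001") // constructed record id
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(s.SoftDelete("inv-1001", "dsar-bot", t0), s.HardDelete("inv-1001", "dsar-bot", t0.Add(GracePeriod+time.Hour)))
	fmt.Println(len(s.Audit), "audit entries; fully gone by", FullyGoneBy(t0.Add(GracePeriod+time.Hour)))
}
```

`FullyGoneBy` is the date a DSAR response can honestly call the record gone: the OLTP row is removed at hard delete, but a backup taken the day before still contains it until that backup ages out.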
DSAR, Data Subject Access Request
Decree 13 grants data subjects the right to access, correct, delete, and opt out. Our DSAR flow:
- Receive through a defined channel (security@ or the customer portal).
- Verify identity. Confirm the request is from the actual data subject, not an impersonator.
- Identify scope. Find every record belonging to the subject across OLTP, OLAP, Vector DB, and backups.
- Act. Generate a data report (access), update the record (correction), trigger the deletion pipeline (erasure), or flag for exclusion from future training data (opt-out).
- Respond within 30 working days, as required by Decree 13.
- Document the DSAR record for audit.
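The parts of this flow that are easy to get wrong in code are the clock and the ordering, so this added Go example (not Bizzi's code) covers both: a 30-working-day deadline that skips weekends and a caller-supplied holiday list, an overdue check to wire into alerting, and a dispatcher that sends an unverified request back to identity verification before any of the four actions. The `DSAR` record shape, the action names and the holiday calendar are assumptions; the page says only "30 working days". The deadline function is general in that it works for any receipt date, including a weekend.

```go
package main

import (
	"fmt"
	"time"
)

const ResponseWorkingDays = 30 // the Decree 13 response window

type RequestType int

const (
	Access RequestType = iota
	Correction
	Erasure
	OptOut
)

// ScopeStores are the systems every DSAR must be searched across.
var ScopeStores = []string{"oltp", "olap", "vectordb", "backups"}

type DSAR struct {
	ID, SubjectID string
	Type          RequestType
	Channel       string // "security@" or "portal"
	ReceivedAt    time.Time
	Verified      bool // identity confirmed before anything else happens
}

func isoDate(t time.Time) string { return t.Format("2006-01-02") }

// Deadline counts working days after receipt, skipping weekends and the holidays
// supplied by the caller (the holiday calendar is an assumption of this example).
func Deadline(receivedAt time.Time, holidays []time.Time) time.Time {
	skip := map[string]bool{}
	for _, h := range holidays {
		skip[isoDate(h)] = true
	}
	day, counted := receivedAt, 0
	for counted < ResponseWorkingDays {
		day = day.AddDate(0, 0, 1)
		if wd := day.Weekday(); wd == time.Saturday || wd == time.Sunday || skip[isoDate(day)] {
			continue
		}
		counted++
	}
	return day
}

func (d DSAR) Deadline(holidays []time.Time) time.Time { return Deadline(d.ReceivedAt, holidays) }

// Overdue is true once the clock has run out; wire this to alerting.
func (d DSAR) Overdue(now time.Time, holidays []time.Time) bool { return now.After(d.Deadline(holidays)) }

// NextAction maps the request onto the step the flow prescribes. An unverified
// request goes nowhere except back to identity verification.
func (d DSAR) NextAction() string {
	if !d.Verified {
		return "verify_identity"
	}
	switch d.Type {
	case Access:
		return "generate_data_report"
	case Correction:
		return "update_record"
	case Erasure:
		return "trigger_deletion_pipeline"
	case OptOut:
		return "flag_training_exclusion"
	}
	return "unknown"
}

func main() {
	// Constructed request and a constructed holiday date.
	req := DSAR{ID: "dsar-0001", SubjectID: "subj-9", Type: Erasure, Channel: "portal",
		ReceivedAt: time.Date(2025, 1, 6, 9, 0, 0, 0, time.UTC), Verified: true}
	holidays := []time.Time{time.Date(2025, 1, 29, 0, 0, 0, 0, time.UTC)}
	fmt.Println("scope:", ScopeStores, "next:", req.NextAction(), "due:", isoDate(req.Deadline(holidays)))
}
```

Counting from the day after receipt, rather than from the receipt day itself, is the conservative reading; if legal reads the decree differently, that is a one-line change in `Deadline` and nothing else moves.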
Backups and cross-border transfer
Backups are encrypted at the same level as primary storage. Kept for 30 days (replication), 90 days (backup files), or 1 year (monthly archives). Restoration is tested monthly against a sample backup. Backup region must be compatible with each tenant’s residency configuration.
Level 3 to 4 data does not cross borders unless the tenant has explicitly enabled multi-region in their DPA, a Standard Contractual Clause equivalent is in place, and the receiving country offers equivalent protection.
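The cross-border rule and the backup-region requirement as one policy check, added here as a Go example that is not Bizzi's code. All three conditions are evaluated and every unmet one is reported, so a denied replication or backup job can be fixed in a single pass instead of failing three times. The region names, the country codes and the adequacy list are constructed for the example; treating a backup copy under the same rule as any other copy is an assumption, since the page requires residency compatibility without spelling out the test.

```go
package main

import "fmt"

// Region carries the country whose law applies to data stored there.
type Region struct {
	Name, Country string
}

type Tenant struct {
	ID             string
	HomeRegion     Region
	MultiRegionDPA bool // multi-region explicitly enabled in the tenant's DPA
	SCCEquivalent  bool // a Standard Contractual Clause equivalent is in place
}

// Adequate lists receiving countries that offer equivalent protection. Legal
// maintains the real list; the entries used below are constructed.
type Adequate map[string]bool

// TransferAllowed applies the cross-border rule to a copy of data at the given
// classification level (1 to 4) landing in dest, returning every unmet condition.
func TransferAllowed(level int, t Tenant, dest Region, adequate Adequate) (bool, []string) {
	if dest.Country == t.HomeRegion.Country {
		return true, nil // same jurisdiction: not a cross-border transfer
	}
	if level < 3 {
		return true, nil // the rule binds Level 3 to 4 data only
	}
	var unmet []string
	if !t.MultiRegionDPA {
		unmet = append(unmet, "multi-region not enabled in DPA")
	}
	if !t.SCCEquivalent {
		unmet = append(unmet, "no SCC equivalent in place")
	}
	if !adequate[dest.Country] {
		unmet = append(unmet, "receiving country lacks equivalent protection")
	}
	return len(unmet) == 0, unmet
}

// BackupRegionCompatible treats a backup copy like any other copy of the data
// (an assumption of this example; see the lead-in).
func BackupRegionCompatible(level int, t Tenant, backup Region, adequate Adequate) bool {
	ok, _ := TransferAllowed(level, t, backup, adequate)
	return ok
}

func main() {
	vn, sg := Region{"vn-south", "VN"}, Region{"sg-central", "SG"} // constructed regions
	tenant := Tenant{ID: "t-1", HomeRegion: vn, MultiRegionDPA: true}  // no SCC yet
	ok, why := TransferAllowed(4, tenant, sg, Adequate{"SG": true})
	fmt.Println(ok, why, BackupRegionCompatible(4, tenant, vn, nil))
}
```

The same-country short-circuit comes first on purpose: a tenant with no multi-region DPA must still be able to back up inside its home jurisdiction, and the three transfer conditions only apply once a copy actually leaves it.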