Automated Governance & Policy Enforcement

Governance in DataSurface isn't a document on a wiki—it's executable code. Policies defined at the Zone level are automatically enforced against every dataset and container within that zone.

Governance Zones

The ecosystem is divided into Governance Zones (e.g., "EU Zone", "Finance Zone"). A Zone acts as a federation boundary that defines ownership and applies default policies to all Teams contained within it.

Policy-Driven Data Placement

Policies control where data can live based on its classification. If a developer tries to place sensitive data in a non-compliant location, the model linting fails, blocking the change.

Geographic Restrictions

"Data classified as EU_Citizen_PII must only be stored in Infrastructure Locations tagged as 'EU'."

Prevents accidental data sovereignty violations.

Cloud Vendor Lock

"Highly Confidential IP data cannot be stored on public cloud vendors (AWS, Azure). It must reside on Private/On-Premise infrastructure."

Enforces security posture automatically.

Storage Type Constraints

"Financial Ledger data must be stored in ACID-compliant databases (Postgres, Oracle) and cannot be dumped into object storage (S3) without encryption."

Ensures technical suitability and compliance.

How It Works

  1. Define Policy: The Zone Administrator writes a policy in Python (e.g., require_eu_residency_for_pii).
  2. Classify Data: A Data Producer tags a new Dataset column as PII.
  3. Assign Infrastructure: The Producer attempts to map this dataset to an AWS bucket in us-east-1.
  4. Linting Fails: The DataSurface linter runs the policy. It sees PII data mapped to a US location. The build fails with a clear error message.
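The four steps above, sketched as an added example (not DataSurface's own code or API): the `Location`, `Dataset`, `Zone` and `lint` names and the sample data are hypothetical, and only the policy name `require_eu_residency_for_pii` and the `EU_Citizen_PII` / `'EU'` tags come from this page.

```python
from dataclasses import dataclass, field

# Hypothetical minimal model; these classes are NOT the DataSurface API.
@dataclass(frozen=True)
class Location:
    name: str
    vendor: str
    tags: frozenset = frozenset()

@dataclass
class Dataset:
    name: str
    columns: dict            # column name -> classification tag
    location: Location

@dataclass
class Zone:
    name: str
    policies: list = field(default_factory=list)
    datasets: list = field(default_factory=list)

def require_eu_residency_for_pii(ds: Dataset) -> list:
    """Zone policy: EU_Citizen_PII may only live in locations tagged 'EU'."""
    pii = sorted(c for c, cls in ds.columns.items() if cls == "EU_Citizen_PII")
    if pii and "EU" not in ds.location.tags:
        return [f"{ds.name}: columns {pii} are EU_Citizen_PII but "
                f"location '{ds.location.name}' is not tagged 'EU'"]
    return []

def lint(zone: Zone) -> list:
    """Run every zone policy against every dataset; any finding fails the build."""
    return [msg for ds in zone.datasets for policy in zone.policies
            for msg in policy(ds)]

# Constructed sample data mirroring steps 2-4.
US_EAST = Location("aws-s3-us-east-1", "AWS", frozenset({"US"}))
EU_WEST = Location("aws-s3-eu-west-1", "AWS", frozenset({"EU"}))

def build_zone(location: Location) -> Zone:
    customers = Dataset("customers", {"id": "Public", "email": "EU_Citizen_PII"}, location)
    return Zone("EU Zone", [require_eu_residency_for_pii], [customers])

if __name__ == "__main__":
    findings = lint(build_zone(US_EAST))
    for f in findings:
        print("LINT ERROR:", f)
    raise SystemExit(1 if findings else 0)   # non-zero exit blocks the change
```

Because the policy is inherited from the Zone, the producer's dataset is checked without the team opting in; remapping the dataset to the EU-tagged location clears the finding.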

🛡️ Maps to SOC 2 Controls

These governance capabilities directly support SOC 2 Trust Service Criteria:

  • CC6.6: Data Classification Policies restrict logical access to appropriately classified data
  • CC6.3: Multi-level authorization (Ecosystem → Zone → Team) enforces segregation of duties
  • CC9.1: Location policies support data residency and disaster recovery requirements