Skip to content

Security Capability

The Security capability exposes four independent sub-capabilities for data protection.

Sub-Capabilities

Sub-Capability Purpose Operations
Classification Identify and label sensitive data classify, tag, score_risk
Encryption Encrypt/decrypt data at field level encrypt, decrypt, rotate_keys
Tokenisation Replace sensitive values with tokens tokenise, detokenise, validate
Secret Management Resolve and manage secrets resolve_secret, rotate_secret, validate_access

Classification Contract

public interface ClassificationContract extends BaseProviderContract {
    ClassificationResult classify(String fieldId, Object value);
    void tag(String fieldId, String classification);
    RiskScore scoreRisk(String fieldId);
}

Returns: field identifier, classification label, confidence score (0.0–1.0), applicable policy references.

Encryption Contract

public interface EncryptionContract extends BaseProviderContract {
    EncryptionResult encrypt(byte[] data, String keyReference);
    byte[] decrypt(byte[] ciphertext, String keyReference);
    void rotateKeys(String keyReference);
}

Supports field-level encryption with different keys per classification level.

Tokenisation Contract

public interface TokenisationContract extends BaseProviderContract {
    String tokenise(String sensitiveValue);
    String detokenise(String token);
    boolean validate(String token);
}

Replaces sensitive values with tokens; persists the token-to-value mapping.

Secret Management Contract

public interface SecretManagementContract extends BaseProviderContract {
    String resolveSecret(String secretId);
    void rotateSecret(String secretId);
    boolean validateAccess(String secretId, String principal);
}

Secret values are never exposed in logs, metrics, or event payloads

Pipeline Configuration

- name: protect-sensitive-data
  type: security
  capability: security
  timeout: PT3M

Safety Guarantees

  • If any security operation fails, the affected stage is halted
  • Data never proceeds downstream in an unsecured state
  • All security operations are recorded as audit events through Echo within 5 seconds

Example Providers

Provider Sub-Capability
HashiCorp Vault Secret Management, Encryption
AWS KMS Encryption, Secret Management
Protegrity Tokenisation, Classification
Azure Key Vault Secret Management, Encryption
Custom ML Classifier Classification (PII detection)