Data and Privacy

• Defines PII handling policies, encryption in transit and at rest, retention, and deletion processes.
• TODO: add GDPR-specific requirements and regional compliance notes.