I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstream consumers rather than hidden inside an ordinary-looking field. Classifying PII at design time is how we make privacy enforceable instead of aspirational, because you cannot protect, redact, or account for data you have not first identified. I insist on this because privacy obligations follow the data wherever it flows, and an unlabeled PII field is a compliance incident waiting to be discovered by someone other than us. Every API that touches personal data must classify it in the contract.
Data Privacy and PII Classified
Rules
OpenAPI Schema Property PII Info
Schema properties whose names suggest personally identifiable information such as email, ssn, phone, dob, birth, or address should carry an x-pii marker so privacy tooling, governance, and consumer...
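The policy statement above and this rule both amount to a lint check over an OpenAPI document: find schema properties whose names suggest PII and report the ones that carry no `x-pii` marker. The following Python is an added example written for this page, not tooling from the page or from any project it references. The `x-pii` extension name and the name hints (email, ssn, phone, dob, birth, address) come from the rule text; the keyword regex, the decision to treat an explicit `x-pii: false` as a classification decision, the JSON Pointer-style finding paths, and the sample document are assumptions constructed here.

```python
"""Added example: report OpenAPI schema properties that look like PII
but lack an `x-pii` marker. Not part of the governance page's tooling."""
import re

# Name fragments that suggest PII, taken from the rule text on the page.
PII_NAME_HINTS = ("email", "ssn", "phone", "dob", "birth", "address")
_HINT_RE = re.compile("|".join(PII_NAME_HINTS), re.IGNORECASE)


def _walk_properties(schema, path):
    """Yield (path, name, property_schema) for every property in a schema,
    descending into nested objects, array items and allOf/oneOf/anyOf."""
    if not isinstance(schema, dict):
        return
    for name, prop in (schema.get("properties") or {}).items():
        prop_path = f"{path}/properties/{name}"
        yield prop_path, name, prop
        yield from _walk_properties(prop, prop_path)
    if "items" in schema:
        yield from _walk_properties(schema["items"], f"{path}/items")
    for combinator in ("allOf", "oneOf", "anyOf"):
        for i, sub in enumerate(schema.get(combinator) or []):
            yield from _walk_properties(sub, f"{path}/{combinator}/{i}")


def find_unclassified_pii(openapi_doc):
    """Return JSON Pointer-style paths of properties whose name matches a PII
    hint and that have no `x-pii` key at all. Assumption of this example:
    an explicit `x-pii: false` counts as classified, because the author made
    a decision that governance tooling can see and review."""
    findings = []
    schemas = (openapi_doc.get("components") or {}).get("schemas") or {}
    for schema_name, schema in schemas.items():
        base = f"#/components/schemas/{schema_name}"
        for prop_path, name, prop in _walk_properties(schema, base):
            if not isinstance(prop, dict):
                continue
            if _HINT_RE.search(name) and "x-pii" not in prop:
                findings.append(prop_path)
    return findings


# Constructed sample document: some PII fields classified, some not, with
# nested objects, array items and an allOf branch to exercise the walker.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {"schemas": {
        "Customer": {"type": "object", "properties": {
            "id": {"type": "string"},
            "email": {"type": "string", "format": "email", "x-pii": True},
            "phoneNumber": {"type": "string"},  # PII hint, no marker
            "shipping": {"type": "object", "properties": {
                "addressLine1": {"type": "string"},  # nested, no marker
            }},
            "contacts": {"type": "array", "items": {"type": "object", "properties": {
                "email": {"type": "string", "x-pii": True},
            }}},
        }},
        "Employee": {"allOf": [
            {"$ref": "#/components/schemas/Customer"},
            {"type": "object", "properties": {"ssn": {"type": "string"}}},
        ]},
    }},
}


if __name__ == "__main__":
    for finding in find_unclassified_pii(SAMPLE_SPEC):
        print(f"unclassified PII candidate: {finding}")
```

Run against a real document, the check would be wired into the same pre-merge lint step as the rest of the API contract rules, so a contract cannot land with an unlabeled candidate field; name matching is a heuristic, so a reviewer still decides whether each flagged property is PII (`x-pii: true`), is not (`x-pii: false`), or should be renamed.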
Strategies
APIs Respect Data Privacy and Residency
I want privacy and residency to be built into how our APIs handle data, not bolted on after a regulator or a customer asks the hard question. That means we classify the PII moving through our APIs ...
Experiences
Privacy
Privacy is the experience of handling the personal data that flows through APIs responsibly. APIs move sensitive information constantly, and the people that data belongs to have a stake in how it i...
Compliance
Compliance is the experience of meeting the legal, regulatory, and internal obligations that come with operating an API. For many teams it feels like a burden bolted on at the end, but the reality ...
Security
API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...
Lifecycle
Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer....