Privacy Controls

Placino enforces differential privacy, k-anonymity, and column-level access controls. Every query is audited.

Three Layers of Privacy

Layer 1: Differential Privacy

Laplace noise is added to numeric results, calibrated to the query's sensitivity and the epsilon spent on it, so an analyst cannot reliably tell from a result whether any one individual is in the dataset. Spending is controlled by a per-user epsilon budget.

Layer 2: K-Anonymity

Suppress or generalize results where fewer than k records match. Default k=5. Prevents linking to individuals via quasi-identifiers.

Layer 3: Column Access Control

Users can query only the columns they have been explicitly granted. PII columns (email, phone, SSN) require an admin grant.

Differential Privacy

Differential privacy provides mathematically rigorous privacy guarantees. The epsilon parameter (a positive real number; smaller means more privacy) controls the privacy vs utility trade-off:

Epsilon   Privacy Level   Noise Magnitude   Use Case
0.1       Strict          ±1000             Published research
1.0       Strong          ±100              Default recommended
5.0       Moderate        ±20               Internal analytics
10.0      Weak            ±5                Trusted partner

The noise-magnitude column is illustrative. The Laplace scale actually applied is sensitivity / epsilon, where sensitivity is the most one individual's record can change the result (1 for a COUNT(*)), so a count query at epsilon=1.0 receives noise with scale 1, not 100.

Epsilon Budget Management

Each user starts with epsilon=10.0 per month. Every query consumes the epsilon it was run with, and the running total is what bounds the privacy loss across all of a user's queries. Once the budget is exhausted, further queries are rejected until it resets. Note that a single query at epsilon=10.0 (the "Weak" level above) spends the entire month's budget.

User Query 1: epsilon=1.0, remaining budget: 9.0
User Query 2: epsilon=2.0, remaining budget: 7.0
User Query 3: epsilon=8.0 requested, but only 7.0 available. Rejected.
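The mechanism behind Layer 1 and the budget walk-through above, as an added example that is not Placino's own code: a Laplace mechanism for COUNT(*) (sensitivity 1) and a per-user budget that deducts only for queries that actually run. EpsilonBudget, run_query and the seed are names and choices made for this example, not Placino API names.

```python
import math
import random

# Added example, not Placino's own code: the Laplace mechanism from Layer 1
# and a per-user monthly epsilon budget. EpsilonBudget and run_query are
# names chosen for this example, not Placino API names.


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace scale b = sensitivity / epsilon (smaller epsilon, larger noise)."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting its CDF."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                # skip the measure-zero endpoint (log(0))
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_count(true_count: int, epsilon: float, rng: random.Random) -> float:
    """COUNT(*) has sensitivity 1: one person's record changes it by at most 1."""
    return true_count + laplace_noise(laplace_scale(1.0, epsilon), rng)


class EpsilonBudget:
    """Monthly epsilon budget for one user. In this example the budget is
    deducted only for queries that run, so a rejected query costs nothing."""

    def __init__(self, monthly_budget: float = 10.0):
        self.remaining = monthly_budget

    def spend(self, epsilon: float) -> bool:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            return False                # would exceed the budget: reject, deduct nothing
        self.remaining -= epsilon
        return True


def run_query(budget: EpsilonBudget, true_count: int, epsilon: float,
              rng: random.Random):
    """Return the noised count, or None when the budget check rejects the query."""
    if not budget.spend(epsilon):
        return None
    return noisy_count(true_count, epsilon, rng)


if __name__ == "__main__":
    rng = random.Random(7)
    budget = EpsilonBudget(10.0)
    # Same walk-through as the text: 1.0 and 2.0 succeed, 8.0 is rejected.
    for eps in (1.0, 2.0, 8.0):
        result = run_query(budget, true_count=1234, epsilon=eps, rng=rng)
        print(f"epsilon={eps}: result={result}, remaining={budget.remaining}")
```

The budget check happens before any noise is drawn, so a rejected query never touches the data; the noise scale depends only on sensitivity and epsilon, never on the data itself, which is what keeps the guarantee independent of the true count.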

K-Anonymity

K-anonymity limits re-identification by ensuring that every reported result is computed over at least k records sharing the same quasi-identifier values, so no result can be pinned to fewer than k people.

How It Works

If you query "COUNT(*) WHERE age_group='25-34' AND brand='BrandA'" and only 3 records match while k=5 is required, the result is suppressed and the query fails with an "Insufficient sample size" error.

K-Threshold Configuration

Configure per-dataset or globally:

# Set the k-anonymity threshold for one dataset to 10
# (ID is the dataset identifier; prefix the path with your API base URL and add your auth header)
curl -X PATCH /api/v1/datasets/ID \
  -H "Content-Type: application/json" \
  -d '{"k_threshold": 10}'

Generalization & Suppression

When k-anonymity is violated, Placino can: (1) Suppress the cell (return NULL), (2) Generalize the quasi-identifier to a coarser bucket (e.g., "25-34" becomes "25-40") and re-evaluate, (3) Reject the query and ask for broader filters. Suppression alone does not stop differencing (a total minus the visible cells reveals the suppressed one), which is why the differential-privacy layer stays in front of it.
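The three responses to a k-anonymity violation, worked on the COUNT(*) query from the example above. This is an added example, not Placino's query engine: the records are constructed, and the one-level age_group generalization hierarchy (AGE_PARENT) is an assumption made for the example.

```python
K_DEFAULT = 5

# Constructed sample records for this example (not real data): (age_group, brand).
RECORDS = (
    [("25-34", "BrandA")] * 3        # 3 matches: below the default k=5
    + [("18-24", "BrandA")] * 4
    + [("25-34", "BrandB")] * 2
    + [("35-44", "BrandB")] * 6
)

# One level of a generalization hierarchy for the age_group quasi-identifier.
# An assumption for this example; Placino's own hierarchy is not documented here.
AGE_PARENT = {"18-24": "18-34", "25-34": "18-34", "35-44": "35-54", "45-54": "35-54"}


class InsufficientSampleSize(Exception):
    """Raised by the 'reject' policy when fewer than k records match."""


def _count(records, age_groups, brand):
    return sum(1 for a, b in records if a in age_groups and b == brand)


def k_anonymous_count(records, age_group, brand, k=K_DEFAULT, policy="reject"):
    """COUNT(*) WHERE age_group=? AND brand=? with k-anonymity enforced.

    Returns (reported_age_group, count); a suppressed cell has count None.
    policy is 'suppress', 'generalize' or 'reject', the three options above.
    """
    n = _count(records, {age_group}, brand)
    if n >= k:
        return age_group, n
    if policy == "suppress":
        return age_group, None
    if policy == "generalize":
        parent = AGE_PARENT.get(age_group)
        if parent is not None:
            # widen to every bucket that shares the parent and count again
            siblings = {g for g, p in AGE_PARENT.items() if p == parent}
            n = _count(records, siblings, brand)
            if n >= k:
                return parent, n
        return age_group, None        # still below k after widening: suppress
    if policy == "reject":
        raise InsufficientSampleSize(
            f"{n} records match, {k} required; broaden the filter")
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    print(k_anonymous_count(RECORDS, "35-44", "BrandB"))
    print(k_anonymous_count(RECORDS, "25-34", "BrandA", policy="suppress"))
    print(k_anonymous_count(RECORDS, "25-34", "BrandA", policy="generalize"))
```

The generalize path re-checks k after widening and falls back to suppression if the coarser bucket is still too small; a generalization that is reported without that second check would leak the very cell it was meant to hide.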

Column Access Control

Fine-grained authorization on which columns users can query:

Permission Model

Unrestricted: age_group, brand, region (non-sensitive)
Restricted (PII): email, phone, ssn (requires admin grant)
Sensitive Derived: zip_code, ip_address (limited to aggregations only)
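A policy check for the three tiers above, as an added example (not Placino's authorization code). The tier sets mirror the list; SAMPLE_GRANTS, the ISO-date expiry format and the default-deny rule for columns outside every tier are this example's own choices.

```python
from datetime import date

# Added example of the three-tier column permission model. The tier sets mirror
# the text; check_column_access and SAMPLE_GRANTS are this example's own, not Placino's API.
UNRESTRICTED = {"age_group", "brand", "region"}
RESTRICTED_PII = {"email", "phone", "ssn"}
AGGREGATE_ONLY = {"zip_code", "ip_address"}

# Constructed grants for one user: PII column -> expiry date (ISO 8601), as an admin would issue.
SAMPLE_GRANTS = {"email": "2025-12-31"}


def check_column_access(columns, grants, aggregate_query, today):
    """Decide whether a query over `columns` is allowed for a user holding `grants`.

    Returns (allowed, reason). Columns outside all three tiers are denied
    (default deny), so a newly added sensitive column is never exposed by accident.
    """
    today = date.fromisoformat(today)
    for col in columns:
        if col in UNRESTRICTED:
            continue
        if col in AGGREGATE_ONLY:
            if not aggregate_query:
                return False, f"{col} may be used only inside aggregations"
            continue
        if col in RESTRICTED_PII:
            expiry = grants.get(col)
            if expiry is None:
                return False, f"{col} requires an admin grant"
            if today > date.fromisoformat(expiry):
                return False, f"grant for {col} expired on {expiry}"
            continue
        return False, f"{col} is not in any column tier (default deny)"
    return True, "ok"


if __name__ == "__main__":
    print(check_column_access(["age_group", "email"], SAMPLE_GRANTS, False, "2025-06-01"))
    print(check_column_access(["age_group", "email"], SAMPLE_GRANTS, False, "2026-01-01"))
    print(check_column_access(["zip_code"], {}, False, "2025-06-01"))
```

The check is evaluated per column before the query runs, so a single ungranted or expired column denies the whole query rather than silently dropping it from the result.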

Grant Access

# Grant a user access to the email column until the given expiry date
# (prefix the path with your API base URL and add your auth header)
curl -X POST /api/v1/permissions \
  -H "Content-Type: application/json" \
  -d '{"user_id": "user@example.com", "column": "email", "expires": "2025-12-31"}'

Audit Trail

All column access is logged with user, timestamp, and query executed. Compliance teams can export access reports quarterly.

GDPR Data Subject Rights

Placino simplifies GDPR compliance with automated data subject request (DSR) handling:

Right to Access (Article 15)

User submits a DSR. Placino identifies all records keyed by the hash of the requester's email, retrieves them, and generates an encrypted PDF export.

Right to Deletion (Article 17)

Admin approves deletion. Placino removes all records matching the user's identifier and audit-logs the deletion.

Right to Rectification (Article 16)

User requests correction (e.g., wrong age group). Placino updates encrypted record and logs the change.

Data Portability (Article 20)

User can export their data as CSV or JSON. Placino decrypts, formats, and delivers via secure download link.

Audit Logging

Every query and data access is immutably logged:

What's logged: User, timestamp (UTC), action (ingest/query/export), datasets accessed, columns queried, epsilon consumed, privacy parameters, result size, approval status.

Storage: Merkle-style hash chain in PostgreSQL. Tamper-evident: each entry carries the hash of the previous one, so an unauthorized edit, deletion or reordering breaks the chain and is detected on verification. Detection holds only if the current chain head is periodically anchored somewhere the database writer cannot alter; an attacker with write access to the table could otherwise rewrite the chain end to end.
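What the chain buys you, shown in code: an added example (not Placino's storage code) of an append-only hash chain over audit entries in the shape of the "What's logged" list, with a verifier that reports the first broken link and optionally compares against an externally anchored head. GENESIS, the field names and the sample entries are this example's own constructions.

```python
import hashlib
import json

# Added example, not Placino's storage code: an append-only hash chain over audit
# entries. GENESIS and the entry field names are this example's own conventions.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes the same.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []   # each item: {"entry": {...}, "prev_hash": ..., "hash": ...}

    def append(self, entry: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, entry)
        self.entries.append({"entry": entry, "prev_hash": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchored_head=None):
        """Return (ok, index_of_first_bad_link). A bad link means an entry was
        edited, removed or reordered. If anchored_head (a head hash kept outside
        the database) is given, truncation of the tail is caught as well."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev_hash"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.entries)
        return True, None


def build_sample_chain() -> AuditChain:
    """Three constructed audit entries (not real log data)."""
    chain = AuditChain()
    chain.append({"user": "analyst@example.com", "ts": "2025-03-01T10:00:00Z",
                  "action": "query", "datasets": ["sales"], "columns": ["age_group", "brand"],
                  "epsilon": 1.0, "k": 5, "result_size": 1, "approval": "auto"})
    chain.append({"user": "analyst@example.com", "ts": "2025-03-01T10:05:00Z",
                  "action": "query", "datasets": ["sales"], "columns": ["region", "brand"],
                  "epsilon": 2.0, "k": 5, "result_size": 12, "approval": "auto"})
    chain.append({"user": "admin@example.com", "ts": "2025-03-01T11:00:00Z",
                  "action": "export", "datasets": ["sales"], "columns": [],
                  "epsilon": 0.0, "k": 5, "result_size": 0, "approval": "admin"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchored = chain.head()                     # store this outside the database
    print("intact:", chain.verify(anchored))
    chain.entries[1]["entry"]["epsilon"] = 0.01 # someone lowers the recorded spend
    print("after edit:", chain.verify(anchored))
```

Editing a field invalidates that entry's hash and every link after it; deleting the last entry leaves a chain that still verifies on its own, which is exactly the case the anchored head catches.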

Export: SOC 2 auditors and compliance teams can export full audit trail in JSON format.