SOC 2 & PII Implementation

Set up Azure Key Vault for encryption key management

Create encrypt_pii() and decrypt_pii() utility functions (AES-256)

Add encrypted columns to database (ssn_encrypted, account_number_encrypted, routing_number_encrypted)

Migrate existing plain text PII data to encrypted format

Create mask_ssn() helper function (returns *--6789)

Create mask_account_number() helper function (returns ******7890)

Add PII_ACCESS activity type to audit logging

Create log_pii_access() function to track who views PII (user_id, merchant_id, fields, timestamp, IP)

Create log_pii_edit() function to track PII modifications

Update all GET endpoints to decrypt PII internally before returning

Return masked PII by default in API responses

Add show_full_pii permission check for viewing unmasked data

Update all POST/PATCH endpoints to encrypt PII before saving to database

Create verify_recent_auth() function for re-authentication

Add re-authentication requirement before showing full SSN/bank accounts

Define role-based PII access rules (merchant: full, owner: full with re-auth, sales rep: masked only)

Create can_view_full_pii() permission check function

Document data retention policy (e.g., delete PII 7 years after account closure)

Create scheduled job to delete expired PII automatically

Implement secure PII deletion (overwrite with nulls, log deletion)

Create incident response plan document (breach detection, notification, recovery)

Set up alerts for unusual PII access patterns

Create PII access audit log dashboard for compliance reviews

Add consent tracking for PII collection

Document encryption approach and key management procedures

Write unit tests for encryption/decryption functions

Write integration tests for PII access logging

Verify encrypted data is unreadable in database dumps

Migration job to backfill existing mer

Twill Brain