Docs
[IAM]

Data Policy

Data Policy defines how identity data is stored, processed, and governed within IAM across both internal PLTFRMS usage and customer-managed Realms.

It ensures that identity data handling is consistent, secure, and aligned with compliance and privacy requirements.

What is Data Policy?

Data Policy is a configurable and enforceable set of rules that governs:

  • What identity data is stored
  • How long data is retained
  • How data is processed and accessed
  • What data can be exported or integrated
  • How user and organisation data is isolated

It applies at Realm level and can be extended per Organisation.

Scope of data

IAM handles multiple categories of identity-related data, including:

  • User profiles (identities, credentials, metadata)
  • Organisations and membership structures
  • Groups, roles, and permission mappings
  • OAuth2 and OpenID Connect session data
  • Audit logs related to identity actions

Data Policy defines how each of these categories is treated.

Realm-based data isolation

All data policies are enforced within the context of a Realm.

This ensures:

  • No data leakage between realms
  • Strict tenant-level separation
  • Independent retention and compliance rules per customer
  • Isolated encryption and access boundaries

Each realm acts as its own data governance boundary.

Organisation-level policies

Within a realm, Data Policy can be refined per organisation.

This allows:

  • Different retention rules per organisation
  • Scoped access to identity data
  • Segmented auditing and reporting
  • Custom compliance configurations per business unit

Data retention

IAM supports configurable retention rules for identity data, including:

  • User lifecycle data
  • Session and token history
  • Audit logs
  • Authentication events

Retention policies define how long data is stored before being anonymised or deleted, depending on configuration and compliance requirements.

Access control to data

Data access is strictly controlled through IAM’s core model:

  • Roles define access to identity data
  • Permissions define allowed data operations
  • Access is always scoped to realm and organisation context
  • All access is audited and traceable

No identity data is accessible without explicit authorization.

Data portability

Data Policy also governs how data can be:

  • Exported by customers
  • Migrated between systems
  • Integrated with external tools
  • Accessed via APIs

This ensures controlled and compliant data movement across the platform.

Privacy and compliance alignment

IAM Data Policy is designed to support alignment with:

  • GDPR principles (data minimisation and control)
  • Auditability and traceability requirements
  • Enterprise data governance models
  • Security-first identity management practices

Customers remain responsible for their own configuration within their realms, while PLTFRMS provides the infrastructure and enforcement layer.

Why Data Policy matters

Data Policy ensures that IAM:

  • Handles identity data consistently across all realms
  • Provides strong isolation between customers
  • Supports compliance and regulatory requirements
  • Enables controlled and auditable data access
  • Scales securely across multi-tenant environments

It is a foundational component of trust within the PLTFRMS IAM system.