# Privacy & Knowledge Security ## Overview Privacy and security in RAG systems are not optional—they're fundamental. When your AI agents access sensitive business data, customer information, or regulated content, you must ensure that data is protected at every stage: ingestion, storage, retrieval, and generation. Privacy violations can lead to regulatory fines, security breaches, and catastrophic loss of customer trust. ## Why Privacy & Security Matter Proper privacy controls ensure: * **Regulatory compliance** - Meet GDPR, HIPAA, SOC 2, and other requirements * **Data protection** - Prevent unauthorized access to sensitive information * **Customer trust** - Demonstrate responsible data handling * **Legal protection** - Avoid liability from data breaches or misuse * **Multi-tenant isolation** - Keep different customers' data separate Privacy failures lead to: * **PII leakage** - Personally identifiable information exposed in responses * **Compliance violations** - Fines, legal action, loss of certifications * **Data breaches** - Sensitive information accessed by unauthorized parties * **Cross-tenant contamination** - One customer's data visible to another * **Audit failures** - Inability to demonstrate compliance or track data usage ## Common Privacy Challenges ### Data Protection * **PII leaking in retrieved context** - Sensitive data appears in responses * **Embedding data residency** - Embeddings stored in non-compliant locations * **Vector DB encryption** - Unencrypted vectors expose sensitive content * **Cross-agent knowledge leakage** - Multi-tenant data isolation failures ### Compliance * **HIPAA compliance** - Healthcare data handling requirements * **GDPR compliance** - Right to be forgotten, data erasure * **Data residency requirements** - Geographic storage constraints * **Audit trail gaps** - Insufficient query logging and tracking ### Access Control * **Agent-level data isolation** - Ensuring agents only access permitted data * **Permission inheritance** - Maintaining source system permissions * **Query audit logging** - Who accessed what, when ### Data Lifecycle * **Right to erasure** - Removing data from vector indices * **Knowledge retention vs deletion** - Balancing utility with privacy * **Embedding service privacy** - Third-party processor compliance ## Solutions in This Section Browse these guides to secure your RAG system: * [PII Leaking in Retrieved Context](/rag-scenarios-and-solutions/privacy/pii-detection.md) * [HIPAA-Compliant Knowledge Base](/rag-scenarios-and-solutions/privacy/hipaa-setup.md) * [GDPR Right to Forget in Vector DB](/rag-scenarios-and-solutions/privacy/gdpr-compliance.md) * [Private LLM for Sensitive Data](/rag-scenarios-and-solutions/privacy/private-models.md) * [Embedding Data Residency](/rag-scenarios-and-solutions/privacy/data-residency.md) * [Agent-Level Data Isolation](/rag-scenarios-and-solutions/privacy/data-isolation.md) * [Query Audit Trail Gaps](/rag-scenarios-and-solutions/privacy/audit-gaps.md) * [Cross-Agent Knowledge Leakage](/rag-scenarios-and-solutions/privacy/tenant-leakage.md) * [Vector DB Encryption](/rag-scenarios-and-solutions/privacy/key-rotation.md) * [Knowledge Retention vs Deletion](/rag-scenarios-and-solutions/privacy/retention-conflicts.md) * [Embedding Service Privacy](/rag-scenarios-and-solutions/privacy/processor-compliance.md) * [Erasure from Vector Index](/rag-scenarios-and-solutions/privacy/right-to-erasure.md) ## Privacy by Design Principles Build privacy into your architecture from the start: ### 1. Data Minimization * Only ingest and store data that's necessary * Redact or anonymize PII before processing * Set retention policies and auto-delete old data ### 2. Access Control * Implement role-based access control (RBAC) * Maintain source system permissions in RAG system * Audit all data access with detailed logs ### 3. Encryption Everywhere * **At rest**: Encrypt vector databases, document stores * **In transit**: Use TLS for all data transfers * **In use**: Consider homomorphic encryption for sensitive operations ### 4. Isolation * **Multi-tenant**: Strict logical or physical separation * **Agent-level**: Scope data access per agent/use case * **Environment**: Separate dev/staging/prod data ### 5. Auditability * Log all queries, retrievals, and generations * Track data lineage from source to response * Enable compliance reporting and investigations ## Regulatory Compliance Guide ### GDPR (General Data Protection Regulation) **Key requirements:** * Right to erasure ("right to be forgotten") * Data minimization and purpose limitation * Consent for processing personal data * Data portability * Privacy by design and by default **RAG-specific challenges:** * Deleting embeddings when source deleted * Tracking which chunks contain personal data * Providing data export for individuals **Implementation:** * Tag chunks with PII indicators * Build deletion workflows for vectors * Maintain mapping of person → documents → chunks → vectors ### HIPAA (Health Insurance Portability and Accountability Act) **Key requirements:** * Protected Health Information (PHI) must be encrypted * Access controls and audit logs * Business Associate Agreements (BAAs) with vendors * Physical and technical safeguards **RAG-specific challenges:** * Embedding services often don't sign BAAs * Vector databases must be HIPAA-compliant * LLM providers must have PHI handling capabilities **Implementation:** * Use self-hosted or HIPAA-compliant embedding models * Choose BAA-ready vector database (Pinecone Enterprise, Postgres with encryption) * Use LLM providers with BAA (Azure OpenAI, AWS Bedrock, not public OpenAI) ### SOC 2 (System and Organization Controls) **Key requirements:** * Security policies and procedures * Access controls and monitoring * Data encryption and protection * Incident response procedures **RAG-specific focus:** * Secure data ingestion pipelines * Encrypted vector storage * Comprehensive audit logging * Regular security assessments ## Best Practices ### Data Ingestion 1. **Pre-process for privacy** - Detect and redact PII before embedding 2. **Classify sensitivity** - Tag data with classification levels 3. **Respect source permissions** - Inherit access controls from origin systems 4. **Document lineage** - Track data from source through transformations ### Storage & Embeddings 1. **Encrypt at rest** - All vector databases and document stores 2. **Isolate tenants** - Physical or logical separation of customer data 3. **Choose privacy-aware providers** - Embedding and LLM vendors with compliance 4. **Monitor data residency** - Ensure data stays in approved regions ### Retrieval & Generation 1. **Filter by permissions** - Only retrieve documents user is allowed to see 2. **Detect PII in output** - Scan responses for sensitive information 3. **Redact when necessary** - Mask PII in generated responses 4. **Log all access** - Who queried what, when, with what results ### Data Deletion 1. **Implement right to erasure** - Delete all representations of data 2. **Cascade deletes** - Remove vectors, chunks, and metadata together 3. **Verify deletion** - Confirm data no longer retrievable 4. **Document deletion** - Maintain audit trail of erasure requests ### Audit & Monitoring 1. **Comprehensive logging** - Queries, retrievals, generations, errors 2. **Anomaly detection** - Unusual access patterns or volume 3. **Regular audits** - Review access logs and compliance 4. **Incident response plan** - Procedure for privacy breaches ## Architecture Patterns for Privacy ### Pattern 1: Multi-Tenant Isolation **Namespace-based:** ``` - Shared vector DB with tenant namespaces - Filter all queries by tenant_id - Pros: Cost-efficient, simple - Cons: Risk of cross-tenant leakage, shared infrastructure ``` **Database-per-tenant:** ``` - Separate vector DB instance per tenant - Complete isolation - Pros: Maximum security, compliance-friendly - Cons: Higher cost, operational complexity ``` ### Pattern 2: Private LLM Stack **Fully self-hosted:** ``` Embeddings: Sentence Transformers (self-hosted) Vector DB: PostgreSQL with pgvector (self-hosted) LLM: Llama 3 / Mistral (self-hosted) ``` **Pros:** Complete control, no data leaves infrastructure **Cons:** Higher infrastructure cost, maintenance burden **Hybrid (privacy + performance):** ``` Embeddings: Azure OpenAI (BAA available) Vector DB: Pinecone Enterprise (SOC 2, HIPAA) LLM: AWS Bedrock (BAA, HIPAA) ``` **Pros:** Managed services, compliance certifications **Cons:** Vendor lock-in, some data sharing with providers ### Pattern 3: PII Detection & Redaction **Pre-embedding:** ``` Document → PII Detection → Redaction → Chunking → Embedding ``` **Post-generation:** ``` LLM Response → PII Detection → Redaction → User ``` **Real-time filtering:** ``` Retrieval → Check user permissions → Filter chunks → LLM ``` ## Privacy Impact Assessment Evaluate your RAG system's privacy risks: | Risk Category | Questions to Ask | Mitigation Strategies | | -------------------- | ----------------------------------------------- | ---------------------------------------------- | | **Data Exposure** | What sensitive data is in the knowledge base? | Classification, encryption, access controls | | **PII Leakage** | Can user queries surface others' personal info? | PII detection, filtering, anonymization | | **Tenant Isolation** | Can one customer access another's data? | Namespace isolation, separate databases | | **Audit Gaps** | Can you prove compliance and track access? | Comprehensive logging, audit reports | | **Third-party Risk** | Do embedding/LLM providers meet compliance? | BAAs, data processing agreements, self-hosting | | **Data Retention** | How long is data kept? Can it be deleted? | Retention policies, deletion workflows | ## Quick Diagnostics **Signs your privacy controls need attention:** * ✗ Personal information appears in responses for wrong users * ✗ Cannot delete user data from vector index * ✗ Embedding or LLM provider lacks compliance certifications * ✗ No audit trail of who accessed what data * ✗ Multi-tenant data stored without isolation * ✗ PII flowing through third-party APIs without agreements * ✗ Cannot answer "where is this user's data stored?" **Signs your privacy controls are working:** * ✓ Users only see data they're authorized to access * ✓ PII detected and redacted before/after generation * ✓ Complete audit logs of all data access * ✓ Vendors have necessary compliance certifications * ✓ Data can be deleted across all systems * ✓ Multi-tenant isolation enforced and tested * ✓ Regular privacy audits passing ## Monitoring & Metrics Track these privacy metrics: ### Compliance Metrics * **Data erasure SLA** - Time to complete deletion requests * **Audit completeness** - % of operations logged * **PII detection rate** - Accuracy of PII identification * **Access violation attempts** - Unauthorized access blocked ### Operational Metrics * **Encryption coverage** - % of data encrypted * **Tenant isolation** - Zero cross-tenant data leaks * **Vendor compliance** - All providers certified and under agreement * **Incident response time** - Time to detect and respond to breaches ### Risk Metrics * **Sensitive data exposure** - PII in retrievals/responses * **Permission inheritance failures** - Access control bypasses * **Audit trail gaps** - Missing or incomplete logs * **Compliance certification** - Currency of SOC 2, ISO 27001, etc. **Bottom line**: Privacy isn't a feature you add later—it's a foundational requirement. Build it into your architecture from day one, or face regulatory, legal, and reputational consequences that can destroy your business. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.twig.so/rag-scenarios-and-solutions/privacy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.