Compliance Tags
Taxonomy of supported compliance tags
Compliance tags are metadata labels applied to fields in your Data Contracts. Today, the CLI validates that tagged fields conform to the ODCS schema. In the future, these tags will trigger governance workflows and feed into risk scoring.
For an overview of the standards that ChooChoo builds upon, see the Standards Reference. For the formal schema definitions, see Schema Definitions.
Tag Taxonomy
Privacy & Data Protection
| Tag | Description | Risk Weight | Triggers Approval? |
|---|---|---|---|
| pii | Personally Identifiable Information (name, email, phone, etc.) | 3 | ✅ Yes |
| gdpr-article-6 | Data processed under GDPR legal basis (Article 6) | 3 | ✅ Yes |
| gdpr-article-9 | Special categories: health, biometric, genetic, religious data | 4 (Highest) | ✅ Yes (High Risk) |
| ccpa | California Consumer Privacy Act — consumer data subject to access/deletion rights | 3 | ✅ Yes |
Healthcare & Finance
| Tag | Description | Risk Weight | Triggers Approval? |
|---|---|---|---|
| hipaa | Protected Health Information under HIPAA | 4 (Highest) | ✅ Yes |
| pci-dss | Payment Card Industry Data Security Standard — cardholder data | 4 (Highest) | ✅ Yes |
| financial | Financial reporting data (revenue, transactions, etc.) | 3 | ⚠️ Policy Dependent |
| sox | Sarbanes-Oxley Act — financial controls and audit requirements | 2 | ⚠️ Policy Dependent |
Data Classification
| Tag | Description | Risk Weight | Triggers Approval? |
|---|---|---|---|
| public | Data intended for public consumption | 0 | ❌ No |
| internal | Internal company data — not for external sharing | 1 | ❌ No |
| confidential | Confidential data requiring restricted access | 2 | ⚠️ Policy Dependent |
| restricted | Highest classification — need-to-know basis only | 4 | ✅ Yes |
Risk Weight in Scoring
The risk weight assigned to each tag directly influences the Compliance Sensitivity (C) factor in the Risk Scoring algorithm. This factor carries a 30% weight in the overall score — the highest of all five factors.
When multiple tags are present on a single field, ChooChoo uses the highest risk weight among them. For example, a field tagged with both pii (weight 3) and gdpr-article-9 (weight 4) contributes a weight of 4 to the compliance sensitivity calculation.
See Risk Scoring for the full algorithm and score interpretation table.
Usage in Contracts
Tags are applied to individual fields in your Data Contracts using the complianceTags array:
```yaml
models:
  - name: Customer
    type: table
    fields:
      - name: email
        type: string
        pii: true
        complianceTags: ["pii", "gdpr-article-6"]
        classification: confidential
      - name: health_status
        type: string
        complianceTags: ["pii", "gdpr-article-9", "hipaa"]
        classification: restricted
```

The pii: true flag is a shorthand that's equivalent to including pii in complianceTags. Both mechanisms trigger the same governance workflows.
Security Implications
Tags drive Security Considerations enforcement:
- Fields tagged with pii or higher are masked for agents with a no-pii boundary.
- Access to tagged fields is logged in the Audit Trail.
- Encryption requirements escalate with classification level — see Security Considerations for the encryption matrix.
Configuring Tag-Based Policies
Use the governance.requireApproval setting in .choochoorc to specify which tags always trigger mandatory human approval:
```json
{
  "governance": {
    "requireApproval": ["pii", "hipaa", "gdpr-article-9", "restricted"]
  }
}
```

For more granular policies (e.g., requiring specific teams or SLAs), define them in .choochoo/approval-policies.yaml. See Approval Workflows for the full policy schema.
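The following is an added example (not ChooChoo's own code) that ties the weight rule from Risk Weight in Scoring to the requireApproval setting above: it expands the pii: true shorthand, takes the highest weight among a field's tags, decides whether approval is forced, and surfaces any tag that is not in the taxonomy so a typo cannot silently lower a field's weight. It assumes the classification label counts as a Data Classification tag, and the sample config and fields are constructed from the snippets on this page.

```python
from collections import namedtuple

# Risk weight and approval rule per tag, transcribed from the taxonomy tables
# above. Approval: "yes" = always, "policy" = policy dependent, "no" = never.
TAG_TAXONOMY = {
    "pii": (3, "yes"), "gdpr-article-6": (3, "yes"), "gdpr-article-9": (4, "yes"),
    "ccpa": (3, "yes"), "hipaa": (4, "yes"), "pci-dss": (4, "yes"),
    "financial": (3, "policy"), "sox": (2, "policy"), "public": (0, "no"),
    "internal": (1, "no"), "confidential": (2, "policy"), "restricted": (4, "yes"),
}
# Constructed samples: the .choochoorc governance block and the two Customer
# fields from the snippets on this page.
SAMPLE_CONFIG = {"governance": {"requireApproval": ["pii", "hipaa", "gdpr-article-9", "restricted"]}}
SAMPLE_FIELDS = {
    "email": {"type": "string", "pii": True, "complianceTags": ["pii", "gdpr-article-6"],
              "classification": "confidential"},
    "health_status": {"type": "string", "complianceTags": ["pii", "gdpr-article-9", "hipaa"],
                      "classification": "restricted"},
}
# tags: effective tags; weight: value for the Compliance Sensitivity (C) factor;
# approval: "required" | "policy-dependent" | "none"; unknown: tags not in the taxonomy.
Assessment = namedtuple("Assessment", "tags weight approval unknown")

def effective_tags(field: dict) -> list:
    # pii: true is shorthand for the pii tag. Treating the classification label
    # as a Data Classification tag is an assumption of this example.
    tags = list(field.get("complianceTags", []))
    if field.get("pii") is True and "pii" not in tags:
        tags.append("pii")
    cls = field.get("classification")
    if cls and cls not in tags:
        tags.append(cls)
    return tags

def assess_field(field: dict, config: dict) -> Assessment:
    # Highest weight among the tags wins (the page's max rule); approval is
    # forced by governance.requireApproval or by any tag marked "Yes" above.
    tags = effective_tags(field)
    known = [t for t in tags if t in TAG_TAXONOMY]
    unknown = tuple(t for t in tags if t not in TAG_TAXONOMY)  # reject, never ignore
    weight = max((TAG_TAXONOMY[t][0] for t in known), default=0)
    forced = set(config.get("governance", {}).get("requireApproval", []))
    rules = {TAG_TAXONOMY[t][1] for t in known}
    if forced & set(tags) or "yes" in rules:
        approval = "required"
    elif "policy" in rules:
        approval = "policy-dependent"
    else:
        approval = "none"
    return Assessment(tuple(tags), weight, approval, unknown)
```

A CLI check built on this would fail the contract when unknown is non-empty rather than scoring the field at weight 0.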
Compliance Reporting
Tags determine which artifacts appear in Compliance Reports. When you generate a report for a specific framework (e.g., --framework gdpr), ChooChoo filters the Audit Trail to include only changes that affected fields tagged with relevant compliance tags.
Related
Risk Scoring
How compliance tags and their weights feed into the risk calculation algorithm.
Contracts (ODCS)
Apply compliance tags to contract fields to trigger governance workflows.
Approval Workflows
The policy gates triggered when tagged fields are modified.
Security Considerations
Encryption and access control requirements driven by compliance tags.
Compliance Reporting
Generate framework-specific reports based on compliance tag coverage.
Configuration
Configure which tags trigger mandatory approval in .choochoorc.