Assigns data to a sensitivity tier so handling rules and access controls follow from the label.
Data classification assigns data to sensitivity tiers, typically public, internal, confidential, and restricted, so that handling rules follow from the label. It sits under access control and compliance, which apply controls according to how sensitive the data has been judged to be.
The tiered model has military and governmental roots in information classification, and the commercial sector settled on a four-level scheme that most organisations now recognise. Public data carries minimal riskRiskComplianceA risk to the product or businessView reference →, such as press releasesPress ReleaseMarketingA press releaseView reference → and marketing material. Internal data is limited to staff and trusted partners. Confidential data is business-sensitive, covering customer lists and financial reports, with controlled access. Restricted data is the highest tier, holding things like payment-card numbers, medical records, and trade secrets, and it demands the strongest safeguards.
The label is not decorative. Classification levels directly determine which controls apply: permissions, encryption, monitoring, and retention. Regulatory regimes lean on it too, since GDPR, HIPAA, and CCPA all assume an organisation knows where its personally identifiable information (PII) and protected health information (PHI) live before it can claim to handle them lawfully.
A health-tech product audits its data stores. The marketing blog is tagged public. Internal runbooksRunbookDevOps & PlatformA runbook for incident responseView reference → are internal. The customer table holds names and emails, tagged confidential. One column holds diagnosis codes, which is PHI, so the whole table inherits restricted. That single classification cascades into policy: the restricted store gets field-level encryption, access is limited to a named on-call group, every read is logged, and the data is excluded from the analytics warehouse copy by default. The label did the deciding; the controls just followed it.
In the Unified Product Graph, Data Classification sits in the security region. The product applies it through Productclassifies data withData Classificationhierarchy, a security policy gives it force through product_classifies_data_with_data_classificationSecurity PolicyestablishesData Classificationhierarchy, and it attaches to the things it governs through security_policy_establishes_data_classificationData Classificationapplies toData Sourcecross-domain. Modelling it as its own node, rather than a property on a source, lets one tier link to many sources and to the policy that defines it, which mirrors how classification actually works: a single scheme governing the whole estate.data_classification_applies_to_data_source
Confidential Sensitive; restricted to a need-to-know basis.
Type-specific fields on BaseNode
levelenumSensitivity level
handling_requirementsstringHandling rules
examplesstring[]Example data covered
retention_periodstringRetention period
encryption_requiredbooleanWhether encryption is mandatory
idstringrequiredUnique identifier (UUID)
typeNodeTyperequiredDiscriminator for the entity type
titlestringrequiredDisplay name
descriptionstringOptional detailed description
statusstringLifecycle status
tagsstring[]Freeform tags for filtering
4 edge types connected to this entity.
product_classifies_data_with_data_classificationsecurity_policy_establishes_data_classificationdata_classification_applies_to_data_sourcedata_classification_governed_by_privacy_policy