Privacy-First Architecture Implementation Checklist

This checklist provides a technical framework for validating that an application adheres to privacy-first principles before deployment, focusing on data minimization, infrastructure sovereignty, and user agency. Each item is marked critical, recommended, or optional.
Data Minimization and Sanitization

PII Log Sanitization (critical)
Verify that application loggers (e.g., Winston, Pino) use middleware to redact emails, physical addresses, and full names before writing to stdout or disk.

IP Address Masking (critical)
Configure reverse proxies (Nginx/Traefik) or application code to mask the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses.

Database Schema Audit (recommended)
Review every column in the production schema; remove any fields that are not strictly required for the application's core functionality.

Temporary Data TTLs (recommended)
Set Time-To-Live (TTL) indexes on session stores and temporary caches to ensure data is automatically purged after inactivity.

Client-Side Storage Cleanup (recommended)
Verify that sensitive data is cleared from localStorage or sessionStorage upon user logout or session expiration.
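The first two items above, as an added example that is not part of the checklist: a log-record sanitizer that can be wired in as a Pino formatter or Winston format function. It masks the last octet of IPv4 and the last 80 bits of IPv6 addresses and redacts e-mail addresses in any string field; the field names treated as IP carriers (ip, remoteAddress, x-forwarded-for) and the sample record are assumptions.

```javascript
// Added example: sanitize a structured log record before it is written.
// Assumed IP-carrying field names; e-mails are redacted wherever they appear in a string.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IP_FIELDS = new Set(['ip', 'remoteaddress', 'x-forwarded-for']);

function maskIpv4(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) return null;
  parts[3] = '0';                                   // keep the /24, drop the host part
  return parts.join('.');
}

function maskIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;               // at most one '::' is legal
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = 8 - head.length - tail.length;       // hextets elided by '::'
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  // Keep the first 48 bits (3 hextets); the remaining 80 bits become zero.
  return groups.slice(0, 3).map(g => g.toLowerCase().replace(/^0+(?=.)/, '')).join(':') + '::';
}

function maskIp(ip) {
  return maskIpv4(ip) ?? maskIpv6(ip) ?? '[invalid-ip]';
}

// Recursively copies a record, masking IP fields (comma-separated lists included)
// and redacting e-mail addresses inside every other string.
function sanitizeRecord(value, key = '') {
  if (typeof value === 'string') {
    if (IP_FIELDS.has(key.toLowerCase())) {
      return value.split(',').map(s => maskIp(s.trim())).join(', ');
    }
    return value.replace(EMAIL_RE, '[redacted-email]');
  }
  if (Array.isArray(value)) return value.map(v => sanitizeRecord(v, key));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, sanitizeRecord(v, k)]));
  }
  return value;
}

// Constructed sample record in the shape a Pino-style logger emits.
const sample = { level: 30, msg: 'login ok for alice@example.com', ip: '203.0.113.77',
  req: { headers: { 'x-forwarded-for': '2001:db8:85a3::8a2e:370:7334' } } };
console.log(JSON.stringify(sanitizeRecord(sample)));
```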
Infrastructure and Data Sovereignty

EU-Only Compute Region (critical)
Confirm that all cloud resources (compute, database, object storage) are provisioned exclusively in EU regions (e.g., eu-central-1) to avoid Schrems II complications.

Sub-processor Audit (critical)
Trace every outgoing network request from the production environment to ensure no data is sent to US-based services without a valid DPA.

Self-Hosted Asset Verification (recommended)
Ensure all fonts, icons, and JavaScript libraries are hosted on your own infrastructure rather than via third-party CDNs like Google Fonts or cdnjs.

Database Encryption at Rest (critical)
Verify that the underlying storage for Postgres/MySQL/NoSQL instances is encrypted using AES-256 with managed or customer-provided keys.

Encrypted Backups (critical)
Test backup restoration from an encrypted snapshot to ensure that backup files are not stored in cleartext on secondary storage.
Analytics and Tracking Compliance

Cookie-less Analytics Setup (critical)
Verify that Plausible, Umami, or Fathom is configured to run without generating or storing persistent browser cookies.

Do-Not-Track (DNT) Respect (recommended)
Validate that the analytics script or backend logic checks for the 'DNT' header and suppresses tracking if present.

Event Property Scrubbing (critical)
Scan all custom event metadata in PostHog or Matomo to ensure no dynamic user-input strings (such as search queries) contain PII.

Session Recording Masking (critical)
If using session replay, verify that all input fields and sensitive text elements are masked via CSS classes before being uploaded.

Fingerprinting Prevention (recommended)
Ensure that the tracking implementation does not use Canvas fingerprinting or TLS JA3 hashes to identify users across sessions.
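The DNT and event-property items above, as an added example that is not part of the checklist or of any analytics vendor's code: a server-side gate for a self-hosted event endpoint that drops the event when the browser sent DNT: 1 (or the newer Sec-GPC: 1), keeps only allow-listed properties, and scrubs free-text properties before storage. The allow-list, property names and sample event are assumptions.

```javascript
// Added example: gate an analytics event before it reaches the event store.
// ALLOWED_PROPS and FREE_TEXT_PROPS are assumed names for this application's schema.
const ALLOWED_PROPS = new Set(['path', 'referrer_host', 'locale', 'query']);
const FREE_TEXT_PROPS = new Set(['query']);
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

// Header names are compared case-insensitively; Node lower-cases them, raw clients may not.
function optedOut(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  return h['dnt'] === '1' || h['sec-gpc'] === '1';
}

// Free text (e.g. a search query) is scrubbed of e-mails and phone numbers and truncated.
function scrubText(text) {
  return text.replace(EMAIL_RE, '[email]').replace(PHONE_RE, '[phone]').slice(0, 200);
}

// Returns the event to store, or null when it must not be recorded at all.
function gateEvent(headers, event) {
  if (optedOut(headers)) return null;
  const props = {};
  for (const [k, v] of Object.entries(event.props ?? {})) {
    if (!ALLOWED_PROPS.has(k)) continue;            // unknown keys are dropped, never stored
    props[k] = FREE_TEXT_PROPS.has(k) ? scrubText(String(v)) : v;
  }
  return { name: event.name, ts: event.ts, props };
}

// Constructed sample request: a search event whose query and extra property carry PII.
const sampleHeaders = { 'user-agent': 'Mozilla/5.0', dnt: '0' };
const sampleEvent = { name: 'search', ts: 1700000000, props: {
  path: '/search', query: 'contact jane@example.com +1 555 010 0199', email: 'jane@example.com' } };
console.log(JSON.stringify(gateEvent(sampleHeaders, sampleEvent)));
console.log(gateEvent({ DNT: '1' }, sampleEvent));   // null: the browser opted out
```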
AI and Third-Party API Integration

LLM Training Opt-Out (critical)
Verify that API requests to LLM providers (e.g., OpenAI, Anthropic) include the specific flag or account setting to opt out of having submitted data used for training.

Local Embedding Generation (recommended)
Configure the application to generate vector embeddings locally (e.g., using Transformers.js or Ollama) instead of sending raw text to cloud APIs.

PII Pre-filtering for APIs (recommended)
Implement a regex-based or NLP filter to strip names and emails from user prompts before they are sent to external AI services.

Webhook Payload Minimization (recommended)
Review outgoing webhooks (e.g., to Stripe or Slack) and ensure they only send the minimum required IDs rather than full user objects.

Local LLM Fallback (optional)
Implement a local model fallback for processing highly sensitive data categories that cannot leave the VPC.
User Rights and Data Portability

Automated Data Export (Subject Access Request) (recommended)
Verify that users can trigger a self-service download of all their personal data in a machine-readable format (JSON/CSV).

Hard Deletion Cascade (critical)
Confirm that a 'Delete Account' action triggers a hard delete across all primary databases, related tables, and object storage buckets.

Backup Purge Cycle (recommended)
Verify that the backup retention policy is set to 30 days or less to ensure that deleted user data is eventually purged from all archives.

Consent Withdrawal Verification (critical)
Test that revoking consent for marketing or analytics immediately halts all associated data collection and processing activities.

Consent Audit Logging (recommended)
Ensure that every change in user consent is logged with a timestamp and the version of the privacy policy accepted.
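The consent withdrawal and consent audit items above, as an added example that is not part of the checklist: an append-only consent ledger in which every change is recorded with a timestamp and the privacy-policy version accepted, and a collector that consults the ledger before processing, so a withdrawal halts collection on the very next event. The purpose names, the in-memory store and the injectable clock are assumptions.

```javascript
// Added example: append-only consent ledger plus a collector that honours it.
// Assumed purposes; entries are frozen so the audit trail cannot be edited in place.
const PURPOSES = new Set(['analytics', 'marketing']);

class ConsentLedger {
  constructor(now = () => new Date()) {
    this.entries = [];                       // append-only; never mutated after insert
    this.now = now;                          // injectable clock for deterministic tests
  }
  record(userId, purpose, granted, policyVersion, source = 'settings-page') {
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (typeof policyVersion !== 'string' || !policyVersion) throw new Error('policyVersion required');
    const entry = Object.freeze({
      userId, purpose, granted: Boolean(granted), policyVersion, source,
      at: this.now().toISOString(),
    });
    this.entries.push(entry);
    return entry;
  }
  // Latest decision wins; no entry at all means no consent (opt-in by default).
  isAllowed(userId, purpose) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      const e = this.entries[i];
      if (e.userId === userId && e.purpose === purpose) return e.granted;
    }
    return false;
  }
  history(userId) {
    return this.entries.filter(e => e.userId === userId);
  }
}
// A collector that refuses to record an event for a purpose without current consent.
function collect(ledger, userId, purpose, event, sink) {
  if (!ledger.isAllowed(userId, purpose)) return false;
  sink.push({ userId, purpose, ...event });
  return true;
}
// Walk-through with a constructed user: grant, collect, withdraw, collect again.
function demo() {
  const ledger = new ConsentLedger();
  const sink = [];
  ledger.record('u-42', 'analytics', true, 'policy-2024-03');
  const first = collect(ledger, 'u-42', 'analytics', { name: 'pageview' }, sink);
  ledger.record('u-42', 'analytics', false, 'policy-2024-03', 'withdraw-link');
  const second = collect(ledger, 'u-42', 'analytics', { name: 'pageview' }, sink);
  return { first, second, stored: sink.length, audit: ledger.history('u-42').length };
}
console.log(demo());
```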
Communications and Email

Privacy-First Email Provider (recommended)
Verify that transactional emails are sent via privacy-respecting providers (e.g., Listmonk, Buttondown) rather than marketing-heavy platforms.

Tracking Pixel Removal (critical)
Disable open-tracking and click-tracking pixels in transactional emails to prevent leaking user IP and device data to the ESP.

Email Link Proxying (recommended)
Ensure that links in emails do not include identifying tokens in the URL parameters that could be leaked to third-party sites via Referer headers.

Double Opt-In Workflow (critical)
Validate that the newsletter or notification subscription process requires a confirmed double opt-in to prevent malicious signups.

List Segmentation Privacy (optional)
Verify that email lists are segmented without exporting entire user databases to the email service provider.
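The link-proxying item above, as an added example that is not part of the checklist: a pre-send check that scans an outgoing e-mail body for links whose query string carries an identifying value, which the recipient's browser would later pass on in the Referer header. Parameter names, the value heuristics, the base URL used to resolve relative links and the sample body are assumptions; links that must carry a one-time token (unsubscribe) belong behind a redirect on your own domain instead.

```javascript
// Added example: flag e-mail links whose query parameters identify the recipient.
// SUSPECT_PARAMS and the regexes are assumed heuristics; tune them to your link format.
const SUSPECT_PARAMS = new Set(['token', 'uid', 'user_id', 'email', 'session', 'key', 'auth']);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const OPAQUE_RE = /^[A-Za-z0-9_.-]{24,}$/;      // long random-looking values: tokens, JWTs
const BASE_URL = 'https://mail.example';        // assumed base for resolving relative hrefs

// Returns one finding per offending (link, parameter) pair; an empty array means clean.
function findLeakyLinks(html) {
  const findings = [];
  for (const m of html.matchAll(/href\s*=\s*["']([^"']+)["']/gi)) {
    let url;
    try { url = new URL(m[1], BASE_URL); } catch { continue; }   // unparsable hrefs are skipped
    for (const [name, value] of url.searchParams) {
      const suspect = SUSPECT_PARAMS.has(name.toLowerCase())
        || EMAIL_RE.test(value) || OPAQUE_RE.test(value);
      if (suspect) findings.push({ url: m[1], param: name, reason: 'identifying query parameter' });
    }
  }
  return findings;
}

// Constructed sample body: one clean link, three that would leak via Referer.
const sampleHtml = [
  '<a href="https://app.example/docs?ref=newsletter">Docs</a>',
  '<a href="https://app.example/settings?uid=42">Settings</a>',
  '<a href="https://app.example/u?e=bob@example.org">Profile</a>',
  '<a href="/unsubscribe?token=abc">Unsubscribe</a>',
].join('\n');
console.log(findLeakyLinks(sampleHtml));
```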