Recipe

Data classification

Tag every field with a sensitivity tier so Nimbus knows exactly what to protect, audit, or redact before it ever leaves your machine.

Tiers

Public

Safe anywhere — logs, dashboards, CDN caches.

Internal

Team-only. Never leaves the vault unencrypted.

Restricted

Keys, tokens, PII. Redacted by default.

Field annotation

Field               Tier        Rule
user.email          Restricted  Hash before log; never plaintext
user.display_name   Public      Safe for UI rendering
session.token       Restricted  Zero-out after 300 s idle
device.fingerprint  Internal    Encrypt at rest; audit on read
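
The annotation table above, applied to a record before it is written to a log. This is an added example, not Nimbus code or its API: sanitize_for_log, the placeholder strings, the use of HMAC-SHA256 as the hash, and the handling of untagged fields as Restricted are assumptions, and the sample record and key are constructed.

```python
import hashlib
import hmac

# Tier per field, transcribed from the annotation table above.
FIELD_TIERS = {
    "user.email": "Restricted",
    "user.display_name": "Public",
    "session.token": "Restricted",
    "device.fingerprint": "Internal",
}
# Fields whose rule permits a hashed form in logs ("Hash before log").
HASH_BEFORE_LOG = {"user.email"}

REDACTED = "[REDACTED]"  # hypothetical placeholder strings
WITHHELD = "[INTERNAL]"


def keyed_hash(value: str, key: bytes) -> str:
    """Assumption: HMAC-SHA256, so low-entropy values like emails resist guessing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def sanitize_for_log(record: dict, key: bytes) -> dict:
    """Return a copy of a flat record that is safe to write to a log."""
    out = {}
    for field, value in record.items():
        # Assumption: fail closed, an untagged field is handled as Restricted.
        tier = FIELD_TIERS.get(field, "Restricted")
        if tier == "Public":
            out[field] = value
        elif tier == "Internal":
            out[field] = WITHHELD  # must not leave the vault unencrypted
        elif field in HASH_BEFORE_LOG:
            out[field] = "hmac-sha256:" + keyed_hash(str(value), key)
        else:
            out[field] = REDACTED  # Restricted: redacted by default
    return out


# Constructed sample key and record, for illustration only.
SAMPLE_KEY = b"example-log-pepper"
SAMPLE_RECORD = {
    "user.email": "alice@example.com",
    "user.display_name": "Alice",
    "session.token": "tok_constructed_123",
    "device.fingerprint": "fp-constructed-abc",
    "user.phone": "555-0100",  # not in the table, so treated as Restricted
}
```
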

Enforcement

The Nimbus loader validates classification tags at injection time. Fields marked Restricted are stripped from ETW telemetry and never serialized into crash dumps. Internal fields require an active license heartbeat before decryption.