Privacy is the experience of handling the personal data that flows through APIs responsibly. APIs move sensitive information constantly, and the people to whom that data belongs have a stake in how it is classified, stored, and shared. Respecting privacy is both a legal obligation and a foundation of the trust consumers place in an API. I pay close attention to privacy because APIs are where data protection succeeds or fails in practice. Classifying the personal data an API handles, being clear about residency and retention, and honoring consent are what turn privacy from a policy document into something real. The providers who treat privacy as a first-class part of API operations earn a durable kind of trust.
Privacy
Policies
Consent and DPA Provided
Every API that touches personal data must provide a data processing agreement and a clear record of the consent under which that data is handled. I require that the DPA be available to consumers be...
Data Ownership Respected
Require that an API respects the ownership of the data it handles, treating consumer and end-user data as belonging to them rather than to whoever stores it. Ownership shapes what a provider may do...
Data Portability Provided
Require that consumers can export their data from an API in a portable, standard format without friction or penalty. The data flowing through an API belongs to the people and organizations it descr...
Data Privacy and PII Classified
I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstre...
Data Residency Enforced
I require that every API declares where the data it handles is stored and processed, and that those residency commitments are actually enforced rather than merely stated in a policy document. Consu...
Data Retention Defined
Require that every API declare a written retention policy stating how long each category of data is kept, why it is kept, and when it is destroyed. I expect this policy to be discoverable alongside...
Strategies
APIs Respect Data Privacy and Residency
I want privacy and residency to be built into how our APIs handle data, not bolted on after a regulator or a customer asks the hard question. That means we classify the PII moving through our APIs ...
APIs Support Data Portability and Ownership
The data flowing through an API belongs to the people and organizations it describes, not to whoever happens to be storing it. I believe APIs should make it genuinely possible for consumers to expo...