CDX-301b · Module 3

Compliance Requirements & Data Handling

4 min read

Enterprise Codex deployments must satisfy compliance requirements that go beyond technical security. SOC 2, HIPAA, GDPR, and PCI-DSS each impose specific constraints on how AI tools process data. The common thread: sensitive data (PII, PHI, financial data, credentials) must not leave the organization's control boundary. When Codex processes code containing sensitive data and sends it to the API, that data crosses a trust boundary. Compliance frameworks require you to document, control, and audit those crossings.

The practical compliance strategy has three components. First, data classification: tag files and directories that contain sensitive data. Second, access control: configure AGENTS.md rules that prevent Codex from reading classified files. Third, audit trail: log every Codex session, every file it read, and every command it ran. Together, these give compliance auditors the evidence they need: you know where sensitive data lives, you control access to it, and you can prove what happened in every session.

# Compliance Rules (SOC 2 / HIPAA)

## Data Classification
- PII data lives in src/models/customer/ — NEVER read these files
- PHI data lives in src/services/health/ — NEVER read these files
- Financial data in src/services/billing/ — read-only, never modify

## Access Restrictions
- Never display, log, or include PII fields (email, SSN, phone, address)
- Never read database migration files containing seed data
- Never access .env, .env.local, or any credentials file
- Never run commands that output environment variables

## Audit Requirements
- Log every file read and command executed (handled by session config)
- All code changes must reference a ticket number in the commit message
- Security-relevant changes require a second review comment
  1. Classify your data Walk through your codebase and tag directories containing PII, PHI, financial data, or credentials. Create a data map document that compliance can reference.
  2. Write access rules For each classified directory, add an AGENTS.md rule that prevents Codex from reading or modifying those files. Use explicit language: "NEVER read" not "avoid reading."
  3. Enable session logging Configure Codex to log every session with file access and command execution details. Store logs in a tamper-evident system that compliance can audit.