The Data Privacy Act of 2012 (Republic Act No. 10173) establishes the framework for personal information processing in the Philippines. This section maps each data processing activity within the Agrifinance platform to its corresponding controller/processor designation under the law.
| Data Processing Activity | Data Controller | Data Processor | Joint Controller? | Rationale |
|---|---|---|---|---|
| KYC data collection & verification | Government program sponsor | Platform | No | Government defines purpose (program eligibility), platform processes on behalf. Per NPC Advisory No. 2017-01, the entity determining the purpose and means of processing is the personal information controller. |
| Transaction processing & settlement | Platform (operational) | Platform | N/A | Platform operates payment infrastructure, determines processing methods. Platform acts as controller for operational aspects of payment processing as an obligated institution under AMLA. |
| Disbursement scheduling | Government program sponsor | Platform | No | Government decides who gets paid, when, and how much. Government exercises control over the purpose and scope of disbursement processing. |
| Voucher policy configuration | Government program sponsor | Platform | No | Government defines spending categories, limits, program rules. Platform implements but does not determine policy parameters. |
| Analytics & BI reporting | Government program sponsor | Platform | Analysis required | Government uses for policy decisions; platform may have legitimate interest in aggregated operational metrics. Joint controller analysis per NPC Circular 2024-01 required. |
| AMLC/CFT compliance reporting | AMLC | Platform | No | AMLC is independent regulator; platform files as obligated institution under RA 9160 as amended by RA 10365. Platform has independent legal obligation. |
| Platform operational telemetry | Platform | Platform | N/A | Platform's own operational data, not personal data of beneficiaries. System metrics, performance counters, and infrastructure data fall outside personal information scope. |
| PhilSys identity verification | PSA/National ID System | Platform | No | PSA is the data controller for national identity data. Platform queries verification endpoint and receives match/no-match result without accessing raw identity data. |
| Vendor/merchant onboarding | Platform | Platform | N/A | Platform determines criteria for vendor accreditation and processes vendor applications as controller of vendor personal data. |
| Customer support interactions | Platform | Platform | N/A | Platform collects and processes support communications as controller. Government receives anonymized support metrics only. |
Key Regulatory References:
- RA 10173 Section 3(g): Definition of Personal Information Controller
- RA 10173 Section 3(f): Definition of Personal Information Processor
- NPC Circular 2016-01: Registration of Personal Information Processing Systems
- NPC Advisory No. 2017-01: Guidance on the Designation of Data Protection Officers
- NPC Circular 2024-01: Guidelines on Personal Information Processing Outsourcing
Each government-administered program on the platform operates under a formal Data Processing Agreement executed between the Government Controller and the Platform Processor.
DPA Structure:
- DPA executed between Government Controller and Platform Processor for each program
- DPA specifies: processing purposes, data categories, retention periods, security measures, sub-processor list, audit rights, data subject rights cooperation
- DPA reviewed and updated annually or upon material change to processing activities, organizational structure, or applicable law
- Sub-processors (cloud providers, screening vendors, identity verification providers) listed with opt-out right for Controller
- DPA template approved by platform DPO, reviewed by government legal counsel
- DPA executed under Philippine law with venue in Manila for dispute resolution
- DPA references NPC-issued templates and follows NPC Circular 2024-01 outsourcing guidelines
Standard DPA Clauses:
| Clause | Description | Reference |
|---|---|---|
| Purpose Limitation | Processing limited to purposes specified in Annex A of DPA | RA 10173 Sec. 11 |
| Data Minimization | Only data necessary for specified purposes collected and processed | RA 10173 Sec. 11 |
| Processing Instructions | Platform processes data only on documented instructions from Controller | RA 10173 Sec. 20 |
| Confidentiality | All personnel with data access bound by confidentiality obligations | RA 10173 Sec. 20 |
| Security Measures | Technical and organizational measures per Annex B of DPA | RA 10173 Sec. 20 |
| Sub-processing | Prior written authorization required; Controller may object | NPC Circular 2024-01 |
| Data Subject Rights | Platform assists Controller in fulfilling data subject rights within SLA | RA 10173 Sec. 16 |
| Breach Notification | Platform notifies Controller within 24 hours of breach awareness | NPC Circular 2016-03 |
| Audit & Inspection | Controller may audit Platform with 30 days notice, annually | RA 10173 Sec. 20 |
| Data Return/Deletion | Upon termination, Platform returns or deletes all personal data | RA 10173 Sec. 20 |
| Cross-border Transfer | Data transfers outside Philippines require Controller authorization | RA 10173 Sec. 12 |
| Records of Processing | Platform maintains processing records available for Controller inspection | RA 10173 Sec. 20 |
DPA Amendment Process:
- Material change identified (new data category, new sub-processor, new processing purpose)
- DPO assesses impact on existing DPA
- Amendment drafted with specific clause references
- Amendment reviewed by government legal counsel
- Amendment executed by authorized signatories of both parties
- Amendment logged in DPA version registry with effective date
- Affected operational teams notified of changes
- DPA training updated for new requirements
This section establishes clear ownership and governance principles for all data categories processed by the platform.
| Data Category | Data Subject Rights | Controller | Processor | Governance Rules |
|---|---|---|---|---|
| Beneficiary personal data (PhilSys-linked) | Full rights under RA 10173 Sec. 16 (access, rectification, erasure, portability, lodging complaints) | Government program sponsor | Platform | Beneficiary retains ownership of their personal data. Government controls purpose and means. Platform processes under DPA instructions. No secondary use without consent. |
| Beneficiary personal data (platform-collected operational data) | Full rights under RA 10173 Sec. 16 | Platform | Platform | Platform collects device data, session data, and usage telemetry for operational purposes. Governed by platform privacy policy. Government receives only anonymized aggregates. |
| Transaction data (personal identifiers linked) | Full rights under RA 10173 Sec. 16 | Government program sponsor | Platform | Transaction data with personal linkage governed by DPA. Government controls access to beneficiary-linked transaction records. |
| Transaction data (Stellar on-chain) | Limited (pseudonymous public ledger) | N/A | N/A | Stellar blockchain transactions are pseudonymous public records. Not personal data under RA 10173 when viewed on-chain. Linkage to identity exists only in platform's off-chain Obligation Ledger. |
| Obligation Ledger entries | Platform governance (operational record) | Platform | Platform | Platform retains ownership as operational record of system state. Provides access to Government and regulators under API access controls. |
| Voucher policy configurations | Government intellectual property | Government program sponsor | Platform | Policy rules, spending categories, and program parameters are government-defined. Platform stores and executes but does not claim ownership. |
| Aggregated/anonymized data | N/A (not personal data) | Platform | N/A | Platform may retain aggregated and anonymized data for operational improvement, benchmarking, and product development. Irreversible anonymization verified. No re-identification permitted under any circumstance. |
| Audit logs | Platform operational record with regulator access | Platform | Platform | Platform retains ownership as operational record. Provides access to Government, COA, BSP, and NPC under regulated access controls. 7-year minimum retention. |
| KYC screening results (watchlist matches) | Platform operational record | Platform (for AMLA compliance) | Screening vendor | Platform maintains screening results as obligated institution under RA 9160. Shared with AMLC per legal obligation. |
| Consent records | Full rights under RA 10173 Sec. 16 | Platform (for consent management) | Platform | Consent records document the data subject's choices. Platform manages consent infrastructure. Government receives consent status via API. |
| Device/IP profiling | Full rights under RA 10173 Sec. 16 | Platform | Platform | Short-retention operational data for fraud detection and security. 1-year maximum retention. Not shared with Government unless required for fraud investigation. |
| Data lineage records | Platform operational record | Platform | Platform | Records tracking data origin, transformations, and transfers. Platform retains for accountability and audit purposes. |
Stellar On-Chain Data Clarification: Stellar network transactions produce public, pseudonymous records on the distributed ledger. These records contain:
- Source and destination public keys (Ed25519)
- Asset types and amounts
- Transaction hashes and signatures
- Memo fields (may contain platform-specific identifiers)
These on-chain records are not personal data under RA 10173 because:
- Public keys are pseudonymous and do not directly identify individuals
- No personal information is stored on-chain
- The linkage between public keys and beneficiary identity exists only in the platform's off-chain Obligation Ledger
- The platform's obligation ledger is the system of record for regulatory purposes
The platform does not process, store, or have control over Stellar network data. Stellar network data governance is determined by the Stellar Development Foundation and the broader Stellar network consensus mechanism.
Republic Act No. 10173 Section 12 establishes the criteria for lawful processing of personal information. The following table maps each processing activity to its lawful basis.
| Processing Purpose | Lawful Basis | DPA Section | Consent Required? | Regulatory Reference |
|---|---|---|---|---|
| KYC/Identity verification | Legal obligation (AMLA RA 9160 as amended) + Contract performance | Section 1 (Purpose) | No (legal obligation), but consent captured for transparency | BSP Manual of Regulations for Banks, AMLC Covered Institution rules |
| Transaction processing | Contract performance | Section 1 (Purpose) | No (inherent to service delivery) | RA 10173 Sec. 12(b) - processing necessary for contract performance |
| AMLC/CFT screening | Legal obligation (AMLA RA 9160) | Section 1 (Purpose) | No (mandatory by law) | RA 9160 Section 9, AMLC Council regulations |
| Disbursement execution | Contract performance + Legal obligation | Section 1 (Purpose) | No (program enrollment implies consent) | RA 10173 Sec. 12(b), GAA provisions for government program |
| Fraud detection & prevention | Legitimate interest + Legal obligation | Section 2 (Security) | No (legitimate interest overriding data subject rights) | RA 10173 Sec. 12(f), BSP cybersecurity requirements |
| Analytics/BI (anonymized) | Legitimate interest | Section 4 (Analytics) | No (anonymized data not subject to RA 10173) | NPC guidance on anonymization standards |
| Marketing communications | Consent | Separate consent form | Yes, explicit opt-in | RA 10173 Sec. 12(a), NPC guidelines on direct marketing |
| DSR handling | Legal obligation (DPA RA 10173) | Section 5 (Data Subject Rights) | N/A | RA 10173 Sec. 16 - data subject rights |
| System security monitoring | Legitimate interest | Section 2 (Security) | No (security operations necessity) | RA 10173 Sec. 12(f), BSP Circular 1071 |
| Regulatory reporting | Legal obligation | Section 3 (Compliance) | No (mandatory by law) | BSP regulations, AMLC rules, SEC requirements |
| Cross-border data transfer | Consent or adequacy finding | Section 6 (Data Transfers) | Yes (if not to adequate jurisdiction) | RA 10173 Sec. 12, NPC cross-border transfer guidelines |
| Research & development (anonymized) | Legitimate interest | Section 4 (Analytics) | No (anonymized, public interest) | RA 10173 Sec. 12(f), NPC research guidelines |
Consent Management Framework:
- Consent captured via digital interface with clear affirmative action (no pre-ticked boxes)
- Consent recorded with: timestamp, consent text version, user ID, consent scope, withdrawal mechanism
- Consent versioning: each material change to processing purposes requires renewed consent
- Consent withdrawal: available at any time via platform settings or DPO contact, processed within 24 hours
- Consent granularity: separate consent for each distinct processing purpose
- Consent records retained for duration of processing + 3 years
- Consent audit trail: immutable record of all consent events (given, withdrawn, renewed, expired)
All data protection measures comply with BSP Circular No. 1071 (Cybersecurity Framework) and NPC guidelines on security measures.
| Data State | Standard | Key Management | Review Frequency | Regulatory Reference |
|---|---|---|---|---|
| Data at rest (database) | AES-256-GCM | HSM-backed KMS (AWS CloudHSM or equivalent), key rotation every 12 months, dual-control key access | Annual | BSP Circular 1071 Sec. 6.2, NIST SP 800-57 |
| Data at rest (backup) | AES-256-GCM | Separate encryption key from production, geographically separate KMS, key rotation every 12 months | Annual | BSP Circular 1071 Sec. 6.2, NIST SP 800-34 |
| Data in transit | TLS 1.3 (minimum TLS 1.2 with approved cipher suites) | Internal CA + trusted public CA certificates, auto-renewal via ACME protocol, certificate pinning for mobile | Continuous monitoring | BSP Circular 1071 Sec. 6.1, OWASP TLS Cheat Sheet |
| API payload signing | HMAC-SHA256 (symmetric) or Ed25519 (asymmetric) | API keys rotated every 90 days, Ed25519 private keys stored in HSM | Per rotation schedule | BSP Circular 1071 Sec. 6.3 |
| Stellar signing keys | Ed25519 (Stellar network standard) | HSM-backed, multi-signature for issuer accounts (M-of-N threshold signing) | Continuous monitoring | Stellar Development Foundation guidelines |
| Database credentials | N/A (no encryption of credentials, access-controlled) | Vault-backed secret management, automatic rotation every 30 days, no shared credentials | Monthly | BSP Circular 1071 Sec. 5.2 |
| Backup encryption | AES-256-GCM + RSA-4096 for envelope encryption | Separate key hierarchy from production, off-site key escrow | Annual | NIST SP 800-34, BSP Circular 1071 |
| Mobile app data | SQLCipher (SQLite encryption) or platform secure enclave | Device-bound keys, no server-side key escrow for local data | Per release cycle | OWASP MASVS |
| Log encryption | AES-256-GCM for archived logs | Separate KMS key, access logged | Annual | BSP Circular 1071 Sec. 6.2 |
Key Management Principles:
- All cryptographic keys generated using NIST-approved random number generators
- Key generation, storage, rotation, and destruction logged in immutable audit trail
- HSM access requires dual authorization (split knowledge principle)
- Key compromise incident response: immediate key rotation, affected data re-encrypted, breach assessment initiated
- Annual cryptographic key management review by independent security auditor
- Post-quantum cryptography readiness assessment conducted annually (monitoring NIST PQC standardization)
Retention periods comply with RA 10173 Section 20 (data retention limitation), AMLA record-keeping requirements, and BSP regulations.
| Data Category | Retention Period | Trigger for Deletion | Legal Hold Override | Regulatory Reference |
|---|---|---|---|---|
| KYC identity records (MDM golden record) | 5 years from account closure | Account closed + 5 years | AMLC investigation, litigation, NPC inquiry | AMLA RA 9160 Sec. 9(f), BSP MOR retention requirements |
| KYC supporting documents (IDs, photos, biometrics) | 5 years from account closure | Account closed + 5 years | AMLC investigation, litigation | AMLA RA 9160 Sec. 9(f) |
| Transaction records (Obligation Ledger) | 5 years from transaction | Transaction date + 5 years | AMLC investigation, litigation, COA audit | AMLA RA 9160 Sec. 9(f), PD 1445 (Gov't auditing) |
| Consent records | Duration of processing + 3 years | Processing purpose ends + 3 years | DPA investigation, litigation, NPC inquiry | RA 10173 Sec. 20 |
| AMLC screening results (hit/non-hit) | 5 years from screening | Screening date + 5 years | AMLC investigation | AMLC regulations |
| STR/CTR filed with AMLC | 5 years from filing | Filing date + 5 years | AMLC investigation (extended) | RA 9160 Sec. 9 |
| Audit logs (event-sourced) | 7 years | Log entry date + 7 years | Investigation (extended to investigation duration + 5 years) | BSP Circular 1071, COA regulations |
| Device/IP profiling | 1 year from collection | Collection date + 1 year | Investigation (extended) | RA 10173 Sec. 20 (proportionality principle) |
| Data lineage records | 5 years from last change | Last change + 5 years | Investigation | RA 10173 Sec. 20 |
| Aggregated/anonymized data | Indefinite | N/A (not personal data) | N/A | N/A (outside RA 10173 scope) |
| Sub-processor audit reports | 5 years from report date | Report date + 5 years | Investigation | NPC Circular 2024-01 |
| Incident response records | 10 years from incident closure | Incident closed + 10 years | Ongoing litigation | BSP Circular 1071, NPC breach notification guidelines |
| DPO correspondence (NPC, data subjects) | 5 years from correspondence | Correspondence date + 5 years | Investigation, litigation | RA 10173 Sec. 20 |
| Privacy Impact Assessment records | 5 years from assessment | Assessment date + 5 years | Investigation | NPC PIA guidelines |
| Training records (data privacy) | 3 years from training completion | Training date + 3 years | Investigation | RA 10173 Sec. 26, NPC training guidelines |
Retention Schedule Review:
- Retention schedules reviewed annually by DPO
- Review considers: changes in applicable law, regulatory guidance, business requirements, data minimization principles
- Shorter retention periods adopted where legally permissible
- Retention extensions require DPO approval with documented justification
- Automated lifecycle management system enforces retention schedules
The data deletion workflow ensures secure, verifiable, and auditable destruction of personal data at end of retention.
┌─────────────────────────────────────────────────────────────────────┐
│ DATA DELETION WORKFLOW │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ 1. RETENTION EXPIRY DETECTION │
│ Automated lifecycle management system identifies records │
│ exceeding retention period (daily scan at 02:00 UTC) │
│ │
│ 2. LEGAL HOLD CHECK │
│ Query legal hold registry for active holds on identified │
│ records. If hold exists: skip deletion, log check, requeue │
│ for next cycle. If no hold: proceed to Step 3. │
│ │
│ 3. DELETION SCHEDULING │
│ Records queued for deletion with 30-day grace period │
│ Deletion job created with: record IDs, data categories, │
│ scheduled deletion date, authorization reference │
│ │
│ 4. GRACE PERIOD NOTIFICATION │
│ DPO receives deletion queue report for review │
│ Report includes: record counts, data categories, age, │
│ associated data subjects, related consent status │
│ 30-day window for DPO to flag records for retention extension │
│ │
│ 5. DPO REVIEW & CONFIRMATION │
│ DPO reviews deletion queue, checks for: │
│ - Pending data subject requests (DSRs) │
│ - Upcoming regulatory examinations │
│ - Business justification for retention extension │
│ DPO confirms deletion or extends retention with justification │
│ │
│ 6. DELETION EXECUTION │
│ Database records: NIST SP 800-88 Purge (overwrite, crypto erase)│
│ Backup records: Overwritten at next backup cycle (max 90 days) │
│ Files: Cryptographic shredding (encryption key destroyed) │
│ Stellar off-chain linkage: Obligation Ledger entry marked │
│ as deletion-completed, personal identifiers replaced with hash │
│ │
│ 7. DELETION CONFIRMATION │
│ Confirmation logged in immutable audit trail with: │
│ - event_type: data.deletion_completed │
│ - record_ids (hashed, no personal data in log) │
│ - deletion_method (NIST SP 800-88 reference) │
│ - operator_id (automated system identifier) │
│ - timestamp (ISO-8601) │
│ - signature (Ed25519) │
│ │
│ 8. MONTHLY DELETION REPORT │
│ DPO receives monthly report: │
│ - Total records deleted by category │
│ - Deletion method verification │
│ - Failed deletions and root cause │
│ - Legal hold overrides applied │
│ - Retention extensions granted │
│ Report retained for 5 years │
│ │
└─────────────────────────────────────────────────────────────────────┘
Deletion Methods by Data Store:
| Data Store | Deletion Method | Standard | Verification |
|---|---|---|---|
| PostgreSQL (production) | Secure DELETE + VACUUM, crypto-shred for encrypted columns | NIST SP 800-88 Purge | Post-deletion SELECT verification, audit log |
| Redis (cache) | FLUSHDB for targeted keys, data overwritten by eviction | NIST SP 800-88 Clear | Cache miss verification |
| S3-compatible (backups) | Object deletion, bucket versioning creates delete marker, lifecycle policy purges old versions | NIST SP 800-88 Purge | S3 object listing, lifecycle log |
| Elasticsearch (search index) | Document DELETE by query, index refresh | NIST SP 800-88 Clear | Search query returns no results |
| HSM (keys) | Cryptographic key destruction via HSM command | NIST SP 800-88 Destroy | HSM key listing, no key found |
| File system (exports, logs) | Secure delete (shred, srm) or cryptographic shredding | NIST SP 800-88 Purge | File listing, entropy analysis of disk sectors |
The legal hold process ensures data subject to investigation, litigation, or regulatory inquiry is preserved beyond standard retention periods.
┌─────────────────────────────────────────────────────────────────────┐
│ LEGAL HOLD PROCESS │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ 1. LEGAL HOLD REQUEST │
│ Request received from: Legal team, external authority (AMLC, │
│ NPC, COA, court order), or internal investigation │
│ Request format: Legal hold form with required fields │
│ Requestor: Authorized legal counsel or regulator │
│ │
│ 2. DPO VALIDATION │
│ DPO validates: │
│ - Requestor authority (credentials, mandate) │
│ - Scope specificity (data categories, date ranges, individuals) │
│ - Justification (case reference, investigation number) │
│ - Duration (defined period or "until further notice") │
│ Invalid requests returned to requestor with correction request │
│ Valid requests proceed to Step 3 │
│ │
│ 3. LEGAL HOLD APPLICATION │
│ Legal hold applied in legal hold management system │
│ Hold record created with: │
│ - hold_id (UUID) │
│ - requestor (name, organization, contact) │
│ - scope (data categories, individual identifiers hashed) │
│ - justification (case reference, authority citation) │
│ - effective_date (ISO-8601) │
│ - expiry_date (if applicable, otherwise "indefinite") │
│ - status (active) │
│ Automated deletion systems notified of hold │
│ │
│ 4. DELETION SUSPENSION │
│ Lifecycle management system excludes held records from │
│ deletion queues │
│ Daily legal hold check: all records scheduled for deletion │
│ cross-referenced against active legal holds │
│ Conflicts resolved in favor of preservation │
│ │
│ 5. NOTIFICATION & LOGGING │
│ Legal hold logged in immutable audit trail │
│ Relevant system administrators notified (need-to-know basis) │
│ Data Protection Team records hold in DPO case management system │
│ │
│ 6. QUARTERLY LEGAL HOLD REVIEW │
│ Legal team reviews all active legal holds quarterly │
│ Each hold assessed for: │
│ - Continued necessity │
│ - Scope accuracy │
│ - Duration reasonableness │
│ - Cost impact (storage, management overhead) │
│ Holds no longer necessary are recommended for release │
│ │
│ 7. LEGAL HOLD RELEASE │
│ Release initiated by: │
│ - Requestor (formal release notice) │
│ - DPO (quarterly review recommendation, approved by Legal) │
│ - Automatic (expiry date reached) │
│ Release logged with: release_date, reason, releasing_party │
│ Records return to standard retention schedule │
│ Deletion eligibility reassessed at next lifecycle scan │
│ │
│ 8. NORMAL RETENTION RESUMPTION │
│ Upon hold release, affected records evaluated against │
│ standard retention schedule │
│ Records exceeding retention + grace period queued for deletion │
│ Records within retention period continue normal lifecycle │
│ │
└─────────────────────────────────────────────────────────────────────┘
Legal Hold Registry Schema:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Legal Hold Registry Entry",
"type": "object",
"required": ["hold_id", "requestor", "scope", "justification", "effective_date", "status"],
"properties": {
"hold_id": {
"type": "string",
"format": "uuid",
"description": "Unique identifier for the legal hold"
},
"requestor": {
"type": "object",
"required": ["name", "organization", "contact", "authority"],
"properties": {
"name": { "type": "string", "description": "Full name of requesting party" },
"organization": { "type": "string", "description": "Organization or authority" },
"contact": { "type": "string", "format": "email" },
"authority": { "type": "string", "description": "Legal authority or mandate reference" }
}
},
"scope": {
"type": "object",
"required": ["data_categories", "identifiers"],
"properties": {
"data_categories": {
"type": "array",
"items": { "type": "string", "enum": ["kyc_records", "transaction_records", "consent_records", "audit_logs", "screening_results", "device_profiles", "communications", "all"] },
"description": "Categories of data covered by the hold"
},
"identifiers": {
"type": "array",
"items": { "type": "string" },
"description": "Hashed identifiers of affected individuals or entities"
},
"date_range": {
"type": "object",
"properties": {
"from": { "type": "string", "format": "date-time" },
"to": { "type": "string", "format": "date-time" }
}
},
"programs": {
"type": "array",
"items": { "type": "string" },
"description": "Program IDs affected by the hold"
}
}
},
"justification": {
"type": "object",
"required": ["case_reference", "authority_citation"],
"properties": {
"case_reference": { "type": "string", "description": "Internal case or investigation reference" },
"authority_citation": { "type": "string", "description": "Legal authority cited in hold request" },
"description": { "type": "string", "description": "Brief description of matter" }
}
},
"effective_date": { "type": "string", "format": "date-time" },
"expiry_date": { "type": ["string", "null"], "format": "date-time", "description": "null for indefinite holds" },
"status": { "type": "string", "enum": ["active", "released", "expired"] },
"release_info": {
"type": ["object", "null"],
"properties": {
"release_date": { "type": "string", "format": "date-time" },
"released_by": { "type": "string" },
"reason": { "type": "string" }
}
},
"quarterly_reviews": {
"type": "array",
"items": {
"type": "object",
"properties": {
"review_date": { "type": "string", "format": "date-time" },
"reviewer": { "type": "string" },
"recommendation": { "type": "string", "enum": ["continue", "release", "modify"] },
"notes": { "type": "string" }
}
}
},
"audit_trail": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": { "type": "string", "format": "date-time" },
"action": { "type": "string" },
"actor": { "type": "string" },
"details": { "type": "string" }
}
}
}
}
}Government agencies access program data through a governed API layer designed for security, auditability, and regulatory compliance.
| Agency | Access Type | Data Scope | Authentication | Authorization | Rate Limit | Data Format |
|---|---|---|---|---|---|---|
| Department of Agriculture (DA) | REST + GraphQL | All program data for DA-administered programs | OAuth 2.0 + government SSO (SAML 2.0) | Role-based, program-scoped | 1,000 req/hour | JSON |
| Philippine Statistics Authority (PSA) | REST | PhilSys verification status, identity match results, aggregate demographic data | OAuth 2.0 + mutual TLS | Service account, read-only | 500 req/hour | JSON |
| Local Government Units (LGU) | REST | Program data for LGU-administered programs in their jurisdiction only | OAuth 2.0 + role-based access | Role-based, geographic-scoped | 200 req/hour | JSON |
| Commission on Audit (COA) | REST + GraphQL | Full audit log access, transaction history, reconciliation reports, Obligation Ledger | Dedicated auditor credentials, time-bounded tokens | Auditor role, full read | 200 req/hour | JSON, JSONL, PDF |
| BSP | REST | Aggregate program metrics, NAV reports, reserve attestation, anchor SLA compliance | Dedicated regulator credentials, mTLS | Regulator role, full read | Unlimited (regulated) | JSON, CSV |
| AMLC | REST | STR/CTR filing status, screening results, compliance reports | Dedicated regulator credentials, mTLS | Regulator role, compliance-scoped | Unlimited (regulated) | JSON, XML |
| NPC (National Privacy Commission) | REST | Privacy compliance data, consent records, DSR processing status, breach reports | Dedicated regulator credentials | Regulator role, privacy-scoped | Unlimited (regulated) | JSON |
| Department of Social Welfare (DSWD) | REST + GraphQL | Social program beneficiary data, disbursement records, redemption analytics | OAuth 2.0 + government SSO | Role-based, program-scoped | 500 req/hour | JSON |
API Versioning Strategy:
- API version included in URL path:
/api/v1/government/... - Major version increments for breaking changes
- Minor version increments for new features (backward compatible)
- Deprecation notice: 6 months minimum before version sunset
- Sunset header included in responses for deprecated versions
- Migration guide published for each major version
List beneficiaries for a program (paginated, role-scoped).
Query Parameters:
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| page | integer | No | Page number (1-indexed) | page=1 |
| page_size | integer | No | Records per page (max 100) | page_size=50 |
| kyc_tier | string | No | Filter by KYC tier (tier_0, tier_1, tier_2, tier_3) | kyc_tier=tier_2 |
| status | string | No | Filter by status (active, suspended, closed) | status=active |
| geo_filter | string | No | Filter by geographic area (barangay, municipality, province) | geo_filter=province:palawan |
| date_from | date | No | Filter by enrollment date (from) | date_from=2025-01-01 |
| date_to | date | No | Filter by enrollment date (to) | date_to=2025-03-31 |
| sort_by | string | No | Sort field (enrollment_date, status, kyc_tier) | sort_by=enrollment_date |
| sort_order | string | No | Sort direction (asc, desc) | sort_order=desc |
Response:
{
"data": [
{
"beneficiary_id": "sha256:a1b2c3d4...",
"kyc_tier": "tier_2",
"status": "active",
"geographic": {
"barangay": "San Roque",
"municipality": "Puerto Princesa",
"province": "Palawan",
"region": "MIMAROPA"
},
"enrollment_date": "2025-01-15T08:30:00Z",
"last_activity_date": "2025-04-01T14:22:00Z",
"voucher_statistics": {
"total_vouchers_issued": 12,
"total_vouchers_redeemed": 10,
"total_vouchers_expired": 2,
"total_value_issued": "12000.00",
"total_value_redeemed": "10000.00",
"currency": "PHP"
}
}
],
"pagination": {
"page": 1,
"page_size": 50,
"total_records": 1547,
"total_pages": 31,
"has_next": true,
"has_prev": false
},
"metadata": {
"program_id": "prog_abc123",
"program_name": "Rice Subsidy Program - Palawan",
"generated_at": "2025-04-07T10:00:00Z",
"consent_verified": true,
"data_classification": "restricted"
}
}List transactions for a program (paginated, role-scoped).
Query Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| page | integer | No | Page number (1-indexed) |
| page_size | integer | No | Records per page (max 100) |
| date_from | date-time | No | Filter by transaction date (from) |
| date_to | date-time | No | Filter by transaction date (to) |
| beneficiary_id | string | No | Filter by hashed beneficiary ID |
| vendor_id | string | No | Filter by vendor ID |
| status | string | No | Filter by status (initiated, completed, failed, reversed) |
| transaction_type | string | No | Filter by type (disbursement, redemption, claim, burn, clawback) |
| asset_type | string | No | Filter by asset (PHP_stablecoin, rice_voucher, corn_voucher) |
| sort_by | string | No | Sort field (timestamp, amount, status) |
| sort_order | string | No | Sort direction (asc, desc) |
Aggregate program summary dashboard.
Response:
{
"program_id": "prog_abc123",
"program_name": "Rice Subsidy Program - Palawan",
"period": {
"from": "2025-01-01T00:00:00Z",
"to": "2025-04-07T23:59:59Z"
},
"beneficiaries": {
"total_enrolled": 1547,
"active": 1423,
"suspended": 84,
"closed": 40,
"by_kyc_tier": {
"tier_0": 12,
"tier_1": 156,
"tier_2": 890,
"tier_3": 489
},
"by_geographic_area": {
"municipalities_covered": 8,
"barangays_covered": 142,
"top_municipality": "Puerto Princesa City"
}
},
"financials": {
"total_disbursed": "15470000.00",
"total_redeemed": "14230000.00",
"total_outstanding": "1240000.00",
"redemption_rate": 0.92,
"currency": "PHP"
},
"vouchers": {
"total_issued": 15470,
"total_redeemed": 14230,
"total_expired": 890,
"total_burned": 350
},
"vendors": {
"total_accredited": 234,
"active_vendors": 198,
"top_vendor_categories": [
{ "category": "Rice Retailers", "count": 89, "volume": "8900000.00" },
{ "category": "Agricultural Supply", "count": 67, "volume": "3200000.00" },
{ "category": "General Merchandise", "count": 42, "volume": "2130000.00" }
]
},
"compliance": {
"kyc_compliance_rate": 0.97,
"aml_screening_pass_rate": 0.998,
"flags_raised": 23,
"flags_resolved": 21,
"flags_pending": 2
},
"generated_at": "2025-04-07T10:00:00Z"
}Reconciliation status report.
Response:
{
"program_id": "prog_abc123",
"nav_ratio": 1.0002,
"nav_status": "healthy",
"nav_threshold_warning": 1.005,
"nav_threshold_critical": 1.01,
"last_reconciliation_at": "2025-04-07T06:00:00Z",
"variance_percent": 0.02,
"variance_amount": "3094.00",
"currency": "PHP",
"investigation_cases": {
"open": 1,
"resolved": 45,
"oldest_open_case_date": "2025-04-05T14:30:00Z"
},
"obligation_ledger_summary": {
"total_entries": 89234,
"total_obligations_issued": "15470000.00",
"total_obligations_settled": "14230000.00",
"total_obligations_pending": "1240000.00",
"last_entry_at": "2025-04-07T09:55:00Z"
},
"stellar_network_status": {
"last_ledger_synced": 52341892,
"sync_lag_seconds": 3,
"pending_on_chain_transactions": 2,
"failed_on_chain_transactions_24h": 0
}
}Audit log access (Auditor roles only).
Query Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| date_from | date-time | Yes | Start of audit log range |
| date_to | date-time | Yes | End of audit log range |
| event_type | string | No | Filter by event type |
| user_id | string | No | Filter by actor ID (hashed) |
| resource_type | string | No | Filter by resource type (beneficiary, transaction, voucher, policy) |
| page | integer | No | Page number |
| page_size | integer | No | Records per page (max 1000 for audit logs) |
Generate data export.
Path Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| export_type | string | Yes | One of: beneficiaries_csv, transactions_csv, reconciliation_csv, audit_log_json, program_report_pdf, full_program_json |
Response:
{
"export_id": "exp_xyz789",
"program_id": "prog_abc123",
"export_type": "transactions_csv",
"status": "pending",
"requested_at": "2025-04-07T10:00:00Z",
"requested_by": "user_hashed_abc",
"estimated_completion": "2025-04-07T10:05:00Z",
"download_url": null,
"expires_at": null,
"file_size_bytes": null,
"record_count": null,
"parameters": {
"date_from": "2025-01-01T00:00:00Z",
"date_to": "2025-04-07T23:59:59Z",
"include_fields": ["transaction_id", "beneficiary_id_hash", "amount", "timestamp", "status", "vendor_id", "asset_type"]
}
}Export Completion Webhook:
{
"event": "export.completed",
"export_id": "exp_xyz789",
"status": "ready",
"completed_at": "2025-04-07T10:04:32Z",
"download_url": "https://api.agrifinance.gov/exports/exp_xyz789/download?token=<presigned_url>",
"expires_at": "2025-04-14T10:04:32Z",
"file_size_bytes": 52428800,
"record_count": 89234,
"checksum_sha256": "a1b2c3d4e5f6..."
}For government agencies with legacy systems that cannot integrate via real-time API, a batch ingestion pipeline supports file-based data exchange.
| Ingestion Type | Format | Frequency | Processing SLA | Validation Steps | Error Handling |
|---|---|---|---|---|---|
| Beneficiary enrollment list | CSV (UTF-8, SFTP/S3 upload) | Per disbursement cycle | 4 hours from receipt | Schema validation, duplicate check against MDM golden record, KYC tier assessment, sanctions screening | Reject file on schema error, per-row rejection on validation failure, error report returned within SLA |
| Budget tranche allocation | CSV/JSON | Per budget cycle | 2 hours from receipt | Amount validation against program budget ceiling, arithmetic verification, authorization check | Reject on amount exceeds budget, error report with line numbers |
| Merchant accreditation list | CSV | Monthly | 8 hours from receipt | Vendor identity verification, TIN validation, business permit check, whitelist update | Per-row rejection for vendors failing verification |
| LGU beneficiary updates | CSV/S3 | Quarterly | 24 hours from receipt | Cross-reference with MDM golden record, conflict resolution per hierarchy rules, change tracking | Per-row conflict flagged for manual review |
| Disaster relief beneficiary list | CSV (emergency channel) | As needed | 1 hour from receipt (expedited) | Minimal validation: identity presence, duplicate check, Tier 0 onboarding, deferred full KYC within 30 days | Expedited error handling, program activation on partial data with flag |
| Reconciliation data from anchor bank | CSV/MT940 | Daily | 2 hours from receipt | Transaction matching, balance verification, NAV calculation, variance detection | Variance investigation triggered, automated alert to finance team |
| PhilSys verification results | XML/SOAP (PSA integration) | Per KYC submission | Real-time (sync) / 1 hour (async) | Response validation, match score assessment, confidence threshold check | Retry on timeout, fallback to manual verification queue |
Batch Ingestion Pipeline Architecture:
┌──────────────────────────────────────────────────────────────────────┐
│ BATCH INGESTION PIPELINE │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ Ingestion Point │
│ ├── SFTP Server (government agency push) │
│ ├── S3 Bucket Upload (presigned URL, time-limited) │
│ └── API POST endpoint (for JSON payloads) │
│ │
│ Processing Stages │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Stage 1: Receipt & Validation │ │
│ │ ├── File integrity check (SHA-256 checksum verification) │ │
│ │ ├── Schema validation (header, column types, required fields) │ │
│ │ ├── Encoding verification (UTF-8, no BOM) │ │
│ │ └── Size validation (max 500MB per file) │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Stage 2: Data Processing │ │
│ │ ├── Row-by-row parsing and type coercion │ │
│ │ ├── MDM golden record deduplication (fuzzy matching + exact) │ │
│ │ ├── Business rule validation (KYC tier, eligibility criteria) │ │
│ │ ├── AMLC sanctions screening (real-time API) │ │
│ │ └── Conflict resolution (last-write-wins or manual queue) │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Stage 3: Commit & Notification │ │
│ │ ├── Atomic commit of validated records │ │
│ │ ├── Audit log entries for all changes │ │
│ │ ├── Obligation Ledger updates (for budget/disbursement data) │ │
│ │ ├── Notification webhook to submitting agency │ │
│ │ └── Error report generation (per-row failures with reasons) │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │
│ Monitoring & Alerting │
│ ├── Pipeline health dashboard (Grafana) │
│ ├── SLA breach alerts (PagerDuty) │
│ ├── Data quality metrics (Great Expectations) │
│ └── Dead letter queue for unprocessable records │
│ │
└──────────────────────────────────────────────────────────────────────┘
Batch File Schema (Beneficiary Enrollment CSV):
beneficiary_id,last_name,first_name,middle_name,birth_date,sex,philsys_id,barangay,municipality,province,region,program_tier,kyc_documents,contact_phone,enrollment_date,disbursement_amount,disbursement_frequency
BEN-2025-00001,Dela Cruz,Juan,Santos,1985-03-15,M,1234-5678-9012-3456,San Roque,Puerto Princesa,Palawan,MIMAROPA,2,birth_certificate,marriage_certificate,09171234567,2025-01-15,1000.00,monthlyColumn Specifications:
| Column | Type | Required | Format | Notes |
|---|---|---|---|---|
| beneficiary_id | string | Yes | BEN-YYYY-NNNNN | Unique within program. If absent, auto-generated. |
| last_name | string | Yes | Alphabetic + space, hyphen | Filipino naming conventions supported |
| first_name | string | Yes | Alphabetic + space, hyphen | |
| middle_name | string | No | Alphabetic + space, hyphen | Mother's maiden surname per Filipino convention |
| birth_date | date | Yes | YYYY-MM-DD | Must be valid date, age >= 18 |
| sex | string | Yes | M/F/X | |
| philsys_id | string | No | 16-digit numeric | PhilSys National ID number |
| barangay | string | Yes | Alphabetic | |
| municipality | string | Yes | Alphabetic | City/municipality |
| province | string | Yes | Alphabetic | PSA standard province names |
| region | string | Yes | PSA region code | MIMAROPA, Region VI, etc. |
| program_tier | integer | Yes | 0-3 | KYC tier level for program |
| kyc_documents | string | Yes | Comma-separated document codes | List of submitted KYC documents |
| contact_phone | string | No | Philippine mobile format | 09XX-XXX-XXXX |
| enrollment_date | date | Yes | YYYY-MM-DD | Date of program enrollment |
| disbursement_amount | decimal | Yes | PHP, 2 decimal places | Amount per disbursement cycle |
| disbursement_frequency | string | Yes | monthly/quarterly/one-time | Disbursement schedule |
Manual override workflows address edge cases where automated processing cannot accommodate operational realities specific to Philippine government programs.
| Workflow | Description | Trigger Conditions | Authorization | Audit Trail | SLA |
|---|---|---|---|---|---|
| TESDA-style exception queue | Beneficiaries with incomplete documentation flagged for deferred verification. Allows program participation while KYC documentation is being completed. Common in rural areas where document procurement requires travel to municipal centers. | KYC tier assessment fails to reach minimum required tier due to missing secondary documents (secondary ID, proof of billing, barangay clearance). Beneficiary has at least primary identity document (PhilSys, birth certificate, passport). | Enrollment Officer (creates exception) + DPO (approves data risk). Exception requires documented reason and 48-hour resolution target. | Logged with: exception_id, beneficiary_id_hash, reason, authorizing_officer, timestamp, resolution_deadline, resolution_status. Exception status visible in beneficiary record. | 48-hour resolution SLA. If not resolved: automatic escalation to Program Administrator. 72-hour maximum: automatic suspension if no resolution. |
| Disaster relief adjustment | Emergency program activation for typhoon, drought, volcanic eruption, or other disaster-affected areas. Expedited enrollment and disbursement to affected populations. | PAGASA weather advisory, NDRRMC declaration, or DA Secretary determination of disaster-affected area. Program scope expanded to include disaster-affected geographic areas. | Program Administrator + DA Secretary (or delegated authority). Emergency declaration triggers pre-authorized workflow with reduced approval chain. | Logged with: emergency_id, disaster_type, affected_areas, authorization_chain, timestamp, Obligation Ledger tagged with emergency_program flag. All emergency transactions separately auditable. |
4-hour program activation target from disaster declaration. Enrollment within 24 hours of beneficiary registration. |
| LGU data correction | LGU submits corrected beneficiary data to override stale records in MDM golden record. Addresses data quality issues from outdated LGU civil registry records. | LGU identifies discrepancy between platform records and current LGU records (address change, name correction, death registration, new household members). | LGU Officer (submits correction) + MDM conflict resolution engine (automated). Conflicts exceeding automated resolution routed to Enrollment Officer for manual decision. | Logged with: correction_id, original_values, corrected_values, source_lgu, authorizing_officer, timestamp, conflict_resolution_method. Full data lineage chain preserved. Data lineage queryable via audit API. | 24-hour correction processing for non-conflicting data. 72-hour for conflicts requiring manual resolution. |
| Emergency enrollment | Rapid enrollment during crisis situations where standard KYC cannot be completed. Used for immediate relief distribution. | Crisis situation requiring immediate beneficiary enrollment. Standard KYC processing would create unacceptable delay in relief distribution. | Enrollment Officer (expedited authority). Emergency enrollment requires supervisor notification within 4 hours and full KYC completion within 30 days. | Logged with: emergency_enrollment_id, beneficiary_id_hash, enrollment_officer, timestamp, kyc_deferral_reason, full_kyc_deadline (30 days from enrollment). Separate emergency enrollment registry monitored by DPO. | Enrollment within 1 hour. Full KYC completion within 30 days. If KYC not completed: automatic account suspension with 7-day grace period. |
| Budget override | Emergency budget increase for program when disbursement needs exceed allocated tranche. Used during disaster response or program expansion. | Program disbursement requests exceed available budget tranche. Emergency need identified by program administrator. | Program Administrator + DA Finance Service + DBM representative (for national programs). LGU programs require LGU budget officer authorization. | Logged with: override_id, original_budget, increased_budget, increase_amount, authorization_chain, timestamp, justification. Obligation Ledger updated with new budget ceiling. | 24-hour processing for emergency increases. 72-hour for standard increases. |
| Vendor emergency accreditation | Expedited vendor onboarding during disaster relief or emergency program expansion. Allows vendors to accept program payments before full accreditation. | Disaster area lacks sufficient accredited vendors. Emergency vendor needed to serve beneficiary population. Standard accreditation timeline would create access gap. | Program Administrator + Vendor Management Officer. Minimum verification: business registration, location verification, tax identification. Full accreditation deferred within 30 days. | Logged with: emergency_vendor_id, vendor_id, location, authorizing_officer, timestamp, full_accreditation_deadline. Emergency vendors flagged in vendor registry. | 2-hour emergency accreditation. Full accreditation within 30 days. |
Authentication Model:
┌──────────────────────────────────────────────────────────────────────┐
│ API AUTHENTICATION FLOW │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ Government User / System │
│ │ │
│ │ 1. Auth request to /oauth/authorize │
│ ▼ │
│ ┌────────────────────────┐ │
│ │ OAuth 2.0 Server │ │
│ │ (Keycloak / Okta) │ │
│ └────────────────────────┘ │
│ │ │
│ │ 2. Redirect to Government SSO │
│ ▼ │
│ ┌────────────────────────┐ │
│ │ Government SSO │ │
│ │ (SAML 2.0 / OIDC) │ │
│ │ DepEd SSO / DSWD SSO │ │
│ │ LGU Active Directory │ │
│ └────────────────────────┘ │
│ │ │
│ │ 3. SAML assertion / OIDC tokens │
│ ▼ │
│ ┌────────────────────────┐ │
│ │ OAuth 2.0 Server │ │
│ │ (token exchange) │ │
│ └────────────────────────┘ │
│ │ │
│ │ 4. Access token + refresh token │
│ ▼ │
│ ┌────────────────────────┐ │
│ │ Agrifinance API │ │
│ │ Gateway (Kong/ │ │
│ │ AWS API Gateway) │ │
│ └────────────────────────┘ │
│ │ │
│ │ 5. JWT validation, role extraction, scope enforcement │
│ ▼ │
│ ┌────────────────────────┐ │
│ │ Backend Services │ │
│ └────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────┘
Authentication Specifications:
| Component | Specification | Notes |
|---|---|---|
| Authentication protocol | OAuth 2.0 Authorization Code Flow with PKCE | PKCE required for all clients including confidential clients (prevents authorization code interception) |
| Government SSO integration | SAML 2.0 or OIDC, per agency preference | SAML for agencies with existing SAML infrastructure; OIDC for modern agencies |
| Access token format | JWT (RS256 signed) | Includes: sub, iss, aud, exp, iat, roles, program_scope, consent_reference |
| Access token expiry | 1 hour | Short-lived to minimize exposure window |
| Refresh token expiry | 24 hours | Requires re-authentication after expiry. Refresh token rotation enforced. |
| Refresh token rotation | Yes (one-time use) | Old refresh token invalidated on each use. Detects token replay attacks. |
| API key (programmatic) | 256-bit random, base64-encoded | Rotated every 90 days. Stored as bcrypt hash server-side. |
| Mutual TLS | Required for agency-to-agency service accounts | Certificate pinning, certificate rotation every 12 months |
| Rate limiting | Per-client, per-endpoint | Sliding window algorithm. Burst allowance of 20% over base rate. |
| Audit logging | All authentication events logged | login, logout, token_refresh, token_expired, auth_failure, rate_limit_exceeded |
Token Payload Schema:
{
"sub": "user_hashed_abc123",
"iss": "https://auth.agrifinance.gov",
"aud": "https://api.agrifinance.gov",
"exp": 1712487600,
"iat": 1712484000,
"jti": "token_uuid_123",
"roles": ["program_analyst"],
"program_scope": ["prog_abc123", "prog_def456"],
"agency": "DA",
"consent_reference": {
"consent_registry_url": "https://api.agrifinance.gov/consent",
"consent_check_required": true
},
"session_id": "session_uuid_456",
"source_ip": "203.177.x.x",
"mfa_verified": true
}| Role | Scope | Permissions | Rate Limit | Token Claims |
|---|---|---|---|---|
| Program Administrator | Full program data for assigned programs | Read all beneficiary, transaction, and program data. Create/manage program configurations. Initiate disbursements. Export data. View reconciliation reports. | 1,000 req/hour | role: program_admin, programs: [ids], permissions: [read, write, export, disburse] |
| Program Analyst | Assigned program subset | Read aggregated and individual data for analysis. Export capability with data classification limits. Cannot modify program configuration or initiate disbursements. | 500 req/hour | role: program_analyst, programs: [ids], permissions: [read, export] |
| Auditor (internal government) | All programs (read-only) | Read any program data across all programs. Audit log access. Export capability. Cannot modify any data. Full reconciliation report access. | 200 req/hour | role: auditor_internal, programs: ["*"], permissions: [read, export, audit_log] |
| Auditor (external/COA) | All programs (read-only) | Same as internal auditor, with audit trail full access including event signatures and chain verification data. Access to Obligation Ledger raw entries. | 200 req/hour | role: auditor_external, programs: ["*"], permissions: [read, export, audit_log_full] |
| BI Dashboard User | Aggregated data only | Read pre-computed dashboards. No individual record access. Pre-aggregated data with k-anonymity threshold (minimum 10 records per aggregation). No export of disaggregated data. | 100 req/hour | role: bi_dashboard, programs: [ids], permissions: [read_aggregated] |
| Finance Officer | Disbursement data only | Read disbursement schedules, execution status, reconciliation reports. NAV history. Reserve attestation reports. Cannot modify disbursement parameters. | 500 req/hour | role: finance_officer, programs: [ids], permissions: [read_financial] |
| Regulator (BSP/AMLC) | All programs (read-only) | Full read access across all programs. Export capability. Audit log access. Compliance report access. STR/CTR filing status. Reserve attestation verification. No rate limit for regulated queries. | Unlimited (regulated) | role: regulator, agency: "BSP/AMLC", programs: ["*"], permissions: [read_all, export, audit_log, compliance] |
| Regulator (NPC) | Privacy compliance data | Consent records. DSR processing status. Breach reports. Data retention compliance. Privacy Impact Assessments. DPO correspondence. No personal data access without legal authority. | Unlimited (regulated) | role: regulator, agency: "NPC", programs: ["*"], permissions: [read_privacy, export] |
| LGU Officer | LGU-jurisdiction only | Read program data for beneficiaries and transactions within LGU geographic jurisdiction. Cannot access data from other LGU areas. Submit data corrections. | 200 req/hour | role: lgu_officer, jurisdiction: [province, municipality], programs: [ids], permissions: [read_jurisdiction, submit_correction] |
| Enrollment Officer | Beneficiary enrollment operations | Create/update beneficiary records. Process KYC tier changes. Manage exception queue. Cannot access transaction data or financial reports. | 500 req/hour | role: enrollment_officer, programs: [ids], permissions: [read_beneficiary, write_beneficiary, exception_queue] |
Permission Inheritance:
- Roles do not inherit from other roles (flat permission model)
- Users can be assigned multiple roles; effective permissions = union of all assigned roles
- Most restrictive scope always applies (e.g., user with
program_adminfor prog_A andprogram_analystfor prog_B cannot access prog_C) - Emergency role escalation available with time-bounded tokens (max 4 hours, requires supervisor authorization)
Every API request for individual beneficiary data includes a consent verification step. This ensures that personal data is only accessed when there is a valid, active consent record or other lawful basis.
Consent Verification Flow:
API Request (individual beneficiary data)
│
▼
API Gateway intercepts request
│
▼
Extract consent_reference from request headers
│
▼
Query Consent Registry:
- consent_id exists?
- consent is active (not revoked, not expired)?
- consent purpose_code matches API request purpose?
- consent covers the requested data subject?
│
├── YES → Proceed with request, attach consent metadata to response
│
└── NO → Return 403 Forbidden with consent_revoked error
└── If consent was revoked by data subject:
- Log as access.consent_revoked event
- Notify DPO if access attempt was by government agency
Consent Reference in API Request:
{
"headers": {
"Authorization": "Bearer <jwt_token>",
"X-Consent-ID": "consent_uuid_here",
"X-Consent-Purpose": "P004",
"X-Request-Trace-ID": "request_uuid_here"
}
}Consent Verification Response Header:
{
"headers": {
"X-Consent-Verified": "true",
"X-Consent-ID": "consent_uuid_here",
"X-Consent-Purpose": "P004",
"X-Consent-Given-At": "2025-01-15T08:30:00Z",
"X-Consent-Expiry": "2026-01-15T08:30:00Z"
}
}403 Consent Revoked Response:
{
"error": {
"code": "consent_revoked",
"message": "Access to individual beneficiary data is denied. The data subject has revoked consent for this purpose.",
"details": {
"consent_id": "uuid",
"purpose_code": "P004",
"consent_revoked_at": "2025-04-05T14:22:00Z",
"revoked_by": "data_subject",
"alternative_access": "Submit DSR to DPO or request consent re-authorization from data subject"
}
}
}Consent Purpose Codes:
| Code | Purpose | Data Scope |
|---|---|---|
| P001 | KYC/Identity verification | Full identity data |
| P002 | Transaction processing | Transaction data |
| P003 | Disbursement execution | Beneficiary + transaction data |
| P004 | Program administration (individual) | Full beneficiary profile |
| P005 | Program administration (aggregated) | Aggregated data only (no consent required) |
| P006 | Compliance/AML screening | Full identity + transaction data |
| P007 | Analytics and research (anonymized) | Anonymized data (no consent required) |
| P008 | Direct communication | Contact information |
Aggregated Data Access Exemption:
Requests for aggregated data (pre-computed dashboards, summary statistics, k-anonymous reports with threshold >= 10) do not require individual consent verification. These endpoints are identified by /aggregated/ path prefix and bypass consent checks.
Every action in the platform is recorded as an immutable event using event sourcing architecture. This provides a complete, cryptographically verifiable record of all system activity.
Audit Log Event Schema:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Audit Log Event",
"type": "object",
"required": [
"event_id", "event_type", "aggregate_id", "aggregate_type",
"timestamp", "actor_id", "actor_role", "payload",
"signature", "previous_event_hash", "source_ip", "session_id"
],
"properties": {
"event_id": {
"type": "string",
"format": "uuid",
"description": "Unique event identifier (ULID for time-sortable)"
},
"event_type": {
"type": "string",
"description": "Categorized event type (e.g., user.created, transaction.completed)",
"pattern": "^[a-z_]+\\.[a-z_]+$"
},
"aggregate_id": {
"type": "string",
"description": "Entity this event relates to (beneficiary_id, transaction_id, etc.)"
},
"aggregate_type": {
"type": "string",
"enum": ["beneficiary", "transaction", "voucher", "policy", "program", "treasury", "compliance", "system", "access"],
"description": "Type of aggregate entity"
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "When the event occurred (ISO-8601, UTC)"
},
"actor_id": {
"type": "string",
"description": "Who/what triggered the event (hashed user_id, system identifier)"
},
"actor_role": {
"type": "string",
"description": "Role of the actor at time of event"
},
"payload": {
"type": "object",
"description": "Event-specific data (varies by event_type)"
},
"signature": {
"type": "string",
"description": "Ed25519 cryptographic signature of event payload (base64-encoded)"
},
"signing_key_id": {
"type": "string",
"description": "Identifier of the key used for signing (for key rotation tracking)"
},
"previous_event_hash": {
"type": "string",
"description": "SHA-256 hash of the previous event for chain integrity verification"
},
"source_ip": {
"type": "string",
"format": "ipv4|ipv6",
"description": "IP address of request origin"
},
"session_id": {
"type": "string",
"format": "uuid",
"description": "Session identifier for request correlation"
},
"consent_id": {
"type": ["string", "null"],
"format": "uuid",
"description": "Related consent reference (if applicable)"
},
"obligation_ref": {
"type": ["string", "null"],
"description": "Related Obligation Ledger entry reference"
},
"request_id": {
"type": ["string", "null"],
"format": "uuid",
"description": "API request ID for correlation"
},
"program_id": {
"type": ["string", "null"],
"description": "Program this event relates to"
}
}
}Chain Integrity Verification:
The audit log forms a cryptographically linked chain:
- Each event includes the SHA-256 hash of the previous event
- The first event in each chain has
previous_event_hash: null(genesis event) - Chain verification:
SHA-256(event_n-1) == event_n.previous_event_hash - Any tampering breaks the chain, making unauthorized modification detectable
- Chain verification is performed daily by automated integrity checker
- Chain verification results logged and reported to DPO weekly
Complete catalog of all event types recorded in the audit log.
| Event Category | Event Types | Description | Sensitive Data in Payload |
|---|---|---|---|
| Identity | user.created |
New beneficiary account created | Yes (hashed identifiers only) |
user.kyc_upgraded |
KYC tier increased with new verification level | No | |
user.kyc_downgraded |
KYC tier decreased (verification expired or revoked) | No | |
user.suspended |
Account suspended (compliance, fraud, or administrative) | No | |
user.closed |
Account closed by user or administrator | No | |
user.consent_given |
Consent record created | No (consent metadata only) | |
user.consent_revoked |
Consent record revoked | No | |
user.profile_updated |
Profile data modified | Yes (field names only, not values) | |
| Transaction | transaction.initiated |
Transaction request created | Yes (amount, asset type, hashed counterparties) |
transaction.authorized |
Transaction authorized by required parties | No | |
transaction.completed |
Transaction settled on-chain and in Obligation Ledger | Yes (amount, asset type, hashed counterparties) | |
transaction.failed |
Transaction failed (insufficient funds, network error, etc.) | No | |
transaction.reversed |
Transaction reversed (error, fraud, or compliance action) | Yes (reversal reason, amounts) | |
transaction.claimed |
Stellar anchor claim processed | No | |
| Voucher | voucher.issued |
Voucher created and assigned to beneficiary | Yes (voucher type, amount, hashed beneficiary) |
voucher.redeemed |
Voucher redeemed at accredited vendor | Yes (vendor_id, amount, timestamp) | |
voucher.expired |
Voucher expired without redemption | No | |
voucher.burned |
Voucher burned (program termination, policy change) | No | |
voucher.clawed_back |
Voucher clawed back to program pool | Yes (reason, amount) | |
| Policy | policy.created |
New voucher policy defined | No |
policy.updated |
Existing policy modified | No (diff of changes) | |
policy.deployed |
Policy deployed to production | No | |
policy.rolled_back |
Policy rolled back to previous version | No (rollback reason) | |
| Compliance | compliance.screening_completed |
AMLC screening result recorded | No (hit/non-hit only) |
compliance.flag_raised |
Compliance flag created | Yes (flag reason, risk level) | |
compliance.flag_cleared |
Compliance flag resolved | No (resolution reason) | |
compliance.ctr_filed |
Currency Transaction Report filed with AMLC | No (filing reference only) | |
compliance.str_filed |
Suspicious Transaction Report filed with AMLC | Yes (STR reference, no details in audit log) | |
compliance.freeze_executed |
Account or transaction frozen by compliance | Yes (freeze reason, duration) | |
| Treasury | treasury.nav_calculated |
Net Asset Value calculated | No (NAV value, timestamp) |
treasury.variance_detected |
NAV variance exceeds threshold | Yes (variance amount, percentage) | |
treasury.variance_resolved |
NAV variance investigated and resolved | No (resolution description) | |
treasury.buffer_adjusted |
Reserve buffer adjusted | No | |
treasury.attestation_completed |
Independent reserve attestation completed | No | |
treasury.emergency_activated |
Emergency Settlement Protocol activated | Yes (activation reason) | |
| Access | access.login |
User login successful | No (user_id hashed, IP, device) |
access.logout |
User logout | No | |
access.token_refreshed |
OAuth token refreshed | No | |
access.api_call |
API call logged | No (endpoint, status code) | |
access.unauthorized_attempt |
Unauthorized access attempt detected | Yes (attempted resource, actor) | |
| Admin | admin.user_created |
Admin user created | No |
admin.role_changed |
User role modified | No (old role, new role) | |
admin.settings_changed |
System settings modified | No (setting name, diff) | |
admin.data_exported |
Data export generated | No (export type, record count) | |
admin.data_deleted |
Data deleted per retention schedule | No (data category, record count, hashed IDs) | |
| System | system.deployed |
System deployment completed | No (version, commit hash) |
system.config_changed |
Configuration changed | No (config key, no values) | |
system.backup_completed |
Backup completed | No | |
system.incident_opened |
Security incident opened | Yes (incident severity) | |
system.incident_resolved |
Security incident resolved | No | |
| Emergency | emergency.protocol_activated |
Emergency Settlement Protocol activated | Yes (activation reason, authorizing officer) |
emergency.payout_executed |
Emergency manual payout processed | Yes (amount, hashed beneficiary) | |
emergency.payout_bound |
Emergency payout bound to Obligation Ledger | No (binding hash) | |
emergency.protocol_concluded |
Emergency protocol deactivated | No (conclusion summary) |
All API requests and responses are cryptographically signed to ensure integrity and non-repudiation.
Request Signing Process:
1. Construct canonical request:
HTTP_METHOD + "\n" +
URI + "\n" +
CanonicalQueryString + "\n" +
CanonicalHeaders + "\n" +
HashedPayload (SHA-256)
2. Construct string to sign:
"AGRIFINANCE-ED25519" + "\n" +
ISO-8601 timestamp + "\n" +
SHA-256(canonical_request)
3. Sign string with Ed25519 private key
4. Include in request headers:
X-Request-Signature: <base64_signature>
X-Request-Timestamp: <ISO-8601>
X-Request-Nonce: <random_string>
X-Request-Key-ID: <signing_key_identifier>
Response Signing Process:
1. Construct canonical response:
StatusCode + "\n" +
CanonicalResponseHeaders + "\n" +
HashedPayload (SHA-256)
2. Construct string to sign:
"AGRIFINANCE-ED25519" + "\n" +
ISO-8601 timestamp + "\n" +
SHA-256(canonical_response) + "\n" +
RequestHash (SHA-256 of original request)
3. Sign string with Ed25519 private key (server key)
4. Include in response headers:
X-Response-Signature: <base64_signature>
X-Response-Timestamp: <ISO-8601>
X-Request-Hash: <sha256_of_request>
X-Response-Key-ID: <signing_key_identifier>
Verification Rules:
- Signature verified before processing (request) and before consumption (response)
- Timestamp checked: request must be within 5 minutes of server time (prevents replay)
- Nonce checked: replay detected if same nonce + key combination seen within time window
- Signature verification failure logged as
access.unauthorized_attemptevent - Failed verification returns HTTP 401 with
signature_invaliderror code - Signing keys rotated every 90 days; old keys accepted during 24-hour grace period
| Specification | Detail |
|---|---|
| Encoding | UTF-8 with BOM (for Excel compatibility) |
| Delimiter | Comma (,) |
| Quoting | Fields containing commas, quotes, or newlines quoted with double quotes |
| Quote character | Double quote (") |
| Escape character | Double double-quote ("") within quoted fields |
| Header row | Required, column names as defined in data dictionary |
| Date format | ISO-8601 (YYYY-MM-DDTHH:MM:SSZ) |
| Numeric format | Standard decimal, no thousands separator, 2 decimal places for currency |
| Null handling | Empty string for null values |
| File naming | {program_id}_{category}_{date_from}_{date_to}.csv |
| Maximum file size | 1 GB per file (split into multiple files if exceeded) |
| Accompanying document | Data dictionary (column descriptions, valid values, format specifications) |
Example CSV (transactions):
transaction_id,beneficiary_id_hash,transaction_type,asset_type,amount,currency,timestamp,status,vendor_id_hash,program_id
txn_abc123,sha256:xyz789,redemption,rice_voucher,500.00,PHP,2025-04-07T08:30:00Z,completed,vendor_def456,prog_abc123| Specification | Detail |
|---|---|
| Format | JSON Lines (JSONL) - one JSON object per line, UTF-8 |
| Encoding | UTF-8 without BOM |
| Line ending | LF (\n) |
| Nested structures | Flattened using dot notation for nested keys |
| Arrays | Serialized as JSON array within flattened structure |
| Null handling | JSON null value |
| Date format | ISO-8601 (YYYY-MM-DDTHH:MM:SSZ) |
| File naming | {program_id}_{category}_{date_from}_{date_to}.jsonl |
| Accompanying document | JSON Schema file defining structure, types, and constraints |
Example JSONL (audit log):
{"event_id":"evt_001","event_type":"transaction.completed","aggregate_id":"txn_abc123","aggregate_type":"transaction","timestamp":"2025-04-07T08:30:00Z","actor_id":"beneficiary_hashed_123","actor_role":"beneficiary","payload":{"amount":"500.00","currency":"PHP","asset_type":"rice_voucher"},"signature":"base64sig...","previous_event_hash":"sha256prev..."}| Specification | Detail |
|---|---|
| Format | PDF/A-2b (archival PDF) |
| Font | Embedded fonts (Noto Sans for Latin, Noto Sans CJK for Filipino characters) |
| Color space | sRGB |
| Metadata | Title, author, subject, keywords embedded in PDF metadata |
| Digital signature | Ed25519 signature embedded in PDF signature field, with platform certificate chain |
| Structure | Table of contents with clickable bookmarks, numbered pages, header/footer with report metadata |
| Content | Executive summary, data tables with pagination, charts/graphs (vector graphics), appendix with methodology notes |
| File naming | {program_id}_{report_type}_{date_from}_{date_to}.pdf |
| Accessibility | PDF/UA compliance (screen reader compatible) where feasible |
Annual Independent Security Assessment:
| Requirement | Detail |
|---|---|
| Assessment frequency | Annual, or upon material system change |
| Assessment firm | DPA-accredited security firm (NPC-recognized) |
| Conflict of interest | Firm must have no consulting relationship with platform. No financial interest in platform or its partners. |
| Assessment scope | Infrastructure security, application security, data privacy controls, access controls, encryption key management, incident response capability, business continuity |
| Assessment standards | ISO 27001, NIST CSF, BSP Circular 1071, NPC compliance framework |
| Assessment report | Submitted to DPO, CTO, and Board of Directors. Executive summary shared with government program sponsors. Full report available to regulators upon request. |
| Finding remediation | Critical findings: remediated within 30 days. High findings: remediated within 60 days. Medium findings: remediated within 90 days. Low findings: remediated within next release cycle. |
| Remediation tracking | All findings tracked in vulnerability management system with assigned owner, target date, and status. DPO receives weekly remediation status report. |
COA Examination Access:
| Access Component | Permission | Method |
|---|---|---|
| Audit log | Full read-only access, all programs, all event types | Dedicated auditor API credentials, event-sourced query with signature verification |
| Obligation Ledger | Full read-only access, all entries, all programs | Dedicated auditor API credentials, raw entry access |
| Reconciliation reports | Full read access | API access, CSV/PDF export |
| Beneficiary data (individual) | Read access with consent verification | API access, consent reference required |
| Beneficiary data (aggregated) | Read access without consent | Aggregated API endpoints |
| Transaction data (individual) | Read access with consent verification | API access, consent reference required |
| Transaction data (aggregated) | Read access without consent | Dashboard and summary API endpoints |
| Policy configurations | Full read access | API access, policy version history |
| Treasury/NAV data | Full read access | API access, NAV history, reserve attestation reports |
| Compliance reports | Full read access | API access, AMLC filing status, screening results |
| KYC records | Read access with consent/legal basis | API access, individual records require lawful basis documentation |
BSP Examination Access:
| Access Component | Permission | Additional Notes |
|---|---|---|
| All COA examination access | Yes | Includes all access granted to COA auditors |
| Reserve attestation reports | Full access | Current and historical attestation reports, anchor partner SLA compliance |
| NAV history | Full access | Complete NAV calculation history, variance investigation records |
| Anchor partner SLA compliance | Full access | SLA monitoring data, breach events, remediation actions |
| Treasury operations | Full access | Fund flow analysis, reserve management, liquidity monitoring |
| Stablecoin operations | Full access | Mint/burn history, collateral ratios, redemption processing |
| Risk management | Full access | Risk models, stress test results, risk metric history |
Audit Evidence Package (prepared annually for COA/BSP):
- System architecture documentation (infrastructure diagrams, data flow diagrams)
- Security assessment report (most recent independent assessment)
- Access control matrix (role definitions, permission assignments)
- Audit log sample with chain verification demonstration
- Data retention and deletion policy with evidence of enforcement
- Incident response plan with evidence of testing
- Business continuity plan with evidence of testing
- DPA compliance evidence (registered PIPS, DPO appointment, privacy notices)
- AMLA compliance evidence (AML program, compliance officer appointment, screening procedures)
- Obligation Ledger design documentation (event sourcing model, reconciliation methodology)
- Reserve attestation reports (most recent independent attestation)
- Risk assessment documentation (threat models, vulnerability assessments)
Incidents are classified by severity based on confirmed impact to personal data, system integrity, and regulatory compliance.
| Severity | Level | Description | Examples | Response SLA | Notification Requirements |
|---|---|---|---|---|---|
| Critical | S1 | Confirmed data breach, mass data exposure, active exploitation of production systems. Personal data of data subjects has been or is being compromised. | Database exposed publicly with no authentication. Attacker actively exfiltrating personal data. Ransomware encrypting production data. Auth bypass allowing unauthorized access to personal data. | 1 hour (Incident Response Team activated, containment initiated) | NPC within 72 hours of awareness. Affected data subjects within 72 hours. Board of Directors immediately. Government program sponsors within 24 hours. BSP/AMLC if financial data affected. |
| High | S2 | Suspected breach with credible evidence, significant data integrity issue, or security control failure that could lead to data exposure. | Anomalous access patterns indicating potential unauthorized access. Data integrity discrepancy suggesting unauthorized modification. Security control (WAF, IDS) failure in production. Insider threat indicator with credible evidence. | 4 hours (Incident Response Team activated, preliminary assessment completed) | DPO immediately. CTO immediately. Legal counsel within 4 hours. NPC if assessment confirms breach. Government program sponsors if program data potentially affected. |
| Medium | S3 | Security weakness identified with no confirmed data impact, but potential for exploitation if unaddressed. | Misconfigured access control with no evidence of exploitation. Expired TLS certificate (briefly). Third-party vulnerability disclosed with no current exploit evidence. Failed security control test (penetration test finding). | 8 hours (Security team assessment, DPO consultation) | Security team lead immediately. DPO within 8 hours if personal data potentially at risk. Remediation plan within 48 hours. |
| Low | S4 | Minor security observation with no direct impact to personal data or system security. | Log gap identified (monitoring blind spot). Documentation policy deviation. Minor configuration non-compliance. Expired internal certificate (non-production). | 24 hours (Security team review) | Security team lead within 24 hours. Remediation tracked in vulnerability management system. |
Severity Escalation Criteria:
- S3 escalates to S2 if evidence of exploitation discovered during assessment
- S2 escalates to S1 if breach is confirmed and personal data affected
- S1 de-escalates to S2 if initial assessment shows no personal data exposure
- All severity changes logged with justification and timestamp
- DPO notified of all severity changes
Per RA 10173 Section 20(f) and NPC Circular 2016-03 (Personal Data Breach Management), the platform must notify the National Privacy Commission within 72 hours of becoming aware of a personal data breach.
┌──────────────────────────────────────────────────────────────────────┐
│ 72-HOUR BREACH NOTIFICATION TIMELINE │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ T+0: BREACH DETECTION │
│ ├── Automated detection: Prometheus/Grafana alerts, IDS alerts, │
│ │ SIEM correlation rules, anomaly detection │
│ ├── Manual detection: User report, third-party notification, │
│ │ bug bounty submission, regulator notification │
│ ├── Incident ticket created with: │
│ │ - Incident ID (auto-generated) │
│ │ - Detection method │
│ │ - Initial severity assessment │
│ │ - Affected systems (preliminary) │
│ │ - Timestamp of detection │
│ └── On-call Incident Commander notified │
│ │
│ T+1 hour: INCIDENT RESPONSE TEAM ACTIVATION (S1/S2) │
│ ├── Incident Commander assumes command authority │
│ ├── Technical Lead begins technical investigation │
│ ├── DPO notified and begins compliance assessment │
│ ├── Legal counsel engaged │
│ ├── Communications Lead prepares internal notification │
│ └── Forensic analyst engaged (if retained firm) │
│ │
│ T+4 hours: INITIAL ASSESSMENT COMPLETED │
│ ├── Scope estimated: │
│ │ - Data categories potentially affected │
│ │ - Number of data subjects potentially affected │
│ │ - Time range of potential exposure │
│ │ - Attack vector identified (if applicable) │
│ ├── Containment measures implemented: │
│ │ - Isolate affected systems │
│ │ - Revoke compromised credentials │
│ │ - Activate circuit breakers if needed │
│ │ - Preserve forensic evidence │
│ └── Assessment report to Incident Commander │
│ │
│ T+12 hours: FORENSIC ANALYSIS INITIATED │
│ ├── Forensic image of affected systems captured │
│ ├── Chain of custody established │
│ ├── Attack timeline reconstruction initiated │
│ ├── Data exfiltration assessment (what data, how much, where to) │
│ ├── Indicator of Compromise (IOC) extraction │
│ └── Containment measures verified effective │
│ │
│ T+24 hours: NPC PRELIMINARY NOTIFICATION (S1/S2) │
│ ├── NPC notified via official breach notification channel │
│ ├── Preliminary notification includes: │
│ │ - Nature of the breach (what is known at this time) │
│ │ - Categories of data potentially affected │
│ │ - Estimated number of data subjects │
│ │ - Containment measures taken │
│ │ - DPO contact information │
│ │ - Commitment to formal notification within 72 hours │
│ └── Government program sponsors notified │
│ │
│ T+48 hours: AFFECTED USERS IDENTIFIED, NOTIFICATION DRAFTED │
│ ├── Affected data subjects positively identified │
│ ├── Notification drafted in Filipino and English │
│ ├── Notification reviewed by DPO and Legal counsel │
│ ├── Notification includes (per Section 5.4): │
│ │ - Description of breach in plain language │
│ │ - Types of personal data affected │
│ │ - Potential impact on data subject │
│ │ - Steps platform has taken │
│ │ - Steps data subject should take │
│ │ - DPO contact information │
│ │ - NPC complaint mechanism reference │
│ └── Delivery channels prepared (SMS, email, in-app, postal) │
│ │
│ T+72 hours: NPC FORMAL NOTIFICATION, AFFECTED USERS NOTIFIED │
│ ├── Formal NPC notification submitted with: │
│ │ - Complete nature and circumstances of breach │
│ │ - Categories and approximate number of affected data subjects │
│ │ - Categories and approximate number of affected records │
│ │ - Likely consequences of the breach │
│ │ - Measures taken or proposed to address the breach │
│ │ - DPO contact details │
│ │ - Timeline of discovery and response actions │
│ ├── Affected data subjects notified via prepared channels │
│ ├── DPO hotline activated for data subject inquiries │
│ └── Communications team monitors media and public response │
│ │
│ T+7 days: ROOT CAUSE ANALYSIS COMPLETED │
│ ├── Root cause determined and documented │
│ ├── Contributing factors identified │
│ ├── Impact assessment finalized │
│ └── Remediation plan drafted │
│ │
│ T+14 days: REMEDIATION PLAN SUBMITTED TO NPC │
│ ├── Detailed remediation plan submitted to NPC │
│ ├── Remediation plan includes: │
│ │ - Root cause │
│ │ - Corrective actions │
│ │ - Preventive measures │
│ │ - Timeline for implementation │
│ │ - Responsible parties │
│ └── Ongoing status reporting committed (monthly until resolved) │
│ │
│ T+30 days: POST-INCIDENT REVIEW COMPLETED │
│ ├── Post-incident review conducted with all stakeholders │
│ ├── Lessons learned documented │
│ ├── Policy and runbook updates identified │
│ ├── Training needs identified │
│ ├── Incident closure report approved by Incident Commander │
│ └── Final report filed, incident ticket closed │
│ │
└──────────────────────────────────────────────────────────────────────┘
Per RA 10173 Section 20(f) and NPC Circular 2016-03, the formal notification to the National Privacy Commission must include the following elements:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "NPC Breach Notification",
"type": "object",
"required": [
"notification_id", "submission_date", "incident_id",
"nature_of_breach", "affected_data_subjects", "affected_records",
"likely_consequences", "measures_taken", "dpo_contact",
"discovery_timeline", "status"
],
"properties": {
"notification_id": {
"type": "string",
"format": "uuid",
"description": "Unique identifier for this notification"
},
"submission_date": {
"type": "string",
"format": "date-time",
"description": "Date and time of notification submission"
},
"incident_id": {
"type": "string",
"description": "Internal incident reference"
},
"nature_of_breach": {
"type": "object",
"required": ["breach_type", "description", "discovery_method", "attack_vector"],
"properties": {
"breach_type": {
"type": "string",
"enum": ["confidentiality_breach", "integrity_breach", "availability_breach", "combined"],
"description": "Type of personal data breach"
},
"description": {
"type": "string",
"description": "Detailed description of what happened"
},
"discovery_method": {
"type": "string",
"description": "How the breach was discovered"
},
"attack_vector": {
"type": "string",
"description": "Method of attack or cause of breach (if known)"
},
"vulnerability_exploited": {
"type": "string",
"description": "Specific vulnerability that was exploited (if known)"
}
}
},
"affected_data_subjects": {
"type": "object",
"required": ["categories", "approximate_number"],
"properties": {
"categories": {
"type": "array",
"items": { "type": "string" },
"description": "Categories of affected data subjects (e.g., program beneficiaries, vendors, employees)"
},
"approximate_number": {
"type": "integer",
"minimum": 1,
"description": "Approximate number of affected data subjects"
},
"sensitive_personal_data": {
"type": "boolean",
"description": "Whether sensitive personal data (RA 10173 Sec. 3(l)) was affected"
},
"sensitive_data_description": {
"type": "string",
"description": "Description of sensitive personal data affected (if applicable)"
}
}
},
"affected_records": {
"type": "object",
"required": ["categories", "approximate_number"],
"properties": {
"categories": {
"type": "array",
"items": { "type": "string" },
"description": "Categories of affected personal data records"
},
"approximate_number": {
"type": "integer",
"minimum": 1,
"description": "Approximate number of affected records"
}
}
},
"likely_consequences": {
"type": "object",
"required": ["assessment", "risk_level"],
"properties": {
"assessment": {
"type": "string",
"description": "Assessment of likely consequences for data subjects"
},
"risk_level": {
"type": "string",
"enum": ["low", "medium", "high", "critical"],
"description": "Risk level to data subjects' rights and freedoms"
},
"potential_harms": {
"type": "array",
"items": { "type": "string" },
"description": "Specific potential harms (identity theft, financial fraud, discrimination, etc.)"
}
}
},
"measures_taken": {
"type": "object",
"required": ["containment", "remediation", "prevention"],
"properties": {
"containment": {
"type": "array",
"items": { "type": "string" },
"description": "Containment measures already taken"
},
"remediation": {
"type": "array",
"items": { "type": "string" },
"description": "Remediation measures taken or proposed"
},
"prevention": {
"type": "array",
"items": { "type": "string" },
"description": "Preventive measures to avoid recurrence"
},
"remediation_timeline": {
"type": "string",
"description": "Expected timeline for full remediation"
}
}
},
"dpo_contact": {
"type": "object",
"required": ["name", "email", "phone"],
"properties": {
"name": { "type": "string", "description": "Data Protection Officer name" },
"email": { "type": "string", "format": "email" },
"phone": { "type": "string" },
"address": { "type": "string", "description": "DPO mailing address" }
}
},
"discovery_timeline": {
"type": "array",
"items": {
"type": "object",
"required": ["timestamp", "event"],
"properties": {
"timestamp": { "type": "string", "format": "date-time" },
"event": { "type": "string", "description": "Event description" }
}
},
"description": "Chronological timeline of breach discovery and response actions"
},
"status": {
"type": "string",
"enum": ["preliminary", "formal", "supplemental", "final"],
"description": "Type of notification"
},
"previous_notification_id": {
"type": ["string", "null"],
"format": "uuid",
"description": "Reference to previous notification (for supplemental/final updates)"
}
}
}Notifications to affected data subjects must be clear, accessible, and actionable.
Notification Template (English):
IMPORTANT NOTICE: Personal Data Security Incident
Dear [Beneficiary Name],
We are writing to inform you about a security incident that may have affected
your personal data on the Agrifinance platform.
WHAT HAPPENED:
On [date], we discovered that [brief, non-technical description of the breach].
We immediately took steps to [containment actions taken].
WHAT INFORMATION WAS INVOLVED:
The following types of your personal data may have been affected:
- [List specific data types: e.g., name, contact information, PhilSys ID number]
- [Be specific; do not list unaffected data types]
WHAT THIS MEANS FOR YOU:
[Clear description of potential impact - no jargon, no minimizing]
WHAT WE ARE DOING:
- [Specific actions taken to address the breach]
- [Specific actions to prevent future occurrences]
- [Support we are offering: e.g., credit monitoring, dedicated hotline]
WHAT YOU CAN DO:
- [Specific, actionable steps the data subject should take]
- [Be practical and relevant to the type of data affected]
WHO TO CONTACT:
If you have questions or concerns, please contact our Data Protection Officer:
- Phone: [DPO hotline number]
- Email: [dpo@agrifinance.gov.ph]
- Hours: [operating hours]
You also have the right to file a complaint with the National Privacy Commission:
- Website: privacy.gov.ph
- Phone: (02) 8928-1111
- Email: complaints@privacy.gov.ph
We sincerely apologize for this incident and any inconvenience it may cause.
Sincerely,
The Agrifinance Team
Notification Template (Filipino):
MAHALAGANG PAUNAWA: Insidente ng Seguridad ng Personal na Datos
Mahal na [Pangalan ng Benepisyaryo],
Isinusulat namin ito upang ipaalam sa inyo tungkol sa isang insidente ng seguridad
na maaaring nakaapekto sa inyong personal na datos sa Agrifinance platform.
ANO ANG NANGYARI:
Sa [petsa], natuklasan namin na [maikling paglalarawan ng insidente].
Agad kumilos ang aming koponan upang [mga hakbang na ginawa].
ANONG IMPORMASYON ANG KASANGKOT:
Ang mga sumusunod na uri ng inyong personal na datos ay maaaring nakaapekto:
- [Tiyak na uri ng datos]
ANO ANG IBIG SABIHIN NITO PARA SA INYO:
[Malinaw na paglalarawan ng posibleng epekto]
ANO ANG GINAGAWA NAMIN:
- [Mga tiyak na hakbang]
- [Mga hakbang upang maiwasan ang ganitong pangyayari sa hinaharap]
ANO ANG MAAARI NYONG GAWIN:
- [Mga tiyak na hakbang na dapat gawin]
SAAN MAKIPAG-UGNAYAN:
Kung mayroon kayong mga katanungan, makipag-ugnayan sa aming Data Protection Officer:
- Telepono: [DPO hotline number]
- Email: [dpo@agrifinance.gov.ph]
Maaari kayong magsumite ng reklamo sa National Privacy Commission:
- Website: privacy.gov.ph
- Telepono: (02) 8928-1111
Lubos kaming humihingi ng paumanhin sa insidenteng ito.
Lubos na gumagalang,
Ang Agrifinance Team
During incident response, enhanced forensic logging is activated to preserve evidence for potential legal proceedings.
Forensic Logging Requirements:
| Requirement | Specification |
|---|---|
| Scope | All actions taken by Incident Response Team members during the investigation |
| Content | Investigator identity, action performed, tool used, command executed, output summary, timestamp, target system |
| Format | Structured JSON with Ed25519 signature per entry |
| Retention | 10 years from incident closure (vs. standard 7-year audit log retention) |
| Access | Restricted to Incident Response Team members and Legal counsel |
| Integrity | Each log entry signed with investigator's personal Ed25519 key |
| Chain of custody | Exported forensic logs include cryptographic hash chain and custody transfer records |
| Export | Forensic logs exported to write-once storage (WORM) upon incident closure |
| Admissibility | Logging procedures designed to meet Philippine Rules on Electronic Evidence requirements |
Forensic Log Entry Schema:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Forensic Log Entry",
"type": "object",
"required": [
"log_id", "incident_id", "investigator_id", "action",
"tool", "target", "timestamp", "signature"
],
"properties": {
"log_id": { "type": "string", "format": "uuid" },
"incident_id": { "type": "string", "description": "Related incident ID" },
"investigator_id": { "type": "string", "description": "Investigator identifier (hashed)" },
"investigator_role": { "type": "string", "description": "Investigator's role in the incident response" },
"action": {
"type": "string",
"description": "Action performed (e.g., 'executed command', 'reviewed log', 'captured forensic image')"
},
"tool": {
"type": "object",
"properties": {
"name": { "type": "string", "description": "Tool name and version" },
"command": { "type": "string", "description": "Command executed (if CLI tool)" },
"parameters": { "type": "object", "description": "Tool parameters used" }
}
},
"target": {
"type": "object",
"properties": {
"system": { "type": "string", "description": "Target system identifier" },
"resource": { "type": "string", "description": "Specific resource accessed or modified" }
}
},
"output_summary": {
"type": "string",
"description": "Summary of tool output or action result (no sensitive data in plain text)"
},
"findings": {
"type": "string",
"description": "Investigator's interpretation or findings from this action"
},
"timestamp": { "type": "string", "format": "date-time" },
"signature": {
"type": "string",
"description": "Ed25519 signature of log entry by investigator"
},
"previous_log_hash": {
"type": "string",
"description": "SHA-256 hash of previous log entry for chain integrity"
}
}
}When an incident involves third-party systems or data, additional controls and coordination are required.
Third-Party Incident Response Protocol:
| Step | Action | Timeline | Responsible Party |
|---|---|---|---|
| 1 | Third-party identification: determine which third parties are involved (anchor bank, screening vendor, cloud provider, government agency) | T+4 hours | Technical Lead |
| 2 | Third-party notification: inform affected third parties of incident with relevant details (need-to-know basis) | T+24 hours from confirmation | Incident Commander |
| 3 | Contractual data breach clauses invoked: review Data Processing Agreements, SLAs, and security addendums for breach notification and liability provisions | T+48 hours | Legal Counsel |
| 4 | Joint investigation: coordinate forensic analysis with third-party security teams. Establish secure communication channel and evidence sharing protocol. | T+48 hours | Technical Lead + Third-party security team |
| 5 | Third-party cooperation verification: verify third-party is conducting appropriate investigation and containment on their systems | T+72 hours | Incident Commander |
| 6 | Third-party remediation tracking: monitor third-party remediation actions, verify completion, and assess residual risk | Ongoing | Technical Lead |
| 7 | Third-party liability assessment: determine contractual liability, indemnification obligations, and potential claims | T+14 days | Legal Counsel |
| 8 | Sub-processor replacement consideration: for repeated or severe third-party failures, initiate sub-processor replacement assessment | T+30 days | DPO + CTO |
Third-Party Notification Template:
CONFIDENTIAL - THIRD-PARTY SECURITY NOTIFICATION
To: [Third-party Security Contact]
From: [Incident Commander], Agrifinance Incident Response Team
Date: [Date]
Reference: Incident [ID], Third-Party Notification [TPN-ID]
Dear [Contact],
We are notifying you of a security incident that may affect systems and data
shared between [Third-party Name] and Agrifinance.
Incident Summary:
- [Brief description relevant to third-party's systems/data]
- [Specific impact on shared systems or data]
- [Actions we have taken on our systems]
Requested Actions:
1. [Specific actions requested from third-party]
2. [Specific information requested for our investigation]
3. [Coordination mechanism: secure communication channel, evidence sharing]
Timeline:
- We request acknowledgment of this notification within 4 hours
- We request preliminary findings within 24 hours
- We request a joint investigation call within 12 hours
Contact:
- Incident Commander: [contact information]
- Technical Lead: [contact information]
This notification is made pursuant to Section [X] of our Data Processing
Agreement / Service Level Agreement dated [date].
Sincerely,
[Incident Commander]
During Emergency Settlement Protocol (TEP) activation, special data handling procedures apply to ensure complete auditability of emergency operations.
Emergency Settlement Data Requirements:
| Requirement | Specification | Rationale |
|---|---|---|
| Emergency payout cryptographic binding | All emergency manual payouts bound to signed Obligation Ledger entries via SHA-256 binding hash of canonical payload | Ensures emergency payouts are traceable and cannot be repudiated |
| Binding hash payload | Canonical JSON including: payout_id, beneficiary_id_hash, amount, asset_type, maker_id, maker_signature, checker_id, checker_signature, timestamp, emergency_protocol_id | Complete attribution for post-emergency audit |
| Maker/Checker signatures | Both maker (initiator) and checker (approver) must sign with their Ed25519 keys. Keys stored in HSM. Dual authorization required for all emergency payouts. | Segregation of duties prevents single-person fraud |
| Emergency audit channel | Separate, independently signed audit log for all TEP-related events. 10-year retention (vs. standard 7-year audit log). | Extended retention for emergency operations accountability |
| Post-emergency reconciliation | Full audit of all emergency payout binding hashes performed within 7 days of TEP conclusion. Each payout verified against Obligation Ledger entry. Signatures verified. Amounts reconciled. | Ensures all emergency payouts are properly recorded and accounted for |
| Regulator notification | BSP and AMLC notified within 2 hours of TEP activation. Notification includes: activation reason, estimated scope, emergency contact. Full report submitted within 7 days of TEP conclusion. | Regulatory transparency for emergency financial operations |
| Emergency data preservation | All TEP-related data (communications, decision records, authorization chains) preserved in write-once storage with 10-year retention. | Evidence preservation for potential regulatory or legal review |
| Beneficiary notification | Beneficiaries receiving emergency payouts notified of: payout amount, payout reason, their rights, DPO contact. Notification within 48 hours of payout. | Transparency to data subjects |
Emergency Payout Binding Hash:
{
"payout_id": "emergency_payout_uuid",
"beneficiary_id_hash": "sha256:beneficiary_hash",
"amount": "5000.00",
"currency": "PHP",
"asset_type": "PHP_stablecoin",
"emergency_protocol_id": "tep_abc123",
"maker": {
"officer_id": "officer_hash_1",
"signature": "ed25519_maker_signature_base64",
"timestamp": "2025-04-07T12:00:00Z"
},
"checker": {
"officer_id": "officer_hash_2",
"signature": "ed25519_checker_signature_base64",
"timestamp": "2025-04-07T12:05:00Z"
},
"binding_hash": "sha256:hash_of_canonical_payload",
"obligation_ledger_entry": "ole_emergency_xyz",
"justification": "Typhoon emergency - Barangay San Roque, Puerto Princesa. NDRRMC Declaration #2025-042."
}The Incident Response Team (IRT) is a cross-functional team responsible for managing security incidents and data breaches.
| Role | Responsibility | Availability | Contact Method | Backup |
|---|---|---|---|---|
| Incident Commander | Overall incident management, decision authority, resource allocation, escalation point for all decisions. Single point of truth for incident status. | 24/7 on-call rotation (weekly rotation among senior engineering leadership) | PagerDuty primary, phone secondary | Deputy Incident Commander (always identified) |
| Technical Lead | Technical investigation, containment strategy, remediation planning, forensic coordination. Leads technical analysis and recommends technical actions to Incident Commander. | 24/7 on-call rotation (weekly rotation among senior engineering staff) | PagerDuty primary, phone secondary | Senior engineer on standby |
| Data Protection Officer (DPO) | DPA compliance assessment, NPC notification preparation and submission, data subject communication, privacy impact assessment, coordination with NPC. | Business hours (Mon-Fri, 8AM-6PM PHT) + emergency contact for S1/S2 incidents | Email primary, phone secondary (after hours) | Assistant DPO or external DPO consultant |
| Legal Counsel | Legal liability assessment, contract review (third-party DPAs, SLAs), regulatory coordination (NPC, BSP, AMLC legal), litigation hold management, external counsel engagement. | Business hours (Mon-Fri, 8AM-6PM PHT) + emergency contact for S1/S2 incidents | Email primary, phone secondary (after hours) | External law firm on retainer |
| Communications Lead | Internal communication (employee notification, leadership briefings), external communication (media response, public statements, data subject notification drafts), coordination with government agency communications teams. | Business hours (Mon-Fri, 8AM-6PM PHT) + emergency contact for S1/S2 incidents | Email primary, phone secondary (after hours) | Marketing team lead |
| Forensic Analyst | Evidence collection, forensic image capture, chain of custody maintenance, malware analysis, attack timeline reconstruction, IOC extraction. | On-demand (retained external firm, 4-hour SLA) | Retained firm direct line | Secondary retained firm |
Incident Response Team Activation Criteria:
- S1 (Critical): Full team activated within 1 hour
- S2 (High): Incident Commander, Technical Lead, DPO, Legal activated within 4 hours. Communications and Forensic Analyst on standby.
- S3 (Medium): Technical Lead and DPO activated within 8 hours. Incident Commander notified.
- S4 (Low): Technical Lead reviews within 24 hours. No team activation required.
Runbook: General Incident Response
┌──────────────────────────────────────────────────────────────────────┐
│ INCIDENT RESPONSE RUNBOOK │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ PHASE 1: DETECTION │
│ ───────────────── │
│ │
│ Automated Detection Sources: │
│ ├── Prometheus/Grafana alerts (system metrics, anomaly detection) │
│ ├── SIEM correlation rules (Splunk/ELK) │
│ ├── IDS/IPS alerts (Suricata/Snort) │
│ ├── WAF alerts (ModRules/Cloudflare) │
│ ├── EDR alerts (CrowdStrike/SentinelOne) │
│ └── Custom anomaly detection (ML-based behavioral analysis) │
│ │
│ Manual Detection Sources: │
│ ├── User reports (support tickets, DPO hotline) │
│ ├── Third-party notifications (bug bounty, security researchers) │
│ ├── Regulator notifications (NPC, BSP, AMLC) │
│ ├── Government partner notifications │
│ └── Media monitoring │
│ │
│ Action: Create incident ticket with initial information │
│ ├── Incident ID (auto-generated) │
│ ├── Detection source and timestamp │
│ ├── Initial severity assessment │
│ ├── Affected systems (preliminary) │
│ └── Notify on-call Incident Commander │
│ │
│ PHASE 2: TRIAGE │
│ ───────────── │
│ │
│ 1. Incident Commander assesses initial information │
│ 2. Classify severity (S1-S4) per Section 5.1 │
│ 3. Open incident ticket in incident management system │
│ 4. Activate Incident Response Team per severity criteria │
│ 5. Establish communication channel (dedicated Slack/Teams channel) │
│ 6. Set communication cadence (S1: every 30 min, S2: every hour) │
│ │
│ PHASE 3: CONTAIN │
│ ────────────── │
│ │
│ Immediate Containment Actions: │
│ ├── Isolate affected systems (network segmentation, ACL updates) │
│ ├── Revoke compromised credentials (API keys, sessions, tokens) │
│ ├── Activate circuit breakers (stop affected transaction flows) │
│ ├── Block malicious IPs/domains (WAF, firewall rules) │
│ ├── Preserve forensic evidence (disk images, memory dumps, logs) │
│ └── Notify affected third parties (if third-party systems involved)│
│ │
│ Containment Verification: │
│ ├── Verify isolation is effective (no further unauthorized access) │
│ ├── Verify credentials are revoked (no successful auth with revoked│
│ │ credentials) │
│ └── Verify circuit breakers are active (no new affected transactions│
│ processed) │
│ │
│ PHASE 4: INVESTIGATE │
│ ──────────────── │
│ │
│ 1. Determine root cause (how did this happen) │
│ 2. Determine scope (what systems, data, individuals affected) │
│ 3. Determine data impact (what personal data, how many subjects) │
│ 4. Activate forensic logging (enhanced evidence collection) │
│ 5. Establish attack timeline (when did it start, what happened) │
│ 6. Extract IOCs (indicators of compromise for threat intelligence) │
│ 7. Assess ongoing threat (is attacker still active, is data still │
│ being exfiltrated) │
│ 8. Document all findings in incident ticket │
│ │
│ PHASE 5: ERADICATE │
│ ─────────────── │
│ │
│ 1. Remove threat (malware removal, attacker access elimination) │
│ 2. Patch vulnerability (security patch deployment) │
│ 3. Harden affected systems (additional security controls) │
│ 4. Restore from verified clean backup (if data integrity affected) │
│ 5. Verify restoration integrity (checksum verification, functional │
│ testing) │
│ 6. Remove containment measures (gradual, monitored reconnection) │
│ │
│ PHASE 6: RECOVER │
│ ───────────── │
│ │
│ 1. Restore systems to normal operation │
│ 2. Verify system integrity (security scanning, functional testing) │
│ 3. Monitor for recurrence (enhanced monitoring for 30 days) │
│ 4. Resume normal operations │
│ 5. Close containment phase, transition to monitoring phase │
│ │
│ PHASE 7: NOTIFY │
│ ───────────── │
│ │
│ Per Section 5.2 timeline: │
│ ├── NPC (within 72 hours of awareness) │
│ ├── Affected data subjects (within 72 hours of awareness) │
│ ├── Government program sponsors (within 24 hours for S1/S2) │
│ ├── BSP/AMLC (if financial data affected) │
│ ├── Third-party partners (within 24 hours if their data involved) │
│ └── Board of Directors (immediately for S1) │
│ │
│ PHASE 8: REVIEW │
│ ───────────── │
│ │
│ 1. Post-incident review (within 30 days of incident closure) │
│ 2. Lessons learned document (what went well, what didn't) │
│ 3. Policy updates (update incident response policy based on lessons)│
│ 4. Runbook updates (update this runbook based on lessons) │
│ 5. Training updates (identify training gaps, schedule training) │
│ 6. Tool updates (identify tooling gaps, procure/implement tools) │
│ 7. Incident closure report (approved by Incident Commander) │
│ 8. Final incident report archived (10-year retention) │
│ │
└──────────────────────────────────────────────────────────────────────┘
Runbook: Data Breach Specific Actions (S1)
In addition to the general incident response runbook, S1 data breaches require the following specific actions:
| Time | Action | Responsible | Deliverable |
|---|---|---|---|
| T+0 | Breach detected, incident ticket created | Automated system / Reporter | Incident ticket with initial details |
| T+15 min | Incident Commander acknowledges, activates IRT | Incident Commander | IRT activated, communication channel established |
| T+30 min | Initial technical assessment: confirm breach, identify affected systems | Technical Lead | Preliminary technical assessment |
| T+1 hour | DPO begins privacy impact assessment | DPO | Preliminary privacy impact assessment |
| T+2 hours | Containment measures implemented and verified | Technical Lead | Containment verification report |
| T+4 hours | Scope assessment completed | Technical Lead + DPO | Scope assessment (data categories, data subjects, records) |
| T+6 hours | Legal review of notification obligations | Legal Counsel | Legal assessment of notification requirements |
| T+12 hours | Forensic analysis initiated, evidence preservation confirmed | Forensic Analyst | Forensic evidence preservation log |
| T+18 hours | Affected data subject identification completed | Technical Lead + DPO | List of affected data subjects (hashed) |
| T+24 hours | NPC preliminary notification submitted | DPO | NPC preliminary notification submission confirmation |
| T+24 hours | Government program sponsors notified | Incident Commander | Notification sent confirmation |
| T+36 hours | User notification drafted and reviewed | Communications Lead + DPO + Legal | Draft notification approved |
| T+48 hours | DPO hotline activated | DPO + Communications Lead | Hotline operational |
| T+48 hours | User notifications dispatched | Communications Lead | Notification delivery confirmation |
| T+72 hours | NPC formal notification submitted | DPO | NPC formal notification submission confirmation |
| T+7 days | Root cause analysis completed | Technical Lead + Forensic Analyst | Root cause analysis document |
| T+14 days | Remediation plan submitted to NPC | DPO | Remediation plan document |
| T+30 days | Post-incident review completed | Incident Commander | Post-incident review report |
| Regulation | Full Name | Relevance |
|---|---|---|
| RA 10173 | Data Privacy Act of 2012 | Primary data privacy law governing personal information processing |
| RA 9160 | Anti-Money Laundering Act of 2001 (as amended by RA 10365, RA 11521) | AML/CFT obligations for covered institutions |
| RA 11765 | Financial Products and Services Consumer Protection Act | Consumer protection in financial services |
| BSP Circular 1071 | Cybersecurity Framework for BSP Supervised Institutions | Cybersecurity requirements for financial institutions |
| BSP MOR | Manual of Regulations for Banks | Operational requirements for banking and payment services |
| NPC Circular 2016-01 | Registration of Personal Information Processing Systems | PIPS registration requirements |
| NPC Circular 2016-03 | Personal Data Breach Management | Breach notification procedures and timelines |
| NPC Circular 2024-01 | Guidelines on Personal Information Processing Outsourcing | DPA requirements for processor relationships |
| NPC Advisory 2017-01 | Guidance on the Designation of Data Protection Officers | DPO appointment and responsibilities |
| PD 1445 | Government Auditing Code of the Philippines | COA audit requirements |
| RA 8792 | E-Commerce Act of 2000 | Electronic evidence admissibility |
| Rules on Electronic Evidence | Philippine Rules on Electronic Evidence | Forensic log admissibility standards |
| Classification | Description | Examples | Access Control | Encryption | Retention |
|---|---|---|---|---|---|
| Public | No harm from disclosure | Program descriptions, public policies, aggregated statistics | No restriction | TLS in transit | As needed |
| Internal | Internal use, limited harm from disclosure | Operational metrics, system configurations, internal communications | Employee access only | TLS in transit, AES-256 at rest | 3 years |
| Confidential | Significant harm from unauthorized disclosure | Individual beneficiary data, transaction records, KYC documents | Role-based access, consent verification required | TLS 1.3 in transit, AES-256-GCM at rest, HSM-backed keys | Per retention schedule |
| Restricted | Severe harm from unauthorized disclosure | STR reports, forensic logs, incident investigation data, emergency payout authorizations | Need-to-know basis, dual authorization, enhanced audit logging | TLS 1.3 in transit, AES-256-GCM at rest, HSM-backed keys, separate key hierarchy | 10 years |
| Term | Definition |
|---|---|
| AMLC | Anti-Money Laundering Council - Philippine body responsible for AML/CFT oversight |
| BSP | Bangko Sentral ng Pilipinas - Central bank of the Philippines |
| COA | Commission on Audit - Constitutional body responsible for government audit |
| DPA | Data Privacy Act (RA 10173) or Data Processing Agreement (context-dependent) |
| DPO | Data Protection Officer - Designated individual responsible for data privacy compliance |
| DSR | Data Subject Request - Request by a data subject to exercise their rights under RA 10173 |
| KYC | Know Your Customer - Identity verification process |
| LGU | Local Government Unit - Provincial, city, municipal, or barangay government |
| MDM | Master Data Management - System maintaining golden record of entity data |
| NAV | Net Asset Value - Total value of platform assets backing stablecoins and vouchers |
| NPC | National Privacy Commission - Philippine data privacy regulator |
| Obligation Ledger | Platform's event-sourced record of all financial obligations |
| PSA | Philippine Statistics Authority - National statistics agency, administers PhilSys |
| PhilSys | Philippine Identification System - National ID system |
| PIPS | Personal Information Processing System - System registered with NPC |
| RA | Republic Act - Philippine legislation |
| S1/S2/S3/S4 | Incident severity classification (Critical/High/Medium/Low) |
| STR | Suspicious Transaction Report - Filed with AMLC under RA 9160 |
| CTR | Currency Transaction Report - Filed with AMLC for transactions exceeding threshold |
| TEP | Transaction Emergency Protocol / Emergency Settlement Protocol |
Proprietary - Bull Run Consulting / Starting Block Ventures
- Bull Run Consulting - Web3 venture builder
- Starting Block Ventures - Venture studio
For issues or questions, contact the development team.