Data Privacy Conference

On building privacy in engineering and product processes.



Rohan Prabhu


Our approach to PII/SPDI redaction

Submitted Mar 2, 2021

Abstract

By regulation, and more so by moral obligation, Jupiter is required to safeguard the privacy of its customers. As providers of financial services, we are often entrusted with information that can be extremely private to users, sensitive in nature, and at the same time capable of personally identifying them from a single data element. An engineering stack built on a number of microservices and subsystems, reliant on an equally large number of data storage systems, brings its own challenges when it comes to governance of customers' private data. In this talk we would like to give a walkthrough of the solution that Jupiter implemented to solve this problem and to massively reduce the number of systems that interact with actual, raw PII/SPDI (Personally Identifying Information/Sensitive Personal Data or Information), so that monitoring of access and data control can be achieved with a higher degree of operational confidence.

We would be talking about the basic requirements around PII/SPDI protection as an industry requirement:

  1. What does the law/regulation say about PII/SPDI
  2. What did our partners need from us when it came to protecting customer data

In terms of engineering:

  1. How can we implement a solution that induces little to no developer friction? The aim here was not just to make it easy for developers to integrate PII/SPDI redaction: an intrusive process with multiple touchpoints would make human error that much more likely, which could end up being a potential point of breach
  2. The same code should work with PII/SPDI redaction switched off as it does with redaction switched on
  3. How are we ensuring that we are still able to maintain semantics of lookup, uniqueness of certain data elements, specifically the ability to use certain data elements as primary keys for user centric data
  4. How we are handling multiple partners wanting their customers' data to be stored in isolation from other partners, encrypted with keys that are provisioned specifically for them
  5. Why we chose to work at the serialization layer to implement PII/SPDI redaction

And in terms of where we see this going:

  1. What are the limitations and caveats of the current system
  2. Ideas to explore - Is it possible to do this at a service mesh level? Proxy level? At a gateway, maybe - our thoughts and musings on this topic
