Global Data Privacy and Regional Governance for Palisade
Published Confluence page for Project Palisade.
Intended Confluence destination: AIIP Project Palisade folder. Confluence page ID:
6102646902Parent folder ID:6018662571Remote version:2Last remote update:2026-07-01T12:32:14.053ZSync status: Published to Confluence. Last updated: 2026-07-01.
Executive Summary
Palisade is intended to become a shared guardrails platform for ADC AI applications, including current and future LibreAssist deployments. If Palisade sits in front of global AI application traffic, it will see or classify sensitive content such as PHI, PII, audio, images, prompts, model responses, safety signals, and policy violations. That makes privacy, data residency, retention, access control, and model-improvement governance first-class product requirements, not later operational details.
This document is an initial research brief and decision framework. It is not a final legal opinion. The goal is to help Product, Engineering, Legal, Privacy, Compliance, Cybersecurity, and Cloudflare account teams answer:
- Where can Palisade run using Cloudflare regional controls?
- Which Cloudflare products are suitable for PHI/PII paths in each region?
- What data should Palisade store, avoid storing, quarantine, de-identify, or delete?
- What retention policy should apply to raw objects, metadata, audit records, and model-improvement datasets?
- What must be approved before Palisade supports regions outside the United States?
Initial posture:
- Store the minimum data needed to operate, audit, debug, and improve guardrail quality.
- Do not store raw non-compliant or unwanted content by default.
- Use R2 for governed objects only when the data class, jurisdiction, retention period, and deletion behavior are approved.
- Use D1 for metadata, file pointers, classification flags, retention status, audit state, and workflow status.
- Treat embeddings, transcripts, redacted text, thumbnails, and de-identified records as sensitive derived data until Privacy/Legal confirms otherwise.
- Do not use production PHI/PII for model training or fine-tuning unless Legal/Privacy approves the lawful basis, consent or authorization model, de-identification standard, data provenance, region, retention, and vendor terms.
Why This Matters for Palisade and LibreAssist
LibreAssist is currently U.S.-only, but the expected product direction is broader international availability. Palisade is also intended to serve multiple ADC AI applications, not just LibreAssist. A shared guardrail layer can improve safety and consistency, but it also centralizes sensitive inspection, verdicts, and operational evidence.
That centralization creates a governance challenge:
- Guardrails may receive sensitive data even when the application does not intend to store it.
- The most valuable examples for improving guardrails may be the highest-risk examples to retain.
- The region where a request is inspected may differ from the region where logs, metadata, model providers, object storage, and dashboards operate.
- Compliance requirements differ by geography, data type, patient/user relationship, product claims, and whether the AI system is used for care, wellness, support, or operational workflow.
Palisade should therefore define the data governance model before global rollout, not after the first regional expansion.
Research Approach
Use a source hierarchy:
- Primary product sources: Cloudflare docs, Cloudflare Trust Hub, Cloudflare account-team confirmation, executed Abbott agreements, and product-specific BAA/DPA language.
- Primary legal and regulator sources: HHS/OCR for HIPAA, European Commission and EDPB materials for GDPR and AI Act context, national regulators for country-specific privacy laws.
- Secondary legal indexes: IAPP Global Privacy Law and DPA Directory and DLA Piper Data Protection Laws of the World to identify relevant laws and regulators, then verify with official sources or Legal.
- Abbott internal sources: privacy classifications, cybersecurity standards, retention schedules, AI governance requirements, LibreAssist launch markets, and approved vendor lists.
This document deliberately separates likely engineering options from decisions that must be confirmed by Legal, Privacy, Compliance, Cybersecurity, or Cloudflare.
Global Cloudflare Readiness Map
Use this as the first working map for Palisade regional feasibility. It is not a country launch approval list.
| Readiness tier | Regions or markets | Initial Palisade stance | Main reason |
|---|---|---|---|
| Tier 1: first detailed review | United States, EU/EEA, United Kingdom | Good candidates for first privacy architecture work | Strong Cloudflare regional controls exist for U.S. and EU; LibreAssist starts in the U.S.; GDPR/UK GDPR needs early design input |
| Tier 2: likely follow-on review | Canada, Japan, South Korea, Singapore, Australia | Evaluate after U.S./EU model is defined | Cloudflare has Regional Services in these markets, but metadata boundary, PHI equivalent rules, and local health privacy requirements need confirmation |
| Tier 3: needs deeper legal and Cloudflare review | Brazil/LATAM, India, Middle East, Turkey, UAE, Saudi Arabia, South Africa | Do not assume the U.S./EU design transfers directly | Cloudflare Regional Services may be available in some countries, but local data localization, health data, AI rules, and storage options vary |
| Tier 4: special path | Mainland China | Treat as separate product and compliance workstream | Cloudflare China Network is a separate Enterprise subscription operated with JD Cloud, has product limitations, ICP/content-vetting requirements, and local regulatory considerations |
| Tier 5: restricted or blocked until approved | Sanctioned countries and restricted territories | Do not launch or process without Legal/Trade Compliance approval | OFAC and other sanctions programs may prohibit or restrict services, transfers, support, or business activity |
Cloudflare Regional Controls and Product Fit
Cloudflare has several different location concepts. They are not interchangeable:
- Regional Services controls where HTTPS traffic is decrypted and inspected.
- Customer Metadata Boundary controls where Cloudflare traffic logs and analytics metadata are stored.
- R2 and D1 jurisdiction settings control where those storage products persist data.
- Location hints are performance hints, not legal residency guarantees.
- Product compatibility varies; each Palisade component must be validated against Cloudflare's current DLS compatibility matrix and Abbott's contracts.
| Product or control | Potential Palisade role | Regional/privacy fit | Open concern |
|---|---|---|---|
| Workers on a zone | Runtime for proxy/check API and policy execution | Regional Services can constrain HTTPS decryption/inspection for zone-based Workers; use custom domains rather than workers.dev for regulated paths | Confirm account enablement, managed/custom regions, and whether all Palisade routes are zone-based |
| R2 | Store governed audio, images, transcripts, redacted artifacts, and evidence packages | Jurisdictional Restrictions can guarantee object storage in supported jurisdictions such as eu and fedramp; lifecycle rules can delete or transition objects | Location hints are not residency guarantees; bucket jurisdiction cannot be changed after creation; confirm BAA/DPA coverage for each data class |
| R2 lifecycle rules | Enforce object expiration | Useful for default deletion of raw objects, temporary debug captures, and review queues | Must align with legal hold and bucket lock behavior |
| R2 bucket locks | Prevent premature deletion when required | Useful only when a minimum retention period is legally required | Bucket locks override lifecycle deletion; dangerous for unwanted/non-compliant data if misapplied |
| D1 | Store metadata, object keys, classification flags, retention state, review decisions, and audit status | D1 supports jurisdictions such as eu and fedramp; D1 encrypts data at rest and in transit | Location hints are not guarantees; read replication may create global read copies when enabled; avoid storing raw PHI/PII in D1 unless approved |
| Workers AI | Run AI-based checks or embeddings | Cloudflare says Workers AI customer content is not used to train Workers AI or improve services without explicit consent | Do not assume region-constrained inference; validate Workers AI DLS compatibility, model licenses, BAA coverage, and PHI suitability |
| AI Gateway | Observe, route, control, and protect AI-provider calls | Useful for AI traffic governance and prompt-injection/data-leak controls | DLS compatibility has limitations; provider-specific BAA, data retention, logging, and regional routing must be approved before PHI use |
| Vectorize | Store embeddings for retrieval or similarity search | Useful for non-PHI knowledge retrieval or synthetic/de-identified evaluation search | DLS compatibility limitations mean no production PHI/PII embeddings until Legal/Privacy approve architecture and residency |
| Logs, analytics, Logpush | Security and operations telemetry | Customer Metadata Boundary can keep Cloudflare Customer Logs in EU or U.S.; Logpush can export to approved storage | Prompt/response content should not be general telemetry; ensure redaction before export |
| Cloudflare Access and Zero Trust | Protect dashboard, admin workflows, and reviewer tools | Strong fit for identity-aware least privilege, RBAC, and auditability | Confirm admin access across regions, out-of-region log access settings, and Abbott SSO integration |
| WAF, Bot Management, API Shield, Rate Limiting | Protect public Palisade endpoints | Many app security products are compatible with DLS features | Validate product-specific caveats before regulated rollout |
| China Network | Performance/security path for Mainland China | Separate Enterprise service with JD Cloud-operated infrastructure | Not all products are available; ICP, content vetting, local monitoring, and partner data handling need a dedicated review |
Data Categories
Palisade needs a simple, explicit data taxonomy before implementation. The taxonomy should be represented in D1 metadata and applied consistently to text, audio, image, and multimodal files.
| Category | Examples | Default handling | Possible storage |
|---|---|---|---|
| Operational metadata | Request ID, app ID, policy profile, verdict, module version, latency, region, timestamp | Store for audit and operations with no raw prompt/response content | D1 and telemetry, region-scoped where required |
| Allowed content needed for audit | Approved transcript sample, redacted model response, guardrail evidence | Store only if there is a defined audit or quality purpose and approved retention | R2 with D1 pointer and retention flags |
| PHI/PII content | Health data, identifiers, voice recordings, images, transcripts, patient context | Minimize, region-scope, encrypt, restrict access, and delete by policy | R2 jurisdiction bucket only if approved; D1 stores pointer and flags |
| Unwanted or non-compliant content | Content that violates policy, unsafe advice, irrelevant side conversation, sensitive leakage, prompt-injection payloads | Do not store raw content by default; store minimal metadata needed to prove handling | D1 metadata only; optional short-lived quarantine if approved |
| Quarantined review content | A flagged audio/image/text case needing human review | Store in a restricted bucket with short TTL and reviewer workflow | R2 quarantine bucket plus D1 review status |
| De-identified data | HIPAA de-identified cases, GDPR-anonymized or strongly pseudonymized samples, synthetic examples | Use for evaluation or model improvement only after review | R2 de-identified/evaluation bucket |
| Model-training candidate | High-value failure case, edge case, remediation example | Not eligible until consent/lawful basis, de-identification, vendor terms, and governance are approved | Separate governed dataset, not production raw store |
| Security telemetry | Threat events, WAF/API Shield hits, auth failures | Store for security operations without user content where possible | SIEM/Logpush destination approved by Cybersecurity |
Proposed Storage and Retention Model
Palisade should separate raw object storage from metadata and governance decisions:
- R2 stores files and larger artifacts only when retention is approved.
- D1 stores references, data classification flags, lifecycle state, and review state.
- Telemetry stores metrics and traces without prompt, response, audio, image, or transcript bodies.
Recommended R2 bucket pattern:
| Bucket pattern | Intended content | Default retention |
|---|---|---|
palisade-raw-<jurisdiction> | Approved raw content needed for audit or product workflow | Legal/Privacy-defined only; no default indefinite retention |
palisade-quarantine-<jurisdiction> | Restricted flagged content awaiting review | Short TTL, for example 24 to 72 hours, unless Legal approves longer |
palisade-redacted-<jurisdiction> | Redacted transcripts, redacted screenshots, evidence snippets | 30 to 90 days unless a stricter regional policy applies |
palisade-deidentified-<jurisdiction> | Approved de-identified or anonymized examples | Longer retention possible if governance approves |
palisade-eval-synthetic | Synthetic evaluation data | Longer retention acceptable if confirmed non-sensitive |
Recommended D1 metadata fields:
| Field | Purpose |
|---|---|
record_id | Stable Palisade metadata identifier |
app_id | Source app, for example libreassist |
region_policy | Region or jurisdiction selected for processing/storage |
object_key | R2 object key when an object exists |
modality | text, audio, image, or multimodal |
policy_profile | Palisade policy profile applied |
verdict | allow, flag, remediate, or block |
contains_phi | Boolean or tri-state classification |
contains_pii | Boolean or tri-state classification |
policy_noncompliant | Whether the content violated policy |
risk_level | Low, medium, high, or critical |
retention_class | no_store, quarantine_short, audit_metadata, regulated_audit, deidentified_reuse, or legal_hold |
delete_after | Automatic deletion timestamp |
review_status | none, pending, approved, rejected, or deleted |
training_eligible | False by default; true only after governance approval |
lawful_basis_ref | Reference to approved legal basis or policy document, not free text |
consent_ref | Reference to consent or authorization record when required |
hash | Integrity/deduplication hash when safe to compute and store |
created_at, deleted_at | Lifecycle audit timestamps |
Retention classes should be simple enough to implement:
| Retention class | Default rule | Notes |
|---|---|---|
no_store | No raw object persisted | Default for unwanted/non-compliant content |
quarantine_short | Delete quickly after review window | Needs strict reviewer RBAC and audit trail |
audit_metadata | Keep metadata only | Useful for evidence without retaining raw content |
regulated_audit | Keep only when required by approved policy | May need R2 bucket locks; avoid for unwanted content |
deidentified_reuse | Keep de-identified/synthetic cases for evaluation | Requires documented de-identification method and re-identification risk review |
legal_hold | Suspend deletion under Legal control | Must override automated deletion intentionally and visibly |
Palisade Regional Data Flow
Data Disposition Decision Tree
Regional Privacy and AI Regulation Themes
This matrix identifies the research starting point for each region. It should be reviewed with Legal and Privacy before any launch decision.
| Region | Relevant themes | Cloudflare posture to validate | Initial Palisade questions |
|---|---|---|---|
| United States | HIPAA/HITECH for PHI, business associate obligations, state privacy laws, FTC/state health data scrutiny | Confirm Enterprise BAA covers the exact Cloudflare products used: Workers, R2, D1, Workers AI, AI Gateway, Access, logs | What PHI can Palisade process? What raw content can be retained? What retention is required for audit vs prohibited for unwanted content? |
| EU/EEA | GDPR lawful basis, special category health data, DPIA, international transfers, data minimization, storage limitation, AI Act risk classification | Use EU Regional Services, EU Customer Metadata Boundary, EU R2/D1 jurisdictions where applicable | Is Palisade a processor/subprocessor path? Which lawful basis and Article 9 condition apply? Are SCCs/BCRs/adequacy needed for any transfer? |
| United Kingdom | UK GDPR, Data Protection Act, health data rules, international transfer rules | Validate UK Regional Services and metadata/log handling; Cloudflare docs note UK can use EU metadata boundary | Does UK data need a UK-specific storage/processing boundary or is EU handling acceptable under Abbott policy? |
| Canada | PIPEDA plus provincial health privacy laws | Validate Canada Regional Services; no Customer Metadata Boundary in Canada in current DLS table | Which provinces matter for LibreAssist? Are cross-border notices, consents, or hosting restrictions required? |
| Brazil/LATAM | LGPD in Brazil, country-specific privacy laws across LATAM, health data sensitivity, international transfers | Brazil Regional Services exists; R2/D1 jurisdiction support is not Brazil-specific today | Can Brazilian health/PII be stored outside Brazil? What consent/legal basis is required for model improvement? |
| China | PIPL, Cybersecurity Law, Data Security Law, cross-border transfer controls, ICP/content obligations | China Network is separate, partner-operated, and not all products are available | Should China be excluded from initial Palisade scope? If included, does it require separate architecture, local approvals, and local review workflow? |
| India | DPDP Act, consent/notice, significant data fiduciary obligations, sectoral health rules | India Regional Services and Geo Key Manager support exist; no Customer Metadata Boundary in India | Does health data require local storage or special consent? Can AI guardrail logs leave India? |
| Japan | APPI, sensitive personal information, EU adequacy relationship | Japan Regional Services exists; no Japan Customer Metadata Boundary | What local consent and transfer disclosures are needed for health-related AI guardrail processing? |
| South Korea | PIPA, sensitive information, cross-border transfer controls, EU adequacy relationship | South Korea Regional Services and Geo Key Manager support exist; no local CMB | What approvals/notices apply to health and biometric/audio data? |
| Singapore | PDPA, consent/notification, transfer limitation obligations | Singapore Regional Services and Geo Key Manager support exist; no local CMB | Can regional APAC storage be used, or is Singapore-specific processing needed? |
| Australia | Privacy Act, health information, state rules, possible IRAP needs | Australia Regional Services and IRAP Protected region are available; no local CMB | Is IRAP required for Abbott use cases? What retention and access controls apply to health data? |
| Middle East | Country-specific privacy and health data rules, localization in some markets, government access concerns | Regional Services includes markets such as UAE, Saudi Arabia, and Turkey; no local CMB | Which launch countries matter? Are local hosting or transfer approvals required? |
| Sanctioned/restricted regions | OFAC, EU/UK sanctions, export controls, local restrictions | Do not infer Cloudflare availability means Abbott can provide service | Which regions must be geoblocked or excluded from Palisade and upstream providers? |
Cybersecurity and Operational Controls
Palisade should adopt the following controls before any PHI/PII-capable rollout:
| Control | Why it matters | Owner |
|---|---|---|
| Cloudflare Access and Abbott SSO | Restrict admin dashboards and review tools to approved users | Cybersecurity / Engineering |
| Role-based access control | Separate platform admins, app owners, reviewers, auditors, and developers | Product / Engineering |
| No public R2 buckets | Prevent accidental exposure of audio, images, transcripts, or evidence | Engineering |
| Short-lived signed access | Make review access time-bound and auditable | Engineering |
| Encryption at rest and in transit | Baseline requirement for PHI/PII systems | Cybersecurity / Cloudflare |
| Secret management | Keep API keys, provider tokens, and signing secrets out of code and logs | Engineering |
| Telemetry hygiene | Prevent prompts, responses, audio, images, and PHI from entering general logs | Engineering / Cybersecurity |
| DLP and redaction | Reduce accidental storage and human review exposure | Privacy / Engineering |
| Audit trail | Record who accessed, reviewed, exported, deleted, or changed retention state | Compliance / Engineering |
| Deletion evidence | Prove lifecycle deletion without retaining the sensitive raw content | Compliance / Engineering |
| Incident response | Define breach, unauthorized access, and misclassification playbooks | Cybersecurity / Legal |
| Vendor risk review | Confirm Cloudflare and downstream model providers are approved for each data class | Compliance / Procurement |
| Regional route tests | Prove actual request, log, storage, and provider paths by region before launch | Engineering / Cloudflare |
Model Improvement and Training Use Considerations
Palisade will generate useful examples for improving guardrails: false positives, false negatives, prompt-injection attempts, unsafe medical advice, irrelevant audio, side conversations, remediation failures, and region-specific edge cases. Those examples are valuable, but using them for training or fine-tuning can create high legal and privacy risk.
Recommended policy:
- Production raw PHI/PII is not training data by default.
- Non-compliant or unwanted raw content is not training data by default.
- Training eligibility must be explicit in D1 metadata and false unless approved.
- Model-improvement datasets should prefer synthetic, de-identified, or strongly redacted examples.
- De-identification must be documented; for U.S. PHI, HHS recognizes Expert Determination and Safe Harbor methods.
- EU/UK data must be reviewed under GDPR/UK GDPR concepts such as purpose limitation, data minimization, special-category processing, and international transfer safeguards.
- Audio and images need special review because voice, face, device screenshots, and background context may identify people even after transcript redaction.
- Embeddings should be treated as derived sensitive data; do not store PHI/PII embeddings in Vectorize until residency, deletion, and re-identification risk are approved.
- Any third-party model provider or AI gateway used for training, evaluation, or inference must have approved contractual terms, retention settings, BAA/DPA where needed, and documented no-training/no-retention posture.
Legal, Compliance, and Cloudflare Account-Team Questions
| Owner | Questions |
|---|---|
| Legal | Which countries are in scope for the next LibreAssist expansion? What lawful bases apply to guardrail processing, retention, review, and model improvement? Which countries require local counsel review? |
| Privacy | What is the approved data classification for prompts, responses, audio, images, transcripts, embeddings, verdicts, and metadata? When is data truly de-identified vs pseudonymized? |
| Compliance | What retention periods are required for audit evidence? Which evidence can be metadata-only? What legal-hold process should override deletion? |
| Cybersecurity | What controls are mandatory before PHI/PII touches Palisade? What logging, DLP, access-review, incident-response, and SIEM requirements apply? |
| Cloudflare account team | Which products are covered by Abbott's Cloudflare agreements and BAA/DPA? Are Workers, R2, D1, Workers AI, AI Gateway, Vectorize, Access, Logpush, and DLS in scope for PHI/PII? Which regional features are enabled on Abbott accounts? |
| Product | Which Palisade evidence must be retained for user trust, quality review, customer support, or regulatory defense? Which data can be discarded immediately? |
| Engineering | How will the app pass region, consent, policy profile, and retention instructions to Palisade? How will deletion be tested? How will route/storage/log region evidence be collected? |
Recommended Research Workplan and Decisions Needed
Phase 1: Cloudflare Capability Confirmation
Output: Cloudflare product and region readiness table approved by Engineering, Cybersecurity, and Cloudflare account team.
- Confirm current DLS availability for target launch regions.
- Confirm whether Palisade Workers must run only on custom domains with Regional Services.
- Confirm R2 and D1 jurisdiction support for U.S., EU, FedRAMP, and other required regions.
- Confirm D1 read replication settings and whether they are allowed for regulated metadata.
- Confirm Workers AI, AI Gateway, and Vectorize suitability for PHI/PII paths.
- Confirm Cloudflare BAA/DPA scope for every product in the Palisade architecture.
Phase 2: Legal and Privacy Regional Matrix
Output: region-by-region launch constraints and required approvals.
- Identify target launch regions for LibreAssist and future ADC AI applications.
- For each region, document personal data, health data, biometric/audio, AI, transfer, retention, and breach-notification requirements.
- Decide whether Palisade can process raw content, metadata only, de-identified data, or no data in each region.
- Decide whether human review is allowed and from which countries reviewers may access data.
Phase 3: Data Disposition Policy
Output: approved retention classes and D1/R2 governance fields.
- Define
no_store,quarantine_short,audit_metadata,regulated_audit,deidentified_reuse, andlegal_hold. - Define which Palisade verdicts map to each default retention class.
- Define deletion evidence requirements.
- Define who can override deletion and under what approval path.
Phase 4: Architecture Validation
Output: tested regional proof for one U.S. path and one EU path.
- Prove request routing, TLS termination, storage location, log location, and admin access behavior.
- Prove R2 lifecycle deletion and D1 metadata update behavior.
- Prove blocked/non-compliant content is not stored by default.
- Prove telemetry does not contain prompt, response, audio, image, transcript, or PHI bodies.
Phase 5: Model Improvement Governance
Output: model-improvement policy for Palisade datasets.
- Define what data can enter evaluation datasets.
- Define when de-identified or synthetic examples may be retained.
- Define consent/authorization requirements for production-derived examples.
- Define vendor restrictions and no-training terms.
- Define human-review sampling and dataset approval workflow.
Initial Decisions to Make
| Decision | Recommended default | Needed approval |
|---|---|---|
| Should Palisade store raw non-compliant content? | No, except short quarantine if explicitly approved | Legal, Privacy, Cybersecurity |
| Should Palisade store raw allowed content? | Only when required for a product/audit purpose and with retention | Product, Legal, Privacy |
| Should D1 store PHI/PII? | Avoid raw PHI/PII; store flags, pointers, and retention state | Privacy, Cybersecurity |
| Should Vectorize store production-derived embeddings? | No for PHI/PII until reviewed | Privacy, Legal, Engineering |
| Should AI Gateway route PHI? | Not until BAA/DPA, provider terms, logging, and DLS caveats are approved | Legal, Cloudflare, Cybersecurity |
| Should training use production data? | No by default; use synthetic/de-identified first | Legal, Privacy, AI Governance |
| Should China be in first expansion scope? | No; separate workstream | Legal, Product, Cloudflare |
Source Register
Primary Cloudflare sources:
- Cloudflare Global Network - global network availability context.
- Cloudflare Data Localization Suite - overview of regional inspection, key, log, and processing controls.
- Cloudflare DLS Region Support - current regional support for Geo Key Manager, Regional Services, and Customer Metadata Boundary.
- Cloudflare DLS Product Compatibility - product-by-product compatibility with DLS controls.
- Cloudflare Regional Services - where TLS termination and application-layer inspection occur.
- Cloudflare Customer Metadata Boundary - EU/U.S. Customer Logs storage boundary.
- Cloudflare R2 Data Location - R2 automatic placement, location hints, and jurisdictional restrictions.
- Cloudflare R2 Object Lifecycles - object retention and deletion lifecycle rules.
- Cloudflare R2 Bucket Locks - minimum retention controls and lifecycle precedence.
- Cloudflare D1 Data Location - D1 jurisdiction and location-hint behavior.
- Cloudflare D1 Data Security - D1 encryption at rest and in transit.
- Cloudflare D1 Time Travel and Backups - D1 restore window and R2 export option.
- Cloudflare Workers AI Data Usage - customer content and no-training statements for Workers AI.
- Cloudflare Responsible AI - Cloudflare AI governance and customer-content training posture.
- Cloudflare HIPAA/HITECH whitepaper - BAA and HIPAA scope framing to confirm with account team.
- Cloudflare China Network and China Network FAQ - separate China service, JD Cloud, ICP, content vetting, and product availability context.
Primary regulatory and government sources:
- HHS HIPAA Security Rule Summary - administrative, physical, and technical safeguards for ePHI.
- HHS HIPAA De-identification Guidance - Expert Determination and Safe Harbor methods.
- European Commission Data Protection - GDPR and international transfer context.
- European Commission Adequacy Decisions - adequacy mechanism and recognized countries.
- EU AI Act - risk-based AI regulatory framework.
- OFAC Sanctions Programs and Country Information - sanctions program source for restricted-region review.
Secondary legal research indexes:
- IAPP Global Privacy Law and DPA Directory - jurisdiction and data protection authority index, informational only.
- DLA Piper Data Protection Laws of the World - cross-jurisdiction legal research starting point, not a substitute for legal advice.