# Compliance & Governance

> Use tagging for audits, GDPR, and data governance

## Why Classification Matters for Compliance

Auditors ask: "Where is your PII?" You need an answer that isn't "let me check."

AnomalyArmor's auto-classification and custom tags give you:

* **Instant PII inventory** across all databases
* **Audit-ready exports** of sensitive data locations
* **Continuous monitoring** as new tables appear

***

## Common Compliance Scenarios

### SOC 2 / Security Audits

**Auditor asks**: "Show me all tables containing customer data."

**Your response**:

1. Go to **Assets** → **Filter** → **Classification** → `pii:*`
2. Export the filtered list
3. Hand the auditor a complete inventory

### GDPR Data Mapping

**Requirement**: Know where personal data is stored.

**Your workflow**:

1. Auto-classification tags emails, names, and addresses automatically
2. Filter by `pii:email`, `pii:name`, `pii:address`
3. Document each table's purpose and retention policy using descriptions

### Access Reviews

**Requirement**: Verify who can access sensitive data.

**Your workflow**:

1. Tag sensitive tables: `sensitivity:high`, `sensitivity:medium`
2. Cross-reference with database permissions
3. Use tags to prioritize access review scope
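
The cross-referencing step above, as an added example that is not AnomalyArmor code: it assumes the asset list was exported as CSV with `schema`, `table` and semicolon-separated `tags` columns (a hypothetical layout) and that grants were read from the database's `information_schema.table_privileges` view. All sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: asset export with an assumed layout (schema, table, tags).
ASSET_EXPORT = """schema,table,tags
public,customers,pii:email;pii:name;sensitivity:high
public,orders,sensitivity:medium
public,page_views,
billing,invoices,pii:address;sensitivity:high;compliance:reviewed
"""

# Constructed sample rows shaped like information_schema.table_privileges:
# (grantee, table_schema, table_name, privilege_type).
GRANTS = [
    ("analyst_ro", "public", "customers", "SELECT"),
    ("etl_service", "public", "customers", "INSERT"),
    ("etl_service", "public", "customers", "SELECT"),
    ("analyst_ro", "public", "orders", "SELECT"),
    ("PUBLIC", "billing", "invoices", "SELECT"),
    ("analyst_ro", "public", "page_views", "SELECT"),
]

RANK = {"high": 0, "medium": 1}  # review order; untagged tables are out of scope


def sensitivity(tags):
    """Return the most sensitive level present in the tags, or None."""
    levels = [lvl for lvl in RANK if f"sensitivity:{lvl}" in tags]
    return min(levels, key=RANK.get) if levels else None


def build_review_scope(asset_csv, grants):
    """List tagged tables, most sensitive first, with who holds which privilege."""
    access = defaultdict(lambda: defaultdict(set))
    for grantee, schema, table, priv in grants:
        access[(schema, table)][grantee].add(priv)
    scope = []
    for row in csv.DictReader(io.StringIO(asset_csv)):
        tags = [t for t in row["tags"].split(";") if t]
        level = sensitivity(tags)
        if level is None:
            continue  # no sensitivity tag: not part of this access review
        key = (row["schema"], row["table"])
        grantees = {g: sorted(p) for g, p in sorted(access[key].items())}
        scope.append({"table": ".".join(key), "sensitivity": level,
                      "reviewed": "compliance:reviewed" in tags,
                      "grantees": grantees})
    return sorted(scope, key=lambda r: (RANK[r["sensitivity"]], r["table"]))
```

Calling `build_review_scope(ASSET_EXPORT, GRANTS)` returns the review list in priority order; a `PUBLIC` grantee on a `sensitivity:high` table is the kind of entry to examine first.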

***

## Recommended Tag Structure

| Tag                            | Use For                         |
| ------------------------------ | ------------------------------- |
| `pii:email`, `pii:phone`, etc. | Auto-classified PII (automatic) |
| `sensitivity:high`             | Manually flagged critical data  |
| `compliance:reviewed`          | Audit trail of reviewed assets  |
| `compliance:gdpr-scope`        | GDPR-relevant data              |
| `retention:30-days`            | Data retention policy           |

***

## Audit Preparation Checklist

```
[ ] Run discovery to ensure catalog is current
[ ] Review auto-classification results for accuracy
[ ] Remove false positives (email_count ≠ PII)
[ ] Add manual tags for data that auto-classification missed
[ ] Export filtered asset list for the auditor
[ ] Document any exceptions with descriptions
```

***

## Staying Compliant Over Time

New tables appear. Schemas change. Stay ahead:

1. **Alert on new PII**: Create a rule for "New asset detected" and filter it by auto-classification
2. **Review cadence**: Monthly review of `compliance:needs-review` tagged assets
3. **Discovery schedule**: Run frequently enough to catch new tables before auditors do

## Common Questions

### How do I answer 'where is our PII?' during an audit?

Go to **Assets**, filter by classification `pii:*`, and export the list. You get a complete inventory of PII-tagged columns across every connected database. Pair this with a manual spot-check for PII hidden in non-obvious column names.

### Does AnomalyArmor help with GDPR data mapping?

Yes. [Auto-classification](/data-classification/auto-classification) tags emails, names, and addresses automatically. Filter by the relevant `pii:*` tags to map where personal data lives, then add retention or scope tags like `compliance:gdpr-scope` for documentation.

### Can I flag tables as reviewed for audit purposes?

Use [custom tags](/data-classification/custom-tags) like `compliance:reviewed` and `compliance:needs-review`. Apply them manually or in bulk, then filter by tag to see what still needs attention.

### What happens if a new table appears between audits?

Create an alert rule for "New asset detected" filtered by auto-classification. Every time discovery finds a new PII-tagged table, the alert fires so you can review it before the next audit cycle.
