Data Classification

Control agent access to data based on sensitivity levels.

Overview

Data classification ensures agents only access data appropriate to their authorization level.

Classification Levels

Level	Description	Examples
`public`	Publicly available	Marketing materials, public docs
`internal`	Internal use only	Internal policies, procedures
`confidential`	Restricted access	Business strategies, financials
`restricted`	Highly sensitive	Trade secrets, M&A data
`phi`	Protected Health Info	Medical records, patient data

Configuring Classifications

At Agent Creation

bash

curl -X POST https://api.gateflow.ai/v1/mcp/agents \
  -H "Authorization: Bearer gw_prod_admin_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Public Support Bot",
    "permissions": {
      "tools": ["llm/chat", "retrieval/search"],
      "data_classification": ["public"]
    }
  }'

Multiple Levels

bash

curl -X POST https://api.gateflow.ai/v1/mcp/agents \
  -H "Authorization: Bearer gw_prod_admin_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Internal Research Agent",
    "permissions": {
      "tools": ["llm/chat", "retrieval/search", "document/process"],
      "data_classification": ["public", "internal", "confidential"]
    }
  }'

Classifying Data

Document Upload

python

import requests

# Upload with classification
response = requests.post(
    "https://api.gateflow.ai/v1/files",
    headers={"Authorization": "Bearer gw_prod_..."},
    files={"file": open("financial_report.pdf", "rb")},
    data={
        "purpose": "document",
        "classification": "confidential",
        "metadata": '{"department": "finance"}'
    }
)

Document Processing

python

from gateflow_mcp import MCPClient

client = MCPClient(agent_id="agent_research", api_key="gf-agent-...")

result = client.call_tool(
    name="document/process",
    arguments={
        "file": file_b64,
        "filename": "strategy.pdf",
        "classification": "restricted",
        "collection": "executive-docs"
    }
)

Collection Classification

bash

curl -X POST https://api.gateflow.ai/v1/management/collections \
  -H "Authorization: Bearer gw_prod_admin_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hr-documents",
    "classification": "internal",
    "description": "HR policies and procedures"
  }'

Access Control

Search Filtering

Agents automatically see only permitted data:

python

# Agent with "public" + "internal" classification
result = client.call_tool(
    name="retrieval/search",
    arguments={"query": "company policies"}
)

# Results only include public and internal documents
# Confidential and restricted documents are filtered out

Explicit Classification Filter

python

result = client.call_tool(
    name="retrieval/search",
    arguments={
        "query": "financial projections",
        "filters": {
            "classification": {"$in": ["internal"]}
        }
    }
)

Classification Errors

When an agent tries to access data above their level:

json

{
  "error": {
    "type": "permission_error",
    "code": "classification_denied",
    "message": "Agent does not have access to 'confidential' classified data",
    "requested_classification": "confidential",
    "agent_classifications": ["public", "internal"],
    "document_id": "doc_xyz789"
  }
}

PHI Handling

HIPAA-Compliant Agent

bash

curl -X POST https://api.gateflow.ai/v1/mcp/agents \
  -H "Authorization: Bearer gw_prod_admin_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Medical Scribe",
    "permissions": {
      "tools": ["voice/pipeline", "llm/chat"],
      "data_classification": ["phi"],
      "pipelines": ["ambient-scribe"]
    },
    "compliance": {
      "hipaa": true,
      "audit_level": "full"
    }
  }'

PHI Document Processing

python

result = client.call_tool(
    name="document/process",
    arguments={
        "file": medical_record_b64,
        "filename": "patient_notes.pdf",
        "classification": "phi",
        "detect_pii": True,
        "compliance": {
            "hipaa": True,
            "patient_id": "patient_123"
        }
    }
)

Classification Inheritance

Documents inherit collection classification:

yaml

# Collection definition
collection:
  name: legal-contracts
  classification: confidential

# Documents uploaded to this collection
# automatically get "confidential" classification

Override at upload:

python

result = client.call_tool(
    name="document/process",
    arguments={
        "file": file_b64,
        "collection": "legal-contracts",
        "classification": "restricted"  # Override to higher level
    }
)

Cross-Classification Search

Agents can search across permitted classifications:

python

# Agent with public, internal, confidential access
result = client.call_tool(
    name="retrieval/search",
    arguments={
        "query": "quarterly results",
        "cross_collection": True  # Search all permitted collections
    }
)

# Results may include documents from multiple classifications
for r in result["results"]:
    print(f"{r['title']} [{r['classification']}]")

Audit Trail

All data access is logged:

bash

curl "https://api.gateflow.ai/v1/mcp/agents/agent_abc123/audit-log?classification=confidential" \
  -H "Authorization: Bearer gw_prod_admin_key"

json

{
  "entries": [
    {
      "timestamp": "2026-02-16T10:30:00Z",
      "action": "search",
      "classification": "confidential",
      "documents_accessed": 3,
      "query": "financial projections"
    }
  ]
}

Best Practices

Classify at ingest - Set classification when uploading
Use collections - Group documents by sensitivity
Minimum access - Grant lowest classification needed
Audit regularly - Review access patterns
Document policies - Clear classification guidelines

Classification Patterns

Public Support Bot

yaml

permissions:
  data_classification:
    - public

Internal Employee Bot

yaml

permissions:
  data_classification:
    - public
    - internal

Executive Assistant

yaml

permissions:
  data_classification:
    - public
    - internal
    - confidential
    - restricted

Healthcare Agent

yaml

permissions:
  data_classification:
    - phi
compliance:
  hipaa: true

Next Steps

Tool Permissions - Tool access
Model Allowlists - Model restrictions
Audit Logging - Access tracking

Data Classification ​

Overview ​

Classification Levels ​

Configuring Classifications ​

At Agent Creation ​

Multiple Levels ​

Classifying Data ​

Document Upload ​

Document Processing ​

Collection Classification ​

Access Control ​

Search Filtering ​

Explicit Classification Filter ​

Classification Errors ​

PHI Handling ​

HIPAA-Compliant Agent ​

PHI Document Processing ​

Classification Inheritance ​

Cross-Classification Search ​

Audit Trail ​

Best Practices ​

Classification Patterns ​

Public Support Bot ​

Internal Employee Bot ​

Executive Assistant ​

Healthcare Agent ​

Next Steps ​

Data Classification

Overview

Classification Levels

Configuring Classifications

At Agent Creation

Multiple Levels

Classifying Data

Document Upload

Document Processing

Collection Classification

Access Control

Search Filtering

Explicit Classification Filter

Classification Errors

PHI Handling

HIPAA-Compliant Agent

PHI Document Processing

Classification Inheritance

Cross-Classification Search

Audit Trail

Best Practices

Classification Patterns

Public Support Bot

Internal Employee Bot

Executive Assistant

Healthcare Agent

Next Steps