diff --git a/technical_docs/data-classification-table.md b/technical_docs/data-classification-table.md new file mode 100644 index 0000000..f117835 --- /dev/null +++ b/technical_docs/data-classification-table.md 
@@ -0,0 +1,47 @@ +| **File /   Folder** | **Data Field** | **Data Group** | **Classification   Level** | **Justification** | **Recommended   Security Action** | +||:-----------------------------------:|:------------------------------:|:--------------------------:|:--------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------:| +| **database/supabaseClient.js** | **SUPABASE_URL, SUPABASE_ANON_KEY** | Configuration Data | **Sensitive** | **Contains Supabase credentials for database access.** | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| database/ingredient-allergy-trigger.sql | user_id, allergy_id, ingredient_id | Health Data | **Sensitive** | **Links user health data and allergy information.** | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| database/recipe-allergy-trigger.sql | user_id, recipe_id, allergy | Health Data | **Sensitive** | **Contains medical-related triggers for user recipes.** | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| database/recipe-dislike-trigger.sql | user_id, disliked_ingredients | Personalization Data | Confidential | Handles user preferences for disliked items. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. 
| +| **services/authService.js** | **email, password, token, MFA** | Authentication Data | **Sensitive** | **Processes login and MFA credentials; critical for   authentication security.** | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| services/errorLogService.js | error_message, user_id | System Log Data | Internal | Logs backend errors, may include identifiers. | Limit access to internal teams only; monitor for unauthorized access;   ensure secure API gateway configuration. | +| logs/apiLogs.log | api_log_entries | System Logs | Internal | Contains traces of user API interactions for debugging. | Limit access to internal teams only; monitor for unauthorized access;   ensure secure API gateway configuration. | +| logs/systemLogs.log | system_log_entries | System Logs | Internal | Stores system-level activities; limited access. | Limit access to internal teams only; monitor for unauthorized access;   ensure secure API gateway configuration. | +| **controllers/authController.js** | **email, password, token** | Authentication Data | **Sensitive** | **Handles user login process with sensitive credentials.** | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| **controllers/signupController.js** | **name, email, password** | Personal Data | **Sensitive** | **Handles user registration and credential storage.** | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| controllers/loginController.js | email, password | Authentication Data | **Sensitive** | Validates user login, high confidentiality required. 
| Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| controllers/userProfileController.js | user_id, profile_info | Personal Data | Confidential | Manages user profile data and updates. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| **controllers/mealplanController.js** | **mealPlan, date, preferences** | Health Data | **Sensitive** | Stores personal meal and dietary data. | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| controllers/recipeController.js | recipe, ingredients | Health Data | Confidential | Processes recipe details linked to users. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| controllers/uploadController.js | uploaded_file, user_id | Personal Data | Confidential | Handles user-uploaded content, potentially identifiable. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| controllers/contactusController.js | email, message | Communication Data | Confidential | Stores messages from contact forms. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| controllers/feedbackController.js | feedback_message, user_id | Communication Data | Confidential | Contains feedback records tied to user IDs. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| **models/addUser.js** | **email, password, name** | Personal + Authentication | **Sensitive** | Handles user registration data. 
| Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| models/getUser.js | user_id, name, email | Personal Data | Confidential | Retrieves user data with identifiable fields. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| **models/getUserCredentials.js** | **email, password_hash** | Authentication Data | **Sensitive** | Stores encrypted password hashes for authentication. | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| **models/addMfaToken.js** | **user_id, mfa_token** | Authentication / Security | **Sensitive** | Handles MFA token logic for user verification. | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| **models/mealPlan.js** | **mealPlan, user_id, date** | Health Data | **Sensitive** | Stores personalized meal plans. | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| **models/healthPlanModel.js** | **health_metrics, BMI, diet_info** | Health Data | **Sensitive** | Contains detailed health information. | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. | +| **models/healthSurveyModel.js** | **survey_answers, user_id** | Health Data | **Sensitive** | Holds health survey responses linked to users. | Encrypt data at rest and in transit; implement RLS; restrict access to   authorized roles; use token-based authentication and strong password hashing. 
| +| models/getRecipeIngredients.js | recipe_id, ingredients | Health / Dietary Data | Confidential | Processes recipe ingredients linked to user preferences. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| models/addAppointment.js | appointment_time, user_id | Personal Data | Confidential | Manages appointment and user schedules. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| models/chatbotHistory.js | message, timestamp, user_id | Communication Data | Confidential | Stores user chatbot messages for support purposes. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| **validators/loginValidator.js** | **email, password, token** | Authentication Data | **Sensitive** | Validates login credentials and MFA tokens. | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| **validators/signupValidator.js** | **name, email, password** | Personal + Authentication | **Sensitive** | Validates sign-up inputs containing personal info. | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| validators/mealplanValidator.js | mealPlan, recipe, ingredients | Health / Personalization Data | Confidential | Validates meal and health-related inputs. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| validators/userPreferencesValidator.js | preferences, restrictions | Personalization Data | Confidential | Validates user dietary preferences. 
| Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| validators/feedbackValidator.js | message, email | Communication Data | Confidential | Validates contact form messages. | Restrict access based on roles; log and monitor access; avoid storing in   plaintext; sanitize output before displaying or logging. | +| **validators/smsValidator.js** | **phone, otp_code** | Authentication / Communication | **Sensitive** | Validates OTPs and SMS codes for MFA. | Encrypt data at rest and in transit; implement RLS; restrict   access to authorized roles; use token-based authentication and strong   password hashing. | +| | | | | | | +| | | | | | | +| **Classification summary:** | | | | | | +| | | | | | | +| The   NutriHelp data classification process identified and categorized all critical   backend data assets based on sensitivity, confidentiality, and potential   impact of exposure. Sensitive data, such as authentication credentials, MFA   tokens, health records, and Supabase configuration keys were classified as   Sensitive, requiring strong encryption, access restriction, and secure   transmission. Files containing user profile information, feedback, uploads,   and personalization data were labelled Confidential, with role-based access   and sanitization controls recommended. System logs and internal configuration   files were deemed Internal, to be monitored and access-limited to authorized   personnel only. No public data assets were identified. | | | | | | +| Overall, the   classification ensures that NutriHelp’s data is protected according to its   sensitivity level, forming the foundation for subsequent security   enhancements like encryption enforcement, RLS policies, and access auditing. | | | | | | +| | | | | | | +| **Signature:** | | | | | | +| | | | | | | +| **Himanshi Shrivastava** | | | | | | +| Junior SOC   analyst, Cybersecurity Team and NutriHelp – Co-Team lead. 
| | | | | | +| | | | | | | \ No newline at end of file
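Review bot: the "Recommended Security Action" column is filled in per classification level rather than per asset, so several rows prescribe controls that do not fit the data they describe. The `database/supabaseClient.js` row (SUPABASE_URL, SUPABASE_ANON_KEY) says "use token-based authentication and strong password hashing", which means nothing for a URL and an API key; the action for a config file holding keys should be secrets handling (keep the values in environment variables or a secrets store rather than committed source, rotate on exposure), and if the anon key is the publishable key its name suggests, it is sent to clients anyway, so the RLS policies already listed are the control that protects the data, not secrecy of the key. Likewise `models/getUserCredentials.js` justifies itself with "Stores encrypted password hashes", which conflates hashing with encryption; say salted password hashes (bcrypt/argon2) and only keep "encrypt at rest" if the hash column is in fact encrypted. The summary row then contradicts the table: it states "System logs and internal configuration files were deemed Internal", but the only configuration file listed, supabaseClient.js, is classified Sensitive. The log rows (`logs/apiLogs.log`, `logs/systemLogs.log`, `services/errorLogService.js`) are Internal while the table itself notes they "may include identifiers"; either record that tokens, passwords and health fields are never written to these logs and add "sanitize before logging" to those rows (the Confidential rows already carry it), or classify each log at the level of the most sensitive field it can contain. Finally, the delimiter row starts with a double pipe (`||:-----`), giving it seven cells against a six-cell header, so GitHub-flavoured Markdown will not render this as a table; drop the extra `|`. The file is also missing its trailing newline.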