Privacy-preserving by default

Trust, data governance, and audit

CivicSyn is public/cooperative coordination infrastructure for essential goods and services. Local nodes coordinate demand, capacity, inventory, delivery, funding, and governance. The system recommends; people decide; every decision leaves evidence.


Food security first

The first domain connects kitchens, food banks, delivery partners, agencies, co-ops, and public reviewers around transparent allocation decisions.

  • D1: current operational truth
  • R2: raw evidence and public exports
  • Queues: ingestion, recommendations, audit
  • Durable Objects: locks, incidents, workflows

Public classes

1

Data classes safe to publish directly.

Aggregate-only classes

1

Partner data published only as summaries or totals.

Restricted/private classes

3

Operational, personal, or incident records requiring protected access.

Data classification policy

  • Public data public_data · public · retention policy-defined

    Safe to publish directly, including open dashboard totals, public proposal metadata, public export catalog rows, and allocation explanations.

  • Partner-confidential data partner_confidential · aggregated_only · retention 1095

    Raw partner submissions, facility details, operational notes, and source uploads are restricted to authorized partner/admin roles and public only in aggregate.

  • Operational-sensitive data operational_sensitive · restricted · retention 1095

    Allocation workflow internals, provider capacity risk, DLQ records, and admin decision evidence are limited to authorized operational roles.

  • Restricted incident data restricted_incident_data · restricted · retention 1825

    Incident-room details, participant records, and emergency response notes are restricted; public APIs expose only approved summaries.

  • Personal data personal_data · private · retention 730

    Names, emails, exact addresses, and other personal identifiers must be suppressed, hashed, or summarized before public export.

Public/private boundary

CivicSyn publishes public data directly, aggregates partner-confidential data, and suppresses personal/restricted incident details from public payloads.

The system is intentionally evidence-heavy, but public pages receive only public-safe fields and links served through API handlers.

Data-governance JSON

R2 lifecycle intent

  • Tenant storage prefix · operational_sensitive · retention 1825 days · access signed_url_only
  • Dead-letter queue payloads · operational_sensitive · retention 1095 days · access private
  • Decision and review evidence · operational_sensitive · retention 1825 days · access signed_url_only
  • Published public exports · public_data · retention policy-defined · access public
  • Geospatial source data · partner_confidential · retention 1095 days · access signed_url_only
  • Optimization run evidence · operational_sensitive · retention 1095 days · access private
  • Raw partner uploads · partner_confidential · retention 1095 days · access private

Redaction rules

  • incident · public summary · public_safe_summary · restricted_incident_data
  • public_payload · exact address fields · suppress · personal_data
  • public_payload · email fields · suppress · personal_data
  • public_payload · evidence object-key fields · suppress · operational_sensitive
  • public_payload · raw object-key fields · suppress · partner_confidential
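
The redaction rules above applied to a payload, as an added example that is not CivicSyn's own code. The key-name patterns, the `summary_approved` flag, and the sample record are assumptions made for illustration.

```javascript
// Added example. Key patterns and payload shapes are assumptions, not CivicSyn's schema.
const PUBLIC_PAYLOAD_RULES = [
  { match: /address/i, dataClass: "personal_data" },
  { match: /email/i, dataClass: "personal_data" },
  { match: /evidence.*object_?key/i, dataClass: "operational_sensitive" },
  { match: /raw.*object_?key/i, dataClass: "partner_confidential" },
];

// Return a deep copy with every matching field suppressed at any nesting depth.
// `suppressed` collects { path, dataClass } so the caller can write an audit row.
function redactPublicPayload(value, suppressed = [], path = "") {
  if (Array.isArray(value)) {
    return value.map((item, i) => redactPublicPayload(item, suppressed, `${path}[${i}]`));
  }
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    const rule = PUBLIC_PAYLOAD_RULES.find((r) => r.match.test(key));
    if (rule) {
      suppressed.push({ path: here, dataClass: rule.dataClass });
      continue; // suppress: the key is absent from the output, not nulled
    }
    out[key] = redactPublicPayload(child, suppressed, here);
  }
  return out;
}

// Incident rule: expose only the approved summary; all other fields stay private.
function toPublicIncident(incident) {
  if (!incident.summary_approved) return null;
  return { id: incident.id, public_safe_summary: incident.public_safe_summary };
}

// Constructed sample record (not real data).
const sample = {
  allocation_id: "alloc-001",
  explanation: "Capacity matched to demand in zone A",
  contact_email: "person@example.org",
  site: { name: "Kitchen 1", exact_address: "1 Example St", zone: "A" },
  evidence: [{ evidence_object_key: "tenant/x/evidence.json", kind: "review" }],
  raw_object_key: "tenant/x/upload.csv",
};
const audit = [];
const publicView = redactPublicPayload(sample, audit);
console.log(JSON.stringify(publicView), audit.map((a) => a.path));
```

Matching on key names over-suppresses by design: a new field whose name contains `address` or `email` is withheld until someone explicitly decides it is public-safe.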

Audit logs

Admin actions, partner reports, recommendation reviews, allocation approvals, objections, overrides, incidents, evidence reads, and agent approvals create audit rows with correlation IDs.

Human approval

CivicSyn can summarize evidence and draft decision-support explanations, but human operators approve, reject, publish, or override with reasons before operational decisions move forward.