Hermes 284313f908
Initial import of AlgaPSA codebase from PSA server
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00

# Mobile App Privacy Review Checklist + PII Inventory
Scope: `docs/plans/2026-02-03-alga-psa-mobile-app` (Ticketing MVP + SSO), always-connected React Native app in `ee/mobile/`.
Last updated: 2026-02-03
## Goals
- Enumerate what data the mobile app stores, transmits, and potentially exposes.
- Provide a checklist to run before any external beta/GA.
- Serve as an inventory for future DPIA/PIA and security review.
## Definitions
- **Secret**: access token, refresh token, OTT (one-time token), auth `state`, device identifiers used for session binding.
- **PII**: user identity, customer contact names/emails/phones, ticket subjects and comment bodies.
- **Sensitive business data**: ticket contents (subjects, descriptions, internal notes), client names, SLA/due dates.
## Data Stored On Device (Local)
### Secure storage (`expo-secure-store`)
- Mobile session (`accessToken`, `refreshToken` or equivalent), tenant id, user identity snapshot used by UI.
- Pending auth state (`state`) and one-time-token (`ott`) during login handoff.
- Per-user ticket list filters (`alga.mobile.tickets.filters.{userId}`).
- Per-ticket comment drafts (keyed by ticket id).
- Settings toggles: biometric gate enabled, hide-sensitive-notifications enabled.
- Stable device id (used only as an audit/telemetry identifier).
### In-memory only
- Ticket list results, ticket detail cache (TTL) and comments list cache (TTL).
- Transient errors, network state.
## Data Transmitted Off Device (Network)
### Authentication
- System browser opens `GET {BASE_URL}/auth/signin` (Microsoft/Google SSO handled on the server).
- Deep link callback to app includes `state` + `ott` in URL query (must be treated as secrets).
- App exchanges OTT for mobile credential via `POST /api/v1/mobile/auth/exchange` (server-side).
- Refresh/revoke via `POST /api/v1/mobile/auth/refresh` and `POST /api/v1/mobile/auth/revoke`.
### Ticketing APIs (read)
- `GET /api/v1/tickets` (list/search/filter) includes ticket metadata; mobile requests a slim field set.
- `GET /api/v1/tickets/stats` aggregate counts only.
- `GET /api/v1/tickets/:id` includes ticket fields and attributes.
- `GET /api/v1/tickets/:id/comments` includes comment text, visibility, author display name, timestamps.
- `GET /api/v1/tickets/statuses` / `GET /api/v1/tickets/priorities` reference data.
### Ticketing APIs (write)
- `POST /api/v1/tickets/:id/comments` transmits comment body and visibility (`is_internal`).
- `PUT /api/v1/tickets/:id/status` transmits the new status id.
- `PUT /api/v1/tickets/:id/assignment` transmits `assigned_to` (nullable).
- `PUT /api/v1/tickets/:id` partial updates used for priority, due date, watchers.
- `POST /api/v1/time-entries` duration/notes and ticket association.
### Headers and metadata
- `x-api-key` carries the mobile session access token (treat as secret).
- `x-tenant-id` identifies tenant context.
- Mobile audit headers include platform/app version/build and a stable device id.
## Logging / Error Reporting
- Logger redacts known secret keys (tokens, `ott`, `state`) before printing.
- Crash reporting scaffold exists; provider TBD; must avoid sending request/response bodies by default.
## UI/UX Exposure Risks
- Ticket subjects and comment bodies may be visible on-screen; ensure:
  - no screenshots are included in crash reports by default
  - any future push notifications obey “Hide sensitive notifications”
- Clipboard actions copy ticket id/number only (avoid copying ticket subject/body by default).
## Privacy Review Checklist (Pre-release)
### Authentication & secrets
- [ ] Tokens stored only in secure storage (Keychain/Keystore); never logged.
- [ ] Deep link handler rejects unexpected schemes/paths; `ott` + `state` not stored in plain storage.
- [ ] Logout revokes server-side refresh token/session and clears local secret material.
- [ ] Refresh token rotation verified (server-side) and failures handled safely.
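The deep-link handoff described under Authentication and the first three items above, as an added TypeScript example that is not code from the `ee/mobile/` app. The app scheme `algapsa` and the `auth/callback` host/path, the storage key names, and the synchronous in-memory `SecureStore` stand-in for `expo-secure-store` are assumptions made so the example runs offline; the OTT exchange and revoke calls are injected functions standing in for `POST /api/v1/mobile/auth/exchange` and `POST /api/v1/mobile/auth/revoke`.

```typescript
// Added example (not the project's own code): validating the SSO deep-link
// callback, consuming state/ott once, and clearing secret material on logout.
// Assumed, not from the checklist: scheme "algapsa", host/path "auth/callback",
// the key names below, and the synchronous in-memory SecureStore stand-in.

export interface SecureStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  deleteItem(key: string): void;
}

export class MemorySecureStore implements SecureStore {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  deleteItem(key: string): void { this.items.delete(key); }
  keys(): string[] { return [...this.items.keys()]; }
}

// Assumed key names for the secret material that logout must clear.
export const KEY_ACCESS_TOKEN = 'alga.mobile.session.accessToken';
export const KEY_REFRESH_TOKEN = 'alga.mobile.session.refreshToken';
export const KEY_PENDING_STATE = 'alga.mobile.auth.pendingState';
export const SECRET_KEYS = [KEY_ACCESS_TOKEN, KEY_REFRESH_TOKEN, KEY_PENDING_STATE];

// Assumed callback shape: algapsa://auth/callback?state=...&ott=...
const EXPECTED_SCHEME = 'algapsa:';
const EXPECTED_HOST = 'auth';
const EXPECTED_PATH = '/callback';
// Tokens are opaque but should still be printable and bounded in length.
const TOKEN_SHAPE = /^[A-Za-z0-9._~-]{16,512}$/;

export interface CallbackParams { state: string; ott: string; }

function safeParseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Reject anything that is not exactly the expected scheme/host/path or that
// lacks a well-formed state/ott pair. Returns null instead of throwing so a
// malformed link cannot crash the handler.
export function parseCallbackUrl(raw: string): CallbackParams | null {
  const url = safeParseUrl(raw);
  if (url === null) return null;
  if (url.protocol !== EXPECTED_SCHEME) return null;
  if (url.hostname !== EXPECTED_HOST || url.pathname !== EXPECTED_PATH) return null;
  const state = url.searchParams.get('state');
  const ott = url.searchParams.get('ott');
  if (state === null || ott === null) return null;
  if (!TOKEN_SHAPE.test(state) || !TOKEN_SHAPE.test(ott)) return null;
  return { state, ott };
}

// Constant-time comparison so state matching does not leak timing information.
function timingSafeEqualStr(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

export type Credentials = { accessToken: string; refreshToken: string };

// Validates the URL, consumes the pending state exactly once, exchanges the OTT
// (exchange is injected; the real call is POST /api/v1/mobile/auth/exchange)
// and writes the result to secure storage only. Nothing is written anywhere else.
export function handleAuthCallback(
  raw: string,
  store: SecureStore,
  exchange: (ott: string) => Credentials | null,
): 'ok' | 'rejected' {
  const params = parseCallbackUrl(raw);
  if (params === null) return 'rejected';
  const pending = store.getItem(KEY_PENDING_STATE);
  // One-shot: the pending state is cleared whether or not this callback is
  // accepted, so a replayed link cannot be retried against the same state.
  store.deleteItem(KEY_PENDING_STATE);
  if (pending === null || !timingSafeEqualStr(pending, params.state)) return 'rejected';
  const creds = exchange(params.ott);
  if (creds === null) return 'rejected';
  store.setItem(KEY_ACCESS_TOKEN, creds.accessToken);
  store.setItem(KEY_REFRESH_TOKEN, creds.refreshToken);
  return 'ok';
}

// Logout: revoke server-side (injected; the real call is
// POST /api/v1/mobile/auth/revoke), then clear every secret key. Local secret
// material is cleared even if revoke throws; non-secret settings stay in place.
export function logout(store: SecureStore, revoke: (refreshToken: string) => void): void {
  const refreshToken = store.getItem(KEY_REFRESH_TOKEN);
  try {
    if (refreshToken !== null) revoke(refreshToken);
  } finally {
    for (const key of SECRET_KEYS) store.deleteItem(key);
  }
}
```

The real `expo-secure-store` API is asynchronous; the synchronous stand-in keeps the control flow readable, and the same ordering (validate, consume state, exchange, store) carries over unchanged.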
### Data minimization
- [ ] Ticket list uses slim DTOs/field selection.
- [ ] Ticket detail payload reviewed; remove unused fields where possible.
- [ ] Avoid transmitting full error objects that include payloads.
### Observability
- [ ] Analytics opt-out honored; no PII in event properties.
- [ ] Crash reporting excludes request/response bodies by default.
- [ ] Logging redaction rules cover tokens, `ott`/`state`, and ticket/comment content.
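The redaction rule described under Logging / Error Reporting and the last item above, as an added TypeScript example that is not the project's own logger. The secret keys `accessToken`, `refreshToken`, `ott`, `state` and the `x-api-key` header come from this document; `authorization` and the ticket/comment content key names (`subject`, `description`, `body`, `comment`, `note`) are assumptions, as is the sample context object in the usage.

```typescript
// Added example (not the project's own logger): redacting known secrets and
// ticket/comment content from a log context before it is printed.
// Key names beyond accessToken/refreshToken/ott/state/x-api-key are assumptions.

const REDACTED = '[REDACTED]';
const MAX_DEPTH = 8; // guard against pathological nesting

// Keys are compared after lower-casing and dropping "_" and "-", so
// accessToken, access_token and Access-Token all match the same entry.
const SECRET_KEYS = new Set(['accesstoken', 'refreshtoken', 'ott', 'state', 'xapikey', 'authorization']);
const CONTENT_KEYS = new Set(['subject', 'description', 'body', 'comment', 'commenttext', 'note', 'internalnote']);

export type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function normalizeKey(key: string): string {
  return key.toLowerCase().replace(/[_-]/g, '');
}

// Secrets also hide inside strings: the deep-link callback URL carries state
// and ott as query parameters, and request dumps may carry the header value.
export function redactString(value: string): string {
  return value
    .replace(/([?&](?:ott|state)=)[^&#\s]*/gi, `$1${REDACTED}`)
    .replace(/(x-api-key\s*[:=]\s*)[^\s,;]+/gi, `$1${REDACTED}`);
}

// Walks any value and returns a JSON-safe copy with secret and content keys
// replaced. Handles arrays, Error objects, cycles and excessive depth.
export function redact(value: unknown, depth = 0, seen = new WeakSet<object>()): Json {
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  if (typeof value === 'string') return redactString(value);
  if (typeof value === 'number' || typeof value === 'boolean') return value;
  if (value === null || value === undefined) return null;
  if (value instanceof Error) {
    // Error fields are non-enumerable, so copy them explicitly; the message may embed a URL.
    return { name: value.name, message: redactString(value.message) };
  }
  if (Array.isArray(value)) return value.map((item) => redact(item, depth + 1, seen));
  if (typeof value === 'object' && value !== null) {
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const out: { [key: string]: Json } = {};
    for (const [key, item] of Object.entries(value as Record<string, unknown>)) {
      const norm = normalizeKey(key);
      out[key] = SECRET_KEYS.has(norm) || CONTENT_KEYS.has(norm) ? REDACTED : redact(item, depth + 1, seen);
    }
    return out;
  }
  return String(value); // bigint, symbol, function: keep a harmless description
}

// The single JSON line a logger would emit; only redacted data reaches it.
export function formatLogLine(level: 'debug' | 'info' | 'warn' | 'error', message: string, context: unknown): string {
  return JSON.stringify({ level, message: redactString(message), context: redact(context) });
}

// Constructed sample context (not a real capture) showing what gets masked.
const sampleLine = formatLogLine('error', 'exchange failed', {
  headers: { 'x-api-key': 'secret-token', 'x-tenant-id': 'tenant-1' },
  callbackUrl: 'algapsa://auth/callback?state=S123&ott=O456',
  ticket: { id: 't1', subject: 'Server down' },
});
console.log(sampleLine);
```

Redacting by key name catches structured context; redacting inside strings catches the callback URL and header dumps that end up in error messages. The visibility flag `is_internal` is deliberately not a content key, since it is needed for debugging and carries no ticket text.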
### UX controls
- [ ] “Hide sensitive notifications” setting documented and defaults validated.
- [ ] Biometric gate does not block logout/session expiry flows.
### Compliance/Docs
- [ ] Privacy policy / terms reachable from Settings.
- [ ] Data retention and deletion behavior documented (server-side).