PII Handling in SaaS for Technical Founders
Personal data is the raw material that makes most SaaS products work — and the liability that keeps founders up at night. GDPR fines have exceeded €4 billion since 2018. CCPA litigation continues to expand in scope. For technical founders, the instinct is to outsource compliance thinking to a lawyer and keep building. That instinct is wrong. The decisions that determine your PII risk profile are architectural decisions made in the first six months of product development — schema design, data flow choices, encryption patterns, deletion logic. By the time a lawyer reviews your privacy posture, the cost of fixing it is already baked in.
This guide gives technical founders the framework to make those decisions correctly from the start.
🗂 PII Classification: What Counts as Personal Data
The legal definition under GDPR is broad: any information relating to an identified or identifiable natural person. In practice, technical founders should operate with three tiers of sensitivity.
Tier 1 — Direct Identifiers
These fields identify a person unambiguously and carry the highest regulatory weight:
- → Full name
- → Email address
- → Phone number
- → Government ID numbers (SSN, passport, driver's license)
- → Biometric data
- → Precise geolocation
Tier 2 — Quasi-Identifiers
These fields can identify a person when combined with other data:
- → IP address (considered personal data under GDPR)
- → Device identifiers and browser fingerprints
- → Job title combined with company name
- → Date of birth
- → General location (city, zip code)
Tier 3 — Sensitive Categories
GDPR Article 9 imposes stricter rules on specific categories regardless of identifiability:
- → Health and medical information
- → Racial or ethnic origin
- → Political opinions
- → Sexual orientation
- → Trade union membership
- → Financial account data (overlaps with PCI DSS)
Tag your database columns and data model fields with their tier. This classification drives every downstream decision: what to encrypt, what to log, what to delete, and what to redact in logs.
🗺 PII Data Flow Mapping
Before you can protect PII, you need to know where it lives. Data flow mapping is the exercise of tracing personal data from collection through every system it touches to final deletion. For technical founders, this is a code audit as much as a process exercise.
Where to Look
- → Signup and authentication flows (email, name, phone)
- → Third-party analytics SDKs embedded in your frontend (many send IP and device data automatically)
- → Error monitoring tools — Sentry and similar tools can capture PII in stack traces and request payloads
- → Log aggregation systems — application logs frequently contain email addresses, IDs, and IP addresses
- → Transactional email providers — user emails are stored in Mailgun/SendGrid/Postmark
- → CRM and customer success tools fed by your product events
- → Database backups — PII that is deleted from the primary database persists in backups unless you have a backup redaction process
Building the Data Map
Document each PII field with: the data source, where it is stored (table/column/service), what processes can access it, any third parties it is shared with, and the retention period. This document is both a compliance artifact (GDPR requires Records of Processing Activities) and an engineering reference.
🔐 Storage and Encryption Practices
Encryption for PII operates at two levels: encryption at rest and encryption in transit. Both are table stakes. The more interesting design decisions involve field-level encryption and tokenization.
Encryption at Rest
Enable storage-level encryption for your database (all major cloud databases provide this). This protects against physical media theft but does not protect against a compromised database connection or application-layer breach. Storage encryption is necessary but not sufficient for PII protection.
Field-Level Encryption
For Tier 1 and Tier 3 PII fields, implement application-level field encryption using envelope encryption: each row's sensitive fields are encrypted with a data encryption key (DEK), and the DEK is encrypted with a key encryption key (KEK) stored in a key management service (AWS KMS, GCP Cloud KMS, HashiCorp Vault).
-- Conceptual schema
CREATE TABLE users (
id UUID PRIMARY KEY,
email_encrypted BYTEA, -- AES-256-GCM encrypted
email_hash TEXT, -- HMAC for lookups
name_encrypted BYTEA,
created_at TIMESTAMPTZ
);Store an HMAC of the email alongside the encrypted value so you can perform equality lookups without decrypting. Never query by decrypting at the database layer — decrypt at the application layer after retrieval.
Tokenization
For fields that need to be referenced across systems (user IDs passed to third-party tools), use tokenization: replace the real PII with an opaque token, and store the token-to-PII mapping in a dedicated vault. The third-party system receives only the token; your vault holds the real data. This is more operationally complex but provides strong isolation — a breach of the third-party system exposes tokens, not real PII.
🔒 Access Controls for PII Fields
Most SaaS applications grant the application database user SELECT access to all tables. This means every part of the application — the billing module, the reporting module, the admin panel — can read PII even when it has no business reason to do so. Applying least-privilege access to PII fields requires deliberate architecture.
Database Role Segregation
Create separate database roles with column-level SELECT grants. The reporting role does not have access to email_encrypted or name_encrypted. The analytics role has access to anonymized aggregate views, not the underlying PII columns.
Application-Layer Access Control
In your application code, enforce PII access through a centralized accessor pattern rather than allowing direct model access throughout the codebase. Every PII field read goes through a function that: checks whether the requesting context (user role, request type) is authorized, logs the access if the field is Tier 1 or Tier 3, and decrypts if using field-level encryption.
Audit Logging for PII Access
Log every access to Tier 1 and Tier 3 PII fields: who accessed it, what they accessed, and why (the request context). This is a HIPAA requirement for covered entities, a practical security control for all SaaS, and an incident response tool when a data exposure is reported. See Audit Logging System Design for implementation details.
🗑 Deletion and Erasure Patterns
GDPR Article 17 grants users the right to erasure. CCPA grants the right to deletion. Technically compliant deletion is harder than it looks — data is replicated, cached, logged, and backed up in ways that make a simple DELETE FROM users WHERE id = ? insufficient.
Soft Delete vs. Hard Delete
Many SaaS applications use soft delete (setting a deleted_at timestamp) for operational reasons. Soft delete does not satisfy erasure rights — the data still exists. Implement a two-phase process: soft delete for operational purposes (30-day recovery window), followed by hard deletion or anonymization after the window expires.
Anonymization as an Alternative to Deletion
For data that must be retained for business or legal reasons (financial records, audit trails), anonymization satisfies erasure rights. Replace identifying fields with anonymous placeholders: email becomes a hash, name becomes deleted_user, and the record retains its relational integrity without containing personal data. Ensure the hash is not reversible (use a one-way HMAC with a rotation key, not a plain hash of the email).
The Deletion Checklist
A complete erasure operation must address every location where the PII exists:
- → Primary database rows (hard delete or anonymize)
- → Search indexes (Elasticsearch, Algolia) — delete indexed documents
- → Cache layers (Redis) — flush cached user data
- → Object storage (S3/GCS) — delete user-associated files and uploads
- → Third-party systems — trigger deletion via API (email provider, CRM, analytics)
- → Database backups — document that backups may contain pre-deletion data for up to your backup retention period; GDPR accepts this with proper documentation
- → Application logs — either purge logs containing the user's PII or document log retention as a separate lawful basis
Right to Erasure Request Handling
Build the erasure workflow before you need it. The GDPR response window is 30 days. Build an internal admin tool that initiates the erasure process, logs each deletion step, and records the completion timestamp. You want this to be a one-click operation for your support team, not a manual database operation.
⚖️ GDPR and CCPA Basics for Technical Founders
A complete GDPR or CCPA analysis is outside the scope of a technical article. What technical founders need to know are the architectural implications of the key requirements.
| Requirement | GDPR | CCPA | Technical Implication |
|---|---|---|---|
| Erasure right | Article 17 — 30 days | Section 1798.105 — 45 days | Deletion pipeline across all data stores |
| Data portability | Article 20 — machine-readable format | Section 1798.100 — structured data export | Data export API in JSON/CSV |
| Breach notification | 72 hours to supervisory authority | Not specified — 30-day cure period | Incident detection and alerting pipeline |
| Processing records | Article 30 — required for most controllers | Not directly required | Data flow map documentation |
| Data minimization | Article 5(1)(c) — collect only what you need | Implied by deletion rights | Schema review: remove unnecessary PII fields |