Skip to content
Corngate

Documentation centre

Data classification

What is public, permissioned and private — and why exact coordinates never publish by default.

Rendered from docs/DATA_CLASSIFICATION.md in the repository — the file is the source of truth. All documents

Three classes. Every field in the schema belongs to exactly one; when in doubt, a field is private until classified otherwise.

Public (world-readable, cache-friendly)

  • Registry reference, asset type, name, summary, verification status
  • Region / district / locality (administrative location)
  • Generalised geometry only: centroid ~1 km, tree points ~100 m, simplified parcel boundaries
  • Species, planting year, health class, measurement summaries
  • Claim roles + public-safe party display names + claim statuses (e.g. "Krapa Stool — customary interest holder — document verified")
  • Evidence index entries marked public/permissioned: title, kind, capture date, sha256 hash — not the file
  • Inspection summaries, version history, dispute existence + reference + status
  • Certificate state incl. simulated flag; for real issuance: contract, token id, tx hash, metadata CID
  • Sponsorship dedication + sponsor name only with recorded consent (show_publicly)

Permissioned (institutions/staff, granted + time-boxed + logged)

  • Evidence files themselves (survey plans, leases, attestations, agreements) via short-lived signed URLs from private storage
  • Precise parcel boundaries and tree points
  • Full inspection data payloads (structured measurements)
  • Farm data room: buyers, insurance detail, production records, risk notes
  • Dispute case detail beyond the public summary

Private (Corngate staff need-to-know; never in client bundles)

  • Party legal names, contact details, identity documents
  • Claimant declarations and consents (content)
  • User accounts, role grants, audit log
  • Payment records; sponsor identity when show_publicly = false
  • All secrets/keys (see docs/KEY_MANAGEMENT section in THREAT_MODEL.md)

Enforcement

  1. Schema: precise geometry and private fields live in tables with no anonymous RLS policy; the public site reads the registry_public view / public policies only.
  2. Storage: evidence bucket is private (migration 0005); registrants can write only inside their own pending/{uid}/ prefix, register_asset refuses paths outside the caller's prefix, and reviewer access is a short-lived signed URL issued server-side after a role check (verifier review today; data_room_grants for institutional access). Files carry a sha256 recorded at upload.
  3. Chain/IPFS: only Public-class fields may appear in token metadata. Blockchain data cannot be deleted — therefore metadata is reviewed against this document before any pin/mint, and precise coordinates are never pinned.
  4. Fixtures: the seeded demo data in src/lib/data/fixtures/ contains only Public-class equivalents (already generalised, display names only, simulated certificates).