AI智能体数据处理与合规指南

v20260423

lindy-data-handling

本技能提供了一套全面的指南，用于管理AI智能体工作流中的数据。内容涵盖数据分类（包括PII和PHI）、提示词控制、安全记忆使用以及数据隔离技术。帮助用户确保在使用AI代理处理敏感或受监管数据时，能够符合GDPR、HIPAA、CCPA等全球法规要求。

AI 智能体数据处理合规隐私 GDPR HIPAA 安全

获取技能

467 次下载

概览

Lindy Data Handling

Overview

Lindy agents process data through triggers, LLM calls, actions, knowledge bases, and memory. Data flows through Lindy's managed infrastructure with AES-256 encryption at rest and in transit. This skill covers data classification, PII handling, prompt-level data controls, and regulatory compliance.

Prerequisites

Understanding of data types processed by your agents
Knowledge of applicable regulations (GDPR, CCPA, HIPAA)
For HIPAA: Business Associate Agreement (BAA) with Lindy (Enterprise plan)

Lindy Data Architecture

Component	Data Storage	Retention
Tasks	Task inputs, outputs, step data	Visible in dashboard
Memory	Persistent snippets across tasks	Until manually deleted
Context	Per-task accumulated context	Task lifetime only
Knowledge Base	Uploaded files, crawled sites	Until manually removed
Integrations	OAuth tokens, connection data	Until disconnected
Computer Use	Browser session, screenshots	30 days after last use

Instructions

Step 1: Classify Data in Agent Workflows

Map what data each agent processes:

Data Category	Examples	Handling
Public	Product info, FAQs, pricing	No restrictions
Internal	Sales reports, meeting notes	Limit to authorized agents
Confidential	Customer emails, CRM data	Access controls + audit
Restricted	PII, PHI, payment data	Minimize exposure + compliance

Step 2: PII Controls in Agent Prompts

Add data handling instructions directly to agent prompts:

## Data Handling Rules
- Never include full email addresses in summaries — use "[name]@[domain]"
- Redact phone numbers in logs — show only last 4 digits
- Do not forward customer personal information to Slack channels
- When storing to spreadsheet, omit columns: email, phone, address
- If asked to share customer data externally, decline and escalate

Step 3: Knowledge Base Data Safety

Knowledge base files are searchable by the agent. Control what goes in:

DO upload:

Product documentation
FAQ articles
Policy documents
Public knowledge articles

DO NOT upload:

Customer databases with PII
Credentials or API keys
Internal HR documents (unless agent specifically needs them)
Financial records with account numbers

Resync considerations: KB auto-refreshes every 24 hours. If you upload sensitive content by mistake, remove it AND trigger a manual Resync.

Step 4: Secure Memory Usage

Agent memories persist across all future tasks. Be deliberate:

Safe memory: "Customer prefers email communication over phone"
Safe memory: "Billing questions should escalate to finance@company.com"

Risky memory: "John Smith's SSN is 123-45-6789"  ← NEVER store PII in memory
Risky memory: "API key for Stripe: sk_live_xxxx"  ← NEVER store secrets

Add to agent prompt:

## Memory Rules
- Never store personally identifiable information (PII) in memory
- Never store credentials, API keys, or passwords in memory
- Memories should contain preferences, patterns, and procedures only

Step 5: Computer Use Data Isolation

If using Computer Use (browser automation):

Sessions persist for 30 days with saved credentials
Enable Incognito mode for sessions handling sensitive data
Use dedicated (not shared) computer assignments for sensitive agents
Review screenshots captured during execution for data exposure

Step 6: Integration Account Isolation

Authorize dedicated service accounts per agent (not personal accounts)
Use Gmail with a team alias, not an individual inbox
Create read-only database credentials where possible
Revoke access immediately when an agent is decommissioned

Step 7: Regulatory Compliance

GDPR (EU Data Protection):

Document what personal data each agent processes
Ensure agents only process data with valid legal basis
Implement data subject access/deletion capabilities
Agent prompt includes "do not retain personal data beyond task completion"
Review Lindy's data processing agreement

CCPA (California Consumer Privacy):

Identify agents processing California resident data
Ensure opt-out mechanisms exist for data processing
Agent prompt prevents selling/sharing personal information

HIPAA (Healthcare):

Enterprise plan with BAA in place
Agents only access minimum necessary PHI
No PHI in agent memory or knowledge base
Audit trail enabled for all PHI access
Agent prompt includes PHI handling restrictions

Step 8: Data Retention Management

Agent Prompt Addition:
## Data Retention
- Do not reference data from tasks older than 30 days
- Clear task context after each run (do not accumulate indefinitely)
- When updating memory, remove outdated entries
- Summarize customer interactions, do not store verbatim transcripts

Data Handling Checklist

Each agent's data classification documented
PII handling rules in every agent prompt
Knowledge base audited for sensitive content
Memory creation restricted (no PII, no secrets)
Integration accounts isolated per agent
Computer Use sessions set to dedicated + incognito where needed
Regulatory compliance requirements mapped
BAA in place if handling healthcare data
Data retention policy defined and enforced in prompts

Error Handling

Issue	Cause	Solution
PII in Slack channel	Agent forwarded customer email	Add "never forward PII to Slack" to prompt
Sensitive file in KB	Uploaded by mistake	Remove file + trigger KB resync immediately
Memory contains PII	Agent auto-created memory	Delete memory + add "never store PII" to prompt
Audit finding	Agent accessing unnecessary data	Remove unused integrations from agent

Resources

Next Steps

Proceed to lindy-enterprise-rbac for access control.

信息

Category 人工智能

Name lindy-data-handling

版本 v20260423

大小 5.67KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28