Data Processing & Privacy

How OrgDrift handles your data.

OrgDrift is a privacy-aware verification platform. This page explains what we process, why, and the OrgDrift Trust & Data Governance Framework (ODGF) that governs every classification decision the engine makes.

Last updated: May 8, 2026

The short version

  • OrgDrift processes only the operational data needed for cross-system reconciliation.
  • CSV files are parsed in your browser. Source files do not leave your machine.
  • Every column is classified into one of five governance categories before processing.
  • Restricted personal data (SSN, DOB, banking, health) is hard-blocked by default — no UI override.
  • Optional identifiers (names, emails) are excluded by default. You may include them if needed.
  • Employee IDs are operational identifiers. They are SHA-256 hashed before comparison.
  • OrgDrift does not score, profile, or surveil employees.

1. What OrgDrift processes — and why

OrgDrift verifies that organizational changes recorded in one system actually propagated to the systems that depend on it: HRIS, CRM, ICM/SPM, payroll, and benefits administration. To do this, the engine reads CSV exports from those systems and compares the records side-by-side.

The engine processes only the operational data needed for that comparison — employee identifiers, status, role, cost center, country, hire/termination dates, manager linkage, plan assignments, and compensation amounts where the scan calls for it. It does not need names, emails, addresses, or government-issued identifiers to do its work, and it actively excludes them.

2. Browser-side processing

CSV ingestion runs entirely in your browser. The PapaParse library reads the file into memory; the OrgDrift engine compares the records; the output is rendered in the browser. The original file is not transmitted to OrgDrift servers during the scan.

Authenticated app surfaces (app.orgdrift.com) persist scan metadata — findings, exposure totals, hashed identifiers, and Control Execution Records — in your account so you can return to a prior scan. Raw source CSVs are not persisted server-side.

3. The OrgDrift field-classification standard

Every column in every uploaded file is evaluated against the OrgDrift Trust & Data Governance Framework and placed into one of five governance categories. The category determines whether the column may be compared, included as context, or carried into a paid CSV export.

Operational
Examples: employee_id, department, cost_center, country, hire_date, manager_id, payroll status, plan name, territory
Behavior: Allowed for reconciliation, context, and export. Default state.
Compensation-sensitive
Examples: pay_rate, base_salary, commission_amount, quota, bonus, payroll amount
Behavior: Allowed for reconciliation and exposure calculation. Raw values are flagged in the UI; customer chooses whether to include them in exports.
Optional Identifier
Examples: first_name, last_name, full_name, email, manager_name
Behavior: Excluded from scan context by default. Customer may include with a calm warning. Values are stripped to [REDACTED] before any comparison runs.
Restricted
Examples: SSN, national ID, date of birth, home address, personal phone, bank account, routing number, medical, dependent, emergency contact
Behavior: Hard-blocked. Excluded from comparison, context selection, and CSV export. There is no UI override path. If you need one of these fields for a specific reconciliation, edit the CSV before upload.
Derived
Examples: exposure amount, variance, severity, ODI score, OrgDrift Integrity Score
Behavior: Risk telemetry produced by OrgDrift. Safe to display and export.

These classifications are codified in a single rules module, not applied ad-hoc per scan. New canonical fields are reviewed against these categories before they ship.

4. Customer-controlled disclosure

For Optional Identifier and Compensation-sensitive fields, the customer controls inclusion. The Step 3 / Context Columns surface in Drift Studio shows every classification decision the engine made and lets you opt in or out per column.

For Restricted fields, OrgDrift hard-blocks inclusion — there is no UI affordance to add SSN, DOB, banking, or other regulated data into a scan. This is the cleanest legal posture and aligns with the ODGF principle of data minimization first.

5. Employee ID is an operational identifier

Employee ID, payroll ID, and worker ID are operational identifiers, not personal data. They are required to match records across systems and are preserved through paid CSV exports so customers can act on findings.

Inside the engine, employee IDs are SHA-256 hashed before comparison. The original IDs are never stored in finding payloads. The paid-export path re-attaches the operational ID from the source row so the customer can identify records in their own system.

6. Compensation-sensitive fields

Pay rate, base salary, commission amount, quota, and bonus values are compensation-sensitive: they are operational fields that drive the scan, but they are also what auditors and operators care about. OrgDrift uses them for reconciliation and for computing exposure totals — the dollar figure attached to a finding.

Default exports prefer derived figures (variance amount, exposure, severity band) over raw before/after pay values. Customers can opt to include the raw values; the UI labels them clearly as compensation-sensitive when they do.

7. No profiling, no scoring, no surveillance

OrgDrift verifies systems, not people. The engine does not score employees, profile behavior, monitor productivity, or generate surveillance insights. Findings are framed against the system pair (e.g. “HRIS termination not propagated to payroll”), not the individual.

8. AI & automation

Customer-uploaded data is not sold, is not used for advertising, and is not used for generalized AI or model training without explicit customer authorization. AI assistance inside the product (the VERA layer) operates within the customer's session and supports reconciliation and governance workflows. See the AI & Automation Disclosure for detail.

9. Telemetry and logging

Restricted personal data does not appear in OrgDrift logs, analytics, telemetry events, debugging traces, or monitoring systems. Engine source files carry an explicit ODGF do-not-log directive at the top, and source review checks for that rule on every change.

10. GDPR positioning

OrgDrift supports customer GDPR obligations through data minimization, customer-controlled processing, transparency, and privacy-aware operational workflows. OrgDrift does not claim blanket GDPR certification or compliance guarantees without formal legal review.

11. Contact

Questions about this standard, the classifier, or how a specific field is handled? Email ken.lannon@orgdrift.com.

← Back to OrgDrift© 2026 OrgDrift, LLC