Tool 07 / Live

Data Sensitivity Classifier. Know what you can ship to a model.

Pick the data types your AI workflow will touch and the jurisdictions you operate in. We’ll surface a risk tier, the compliance frameworks that apply, the deployment patterns that are actually safe, and the protective practices we recommend wiring in from day one.

No signup · runs entirely client-side · updated 2026-05-06


Sources & Methodology

Risk tiers. Standard 4-tier model (Public, Internal, Confidential, Restricted). The classifier returns the highest tier triggered by any selected data type, then applies jurisdiction overlays on top. Overlays add obligations but never lower the tier: selecting EU citizen data triggers GDPR obligations regardless of where the data is stored or which jurisdictions you picked.

Framework triggers. Each data type carries a static set of likely frameworks, and each jurisdiction carries its own; the result is the union. Selecting PHI lights up HIPAA; payment card data lights PCI DSS v4.0; EU citizen data or the EU/EEA jurisdiction lights GDPR; the California or US-Global jurisdiction lights CCPA; financial reporting data lights SOX; children’s data lights COPPA; education records light FERPA. SOC 2 and ISO 27001 light up whenever the resulting tier is Confidential or Restricted, as the standard buyer-side audit baseline.

Deployment patterns. Green/yellow/red ratings reflect what the upstream vendors themselves contract for, not what their marketing pages imply. Anthropic’s public API and OpenAI’s public API are not covered by a HIPAA BAA by default; Claude on Amazon Bedrock and OpenAI models on Azure are, because the BAA comes from the cloud provider rather than the model vendor. Check that the specific model, region and feature you use is inside the scope of that BAA before sending PHI. Self-hosted open-weight models on customer infrastructure are the only fit for true air-gap requirements (some classified workloads, certain financial services). Orbit defaults to Anthropic on Bedrock for our own client builds; the green/yellow ratings here are vendor-neutral.
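As an added illustration of the rules in the three paragraphs above (this is not the tool’s own code, which runs client-side and is not published on this page): a Python sketch that computes the tier, the framework union, and a green/yellow/red rating per deployment pattern. The framework triggers and the BAA/air-gap facts are the ones the methodology states; the per-type tier table, the snake_case data-type, jurisdiction and pattern names, and the "yellow" rule are assumptions made for the example.

```python
"""Sketch of the published classifier rules (added example, not the tool's code)."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# ASSUMPTION: the page does not publish its per-data-type tier table, so these
# tiers and the snake_case type names are illustrative only.
DATA_TYPE_TIER = {
    "marketing_copy": Tier.PUBLIC,
    "internal_docs": Tier.INTERNAL,
    "eu_citizen_data": Tier.CONFIDENTIAL,
    "education_records": Tier.CONFIDENTIAL,
    "financial_reporting": Tier.CONFIDENTIAL,
    "childrens_data": Tier.RESTRICTED,
    "phi": Tier.RESTRICTED,
    "payment_card": Tier.RESTRICTED,
}

# Static framework triggers, as the methodology lists them.
DATA_TYPE_FRAMEWORKS = {
    "phi": {"HIPAA"},
    "payment_card": {"PCI DSS v4.0"},
    "eu_citizen_data": {"GDPR"},
    "financial_reporting": {"SOX"},
    "childrens_data": {"COPPA"},
    "education_records": {"FERPA"},
}
JURISDICTION_FRAMEWORKS = {
    "EU/EEA": {"GDPR"},
    "California": {"CCPA"},
    "US-Global": {"CCPA"},
}
AUDIT_BASELINE = frozenset({"SOC 2", "ISO 27001"})  # Confidential or Restricted


def classify(data_types, jurisdictions):
    """Return (highest tier, union of triggered frameworks). Fails closed on unknown input."""
    if not data_types:
        raise ValueError("select at least one data type")
    unknown = set(data_types) - DATA_TYPE_TIER.keys()
    if unknown:
        # An unrecognised type must never silently default to Public.
        raise ValueError(f"unknown data type(s): {sorted(unknown)}")
    unknown_j = set(jurisdictions) - JURISDICTION_FRAMEWORKS.keys()
    if unknown_j:
        raise ValueError(f"unmodelled jurisdiction(s): {sorted(unknown_j)}")
    tier = max(DATA_TYPE_TIER[d] for d in data_types)
    frameworks = set()
    for d in data_types:
        frameworks |= DATA_TYPE_FRAMEWORKS.get(d, set())
    for j in jurisdictions:
        frameworks |= JURISDICTION_FRAMEWORKS[j]
    if tier >= Tier.CONFIDENTIAL:
        frameworks |= AUDIT_BASELINE
    return tier, frozenset(frameworks)


@dataclass(frozen=True)
class Pattern:
    name: str
    hipaa_covered: bool  # a BAA is in place (vendor or cloud provider), or no third party at all
    air_gap: bool        # can run with zero vendor egress


# Illustrative catalogue (hypothetical names); coverage facts follow the methodology text.
PATTERNS = {p.name: p for p in (
    Pattern("anthropic_public_api", hipaa_covered=False, air_gap=False),
    Pattern("openai_public_api", hipaa_covered=False, air_gap=False),
    Pattern("anthropic_on_bedrock", hipaa_covered=True, air_gap=False),
    Pattern("openai_on_azure", hipaa_covered=True, air_gap=False),
    Pattern("self_hosted_open_weight", hipaa_covered=True, air_gap=True),
)}


def rate_pattern(tier, frameworks, pattern, air_gap_required=False):
    """Green/yellow/red for one deployment pattern against a classification."""
    if air_gap_required and not pattern.air_gap:
        return "red"     # only self-hosted satisfies a true air-gap requirement
    if "HIPAA" in frameworks and not pattern.hipaa_covered:
        return "red"     # PHI to an endpoint without a BAA
    if tier == Tier.RESTRICTED and not pattern.air_gap:
        return "yellow"  # ASSUMPTION: Restricted data on shared vendor infra needs contract review
    return "green"


def safe_patterns(data_types, jurisdictions, air_gap_required=False):
    """Rate every catalogued pattern for the given workflow."""
    tier, fw = classify(data_types, jurisdictions)
    return {n: rate_pattern(tier, fw, p, air_gap_required) for n, p in PATTERNS.items()}


if __name__ == "__main__":
    print(safe_patterns({"phi", "internal_docs"}, {"California"}))
```

The two fail-closed checks in classify are the part worth copying: a classifier that maps an unknown data type or jurisdiction to "no obligations" is the easy way to end up shipping Restricted data to a public endpoint with a green light.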

Protective practices. Drawn from the OWASP Top 10 for LLM Applications, NIST SP 800-53 Rev. 5, ISO/IEC 27001:2022 Annex A controls, and Orbit’s shipped patterns. Tool links go to the vendor or open-source project homepage where applicable.

What it doesn’t model. Sector-specific rules (FedRAMP, FINRA, GLBA in finance, state privacy laws beyond California). Cross-border transfer mechanics such as Standard Contractual Clauses. Cyber-insurance requirements and data-breach notification timelines. Use this as a starting filter, not a final answer.

Mappings last reviewed 2026-05-06.
