Handle regulated data

Query and process Veracity regulated and sensitive data correctly when you use AI-generated code, so that access controls, consent requirements, and regulatory obligations are enforced in your integration.

Veracity hosts data — including maritime emissions reporting, energy trading data, and operational asset data — subject to regulatory frameworks, contractual obligations, and data sharing agreements. An AI agent (a program such as Cursor, GitHub Copilot, or Claude Code that uses an LLM to read your code, run commands, and call APIs) generates integration code from training data. That training data does not include Veracity's access control model or the regulatory rules that govern how this data may be used. AI-generated queries that look structurally correct can silently omit the access checks that make them legally compliant.

Before you start

You need:

  • A Veracity developer account with access to the relevant data product
  • Confirmed data access rights for the assets, sites, or organisations whose data you are querying
  • The Veracity Development MCP Server configured in your agent, so it can retrieve current API documentation

Review data access rights before generating code

  1. Identify the data product and dataset you need before you prompt your agent. Veracity grants data access per dataset and per organisation. Confirm you have access to the specific assets, sites, or company records you intend to query.

  2. Do not ask your agent to generate code that assumes access. Phrase your prompt as: "Generate a query for [dataset name] where my service account has confirmed read access, scoped to the assets or organisations I am authorised to access." If you do not constrain the scope, the agent may generate code that queries all records and relies on the API to reject unauthorised calls, which shifts the access check to runtime rather than design time.

  3. Ask your agent to retrieve the current API specification before writing query code. Using the Veracity Development MCP Server, your agent can look up the exact endpoint, required parameters, and access scope for the dataset you need. Instruct the agent: "Check the Veracity documentation for the correct endpoint and access requirements before writing this query."

Handle regulated data in code

  1. Do not cache regulated or sensitive data in application memory or local storage beyond what is needed for the immediate operation. AI-generated code often includes local caching as a performance optimisation. Review every caching pattern the agent produces and remove or constrain any cache that stores regulated or sensitive values.

  2. Confirm that AI-generated filtering code operates on data the caller is authorised to access, not on a full dataset that is then filtered client-side. Server-side filtering enforced by the API is the correct pattern. If the agent generates a client-side filter over a full dataset response, rewrite the query to pass filters as API parameters.

  3. Log access to regulated data at the point of query, not only at the point of use. AI-generated integrations commonly log at the display or export layer. Veracity regulated datasets may require an audit trail that starts at the API call. Add a logging step at query time in any code the agent produces.

  4. Do not include regulated data values (asset identifiers, sensitive figures, proprietary scores, or other regulated values specific to your business area) in prompts you send to your agent. If you need the agent to help you process or transform such data, work with anonymised or synthetic records in development, and apply the same code to real data only in a controlled runtime environment.
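
The steps above combined in one query wrapper, as an added example that is not Veracity's code. The endpoint URL, the `assetIds` parameter, the `assetId` field, and `fake_transport` are hypothetical placeholders, and the records are synthetic.

```python
import hashlib
import json
import logging
from datetime import datetime, timezone

audit = logging.getLogger("regulated.audit")
audit.setLevel(logging.INFO)  # INFO entries are dropped under the default level

# Hypothetical placeholder; take the real endpoint from the current API docs.
ENDPOINT = "https://api.example.invalid/datasets/{dataset}/records"


def query_regulated(transport, dataset, caller, authorised_ids, requested_ids):
    """Fetch records for requested_ids with the scope enforced before the call."""
    requested = sorted(set(requested_ids))
    if not requested:
        raise ValueError("an explicit asset scope is required")
    outside = set(requested) - set(authorised_ids)
    if outside:
        # Design-time check: never send a call already known to be out of scope.
        raise PermissionError(f"{len(outside)} requested asset(s) outside authorised scope")

    # Audit entry at query time. Log a count and a digest, not the identifiers.
    digest = hashlib.sha256(",".join(requested).encode()).hexdigest()[:16]
    audit.info(json.dumps({
        "event": "regulated_query", "dataset": dataset, "caller": caller,
        "asset_count": len(requested), "scope_digest": digest,
        "at": datetime.now(timezone.utc).isoformat(),
    }))

    # Server-side filtering: the scope travels as request parameters
    # ("assetIds" is an assumed parameter name).
    params = {"assetIds": ",".join(requested)}
    records = transport(ENDPOINT.format(dataset=dataset), params)

    # Verification, not filtering: an out-of-scope record is an error to surface.
    if any(r["assetId"] not in requested for r in records):
        raise RuntimeError("response contained records outside the requested scope")
    return records  # handed to the caller; nothing is cached here


def fake_transport(url, params):
    """Constructed stand-in for the HTTP call; synthetic records only."""
    store = [{"assetId": "A-1", "value": 10}, {"assetId": "A-2", "value": 20},
             {"assetId": "B-9", "value": 99}]
    wanted = params["assetIds"].split(",")
    return [r for r in store if r["assetId"] in wanted]
```

In a real integration, replace `fake_transport` with the authenticated HTTP call and attach a handler to the `regulated.audit` logger that writes to your audit store.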

Verify the integration

Before deploying AI-generated code that accesses regulated data:

  • Run the integration against your development credentials and confirm that it returns only records within your authorised scope.
  • Introduce a record outside your authorised scope into the test dataset and confirm the integration returns an access error, not the record.
  • Review the generated code for any pattern that stores regulated data values in logs, error messages, or analytics payloads.

Limitations

  • The Veracity Development MCP Server provides current API documentation but does not have visibility into your specific data access grants. Access rights must be confirmed separately in the Veracity developer portal.
  • AI agents cannot determine whether a regulatory rule applies to a given dataset without being explicitly told. Always specify the regulatory context in your prompt.
  • Synthetic or anonymised test data for regulated datasets is not provided by Veracity. You are responsible for creating compliant test fixtures.