Lindy Data Handling

Overview

Lindy agents process data through triggers, LLM calls, actions, knowledge bases, and memory. Data flows through Lindy's managed infrastructure with AES-256 encryption at rest and in transit. This skill covers data classification, PII handling, prompt-level data controls, and regulatory compliance.

Prerequisites

• Understanding of data types processed by your agents
• Knowledge of applicable regulations (GDPR, CCPA, HIPAA)
• For HIPAA: Business Associate Agreement (BAA) with Lindy (Enterprise plan)

Lindy Data Architecture

Component	Data Storage	Retention
Tasks	Task inputs, outputs, step data	Visible in dashboard
Memory	Persistent snippets across tasks	Until manually deleted
Context	Per-task accumulated context	Task lifetime only
Knowledge Base	Uploaded files, crawled sites	Until manually removed
Integrations	OAuth tokens, connection data	Until disconnected
Computer Use	Browser session, screenshots	30 days after last use

Instructions

Step 1: Classify Data in Agent Workflows

Map what data each agent processes:

Data Category	Examples	Handling
Public	Product info, FAQs, pricing	No restrictions
Internal	Sales reports, meeting notes	Limit to authorized agents
Confidential	Customer emails, CRM data	Access controls + audit
Restricted	PII, PHI, payment data	Minimize exposure + compliance

Step 2: PII Controls in Agent Prompts

Add data handling instructions directly to agent prompts:

## Data Handling Rules
- Never include full email addresses in summaries — use "[name]@[domain]"
- Redact phone numbers in logs — show only last 4 digits
- Do not forward customer personal information to Slack channels
- When storing to spreadsheet, omit columns: email, phone, address
- If asked to share customer data externally, decline and escalate

Step 3: Knowledge Base Data Safety

Knowledge base files are searchable by the agent. Control what goes in:

DO upload:

• Product documentation
• FAQ articles
• Policy documents
• Public knowledge articles

DO NOT upload:

• Customer databases with PII
• Credentials or API keys
• Internal HR documents (unless agent specifically needs them)
• Financial records with account numbers

Resync considerations: KB auto-refreshes every 24 hours. If you upload sensitive content by mistake, remove it AND trigger a manual Resync.

Step 4: Secure Memory Usage

Agent memories persist across all future tasks. Be deliberate:

Safe memory: "Customer prefers email communication over phone"
Safe memory: "Billing questions should escalate to finance@company.com"

Risky memory: "John Smith's SSN is 123-45-6789"  ← NEVER store PII in memory
Risky memory: "API key for Stripe: sk_live_xxxx"  ← NEVER store secrets

Add to agent prompt:

## Memory Rules
- Never store personally identifiable information (PII) in memory
- Never store credentials, API keys, or passwords in memory
- Memories should contain preferences, patterns, and procedures only

Step 5: Computer Use Data Isolation

If using Computer Use (browser automation):

• Sessions persist for 30 days with saved credentials
• Enable Incognito mode for sessions handling sensitive data
• Use dedicated (not shared) computer assignments for sensitive agents
• Review screenshots captured during execution for data exposure

Step 6: Integration Account Isolation

• Authorize dedicated service accounts per agent (not personal accounts)
• Use Gmail with a team alias, not an individual inbox
• Create read-only database credentials where possible
• Revoke access immediately when an agent is decommissioned

Step 7: Regulatory Compliance

GDPR (EU Data Protection):

• Document what personal data each agent processes
• Ensure agents only process data with valid legal basis
• Implement data subject access/deletion capabilities
• Agent prompt includes "do not retain personal data beyond task completion"
• Review Lindy's data processing agreement

CCPA (California Consumer Privacy):

• Identify agents processing California resident data
• Ensure opt-out mechanisms exist for data processing
• Agent prompt prevents selling/sharing personal information

HIPAA (Healthcare):

• Enterprise plan with BAA in place
• Agents only access minimum necessary PHI
• No PHI in agent memory or knowledge base
• Audit trail enabled for all PHI access
• Agent prompt includes PHI handling restrictions

Step 8: Data Retention Management

Agent Prompt Addition:
## Data Retention
- Do not reference data from tasks older than 30 days
- Clear task context after each run (do not accumulate indefinitely)
- When updating memory, remove outdated entries
- Summarize customer interactions, do not store verbatim transcripts

Data Handling Checklist

• Each agent's data classification documented
• PII handling rules in every agent prompt
• Knowledge base audited for sensitive content
• Memory creation restricted (no PII, no secrets)
• Integration accounts isolated per agent
• Computer Use sessions set to dedicated + incognito where needed
• Regulatory compliance requirements mapped
• BAA in place if handling healthcare data
• Data retention policy defined and enforced in prompts

Error Handling

Issue	Cause	Solution
PII in Slack channel	Agent forwarded customer email	Add "never forward PII to Slack" to prompt
Sensitive file in KB	Uploaded by mistake	Remove file + trigger KB resync immediately
Memory contains PII	Agent auto-created memory	Delete memory + add "never store PII" to prompt
Audit finding	Agent accessing unnecessary data	Remove unused integrations from agent

Resources

• Lindy Security
• Lindy Privacy Policy
• GDPR Official
• Lindy Documentation

Next Steps

Proceed to

lindy-enterprise-rbac

for access control.