cdpse-d2-applications-and-software-apis-and-services

APIs and Services

isaca-cdpse · framework · Gold standard

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is APIs and Services

APIs (Application Programming Interfaces) and Services are the programmatic contracts through which software systems exchange data. In privacy architecture, they are the primary layer where personal data flows between components—internal microservices, third-party processors, partner platforms, and end users. A privacy-architected API enforces four core properties: data minimization (returning only the fields a caller needs), purpose limitation (rejecting requests inconsistent with the consented use case), authentication and authorization (verifying who can access which records), and auditability (logging every data access event for regulatory accountability). In the CDPSE Privacy Architecture domain, APIs are not merely technical constructs—they are governance artifacts that encode an organization's privacy obligations into executable software behavior.

Where it stops · what it isn't

—IS: REST, GraphQL, gRPC, and SOAP endpoints through which personal data transits, including internal service-to-service APIs, customer-facing APIs, and third-party integration points.
—IS: The privacy controls applied at the API layer—field-level response filtering, rate limiting, consent enforcement, audit logging, data residency routing, and authorization models (OAuth 2.0, RBAC, ABAC).
—IS NOT: Underlying database or storage layer privacy controls (covered under Data Lifecycle Management), though the API layer must enforce policies originating there.
—IS NOT: Network-layer security (TLS/firewall configuration) in isolation—mTLS is a transport prerequisite, not an API privacy control.
—IS NOT: General application security testing (DAST/SAST)—API privacy architecture addresses design-time policy enforcement, not post-deployment scanning.
—IS NOT: UI/UX consent capture design—consent must be collected at the presentation layer, but the API layer enforces it; this cubelet addresses enforcement, not capture design.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Privacy Architecture — Applications and Software

REQUIRES

Data Flow Mapping and ClassificationConsent and Preference ManagementIdentity and Access Management (IAM)

ENABLES

Third-Party Risk ManagementData Subject Rights Fulfillment (DSAR Automation)

RELATED TO

Application Security TestingData Minimization and Retention Policies

CONSTRAINS

Microservices and Distributed System Architecture

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.