Applications Inventory and Attributes

Primary Data Types Processed

[Multi-Value]

Description — The categories of business data this application primarily processes, stores, or transmits — for example Customer Data, Financial Transaction Data, Employee Records, Product Catalog Data, Operational Telemetry, or Regulatory Reporting Data.

Benefit(s) — Connects the application to the data governance program and provides the basis for determining which privacy regulations, retention policies, and security controls apply. Without data type identification at the application level, data governance programs cannot ensure governance coverage is complete across all data types and all processing locations.

Source — Manually Entered. Each value seeds the Data and Information Assets Inventory when a matching record does not yet exist.

Examples — Customer Data, Financial Transaction Data (Salesforce CRM and SAP S/4HANA), Employee Records, Compensation Data (Workday HCM), Product Catalog Data, Inventory Levels (Oracle SCM)

Notes — Each value in this set that does not yet have a corresponding Data and Information Assets Inventory record seeds a new record in that inventory.

Description — The classification of the most sensitive data this application handles, aligned with the organization's data classification policy: Public, Internal, Confidential, or Restricted.

Benefit(s) — The primary governance trigger for security control requirements, access restriction policies, audit obligations, and regulatory compliance measures at the data level. An application's data classification level determines the minimum security and governance treatment it must receive.

Source — Manually Entered — assessed by the Data Owner in accordance with the organization's data classification policy.

Examples — Restricted (payment processing system), Confidential (HR and compensation systems), Internal (project management and collaboration tools), Public (corporate website CMS)

Notes — Valid values: Public, Internal, Confidential, Restricted. Use the most sensitive classification that applies.

Description — The policy governing how long data processed by this application must be retained before it can be deleted or archived — reflecting regulatory retention requirements, legal hold obligations, and business operational requirements.

Benefit(s) — Regulatory and legal obligations specify minimum data retention periods that must be enforced at the application level. Without documented Data Retention Policy by application, organizations cannot demonstrate retention compliance to regulators or ensure that data is deleted on schedule when retention periods expire.

Source — Manually Entered — defined in conjunction with the Data Owner, Legal, and Compliance functions.

Master Data Domains Managed

[Multi-Value]

Description — The enterprise master data domains for which this application is the system of record or authoritative source — for example Customer Master, Product Master, Employee Master, Vendor Master, or Chart of Accounts.

Benefit(s) — Identifies applications that serve as authoritative data sources for the enterprise, whose data quality and availability directly affect the accuracy of every downstream system that consumes their master data. Applications that manage master data require proportionally greater data quality governance and availability investment.

Source — Manually Entered.

Notes — Populate only for applications that are the designated system of record for one or more master data domains. If the application is not a system of record for any master data domain, leave blank.

Data Residency Location(s)

[Multi-Value]

Description — The geographic locations or cloud regions where data processed by this application is stored — the physical or virtual locations where the application's primary data stores reside.

Benefit(s) — Enables compliance validation against data residency and sovereignty requirements that specify where specific data types may be stored. Cloud migration decisions, disaster recovery configurations, and backup locations must all be evaluated against Data Residency requirements.

Source — Manually Entered.

Notes — Express as jurisdiction or cloud region: for example, United States — AWS us-east-1, European Union — Azure West Europe, On-Premises — Chicago Data Center.