vercel-data-handling
Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".
Best use case
vercel-data-handling is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".
Teams using vercel-data-handling should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/vercel-data-handling/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How vercel-data-handling Compares
| Feature / Agent | vercel-data-handling | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Vercel Data Handling
## Overview
Handle sensitive data correctly on Vercel: PII redaction in logs, GDPR-compliant data processing in serverless functions, secure cookie management, and data residency configuration. Covers both what Vercel stores and what your application should protect.
## Prerequisites
- Understanding of GDPR/CCPA requirements
- Vercel Pro or Enterprise (for data residency options)
- Logging infrastructure with PII awareness
## Instructions
### Step 1: Understand What Vercel Stores
| Data Type | Where | Retention | Control |
|-----------|-------|-----------|---------|
| Runtime logs | Vercel servers | 1hr (free), 30d (Plus) | Log drains |
| Build logs | Vercel servers | 30 days | Automatic |
| Analytics data | Vercel | Aggregated, no PII | Disable in dashboard |
| Deployment source | Vercel | Until deleted | Manual deletion |
| Environment variables | Vercel (encrypted) | Until deleted | Scoped access |
### Step 2: PII Redaction in Logs
```typescript
// lib/redact.ts — redact PII before logging
const PII_PATTERNS: [RegExp, string][] = [
[/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, '[EMAIL]'],
[/\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g, '[PHONE]'],
[/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
[/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, '[CARD]'],
[/\b(?:Bearer|token|key|secret|password)\s*[:=]\s*\S+/gi, '[CREDENTIAL]'],
];
export function redact(text: string): string {
let result = text;
for (const [pattern, replacement] of PII_PATTERNS) {
result = result.replace(pattern, replacement);
}
return result;
}
// Usage — always redact before console.log
import { redact } from '@/lib/redact';
export async function POST(request: Request) {
const body = await request.json();
console.log('Request received:', redact(JSON.stringify(body)));
// Process safely...
}
```
### Step 3: GDPR-Compliant API Routes
```typescript
// api/users/[id]/route.ts — data subject request handlers
import { NextRequest, NextResponse } from 'next/server';
import { db } from '@/lib/db';
// Right to Access (GDPR Art. 15)
export async function GET(
request: NextRequest,
{ params }: { params: { id: string } }
) {
const user = await db.user.findUnique({
where: { id: params.id },
include: { posts: true, preferences: true },
});
if (!user) return NextResponse.json({ error: 'Not found' }, { status: 404 });
return NextResponse.json({
personalData: {
name: user.name,
email: user.email,
createdAt: user.createdAt,
posts: user.posts,
preferences: user.preferences,
},
exportedAt: new Date().toISOString(),
});
}
// Right to Erasure (GDPR Art. 17)
export async function DELETE(
request: NextRequest,
{ params }: { params: { id: string } }
) {
// Soft delete — anonymize instead of hard delete for audit trail
await db.user.update({
where: { id: params.id },
data: {
email: `deleted-${params.id}@redacted.local`,
name: '[DELETED]',
deletedAt: new Date(),
},
});
// Also delete from log drain provider if applicable
console.log(`GDPR deletion completed for user ${params.id}`);
return NextResponse.json({ deleted: true });
}
```
### Step 4: Secure Cookie Management
```typescript
// lib/cookies.ts — GDPR-aware cookie handling
import { cookies } from 'next/headers';
export function setSessionCookie(token: string): void {
cookies().set('session', token, {
httpOnly: true, // Not accessible via JavaScript
secure: true, // HTTPS only
sameSite: 'lax', // CSRF protection
maxAge: 60 * 60 * 24, // 24 hours
path: '/',
});
}
export function setConsentCookie(consent: Record<string, boolean>): void {
cookies().set('consent', JSON.stringify(consent), {
httpOnly: false, // Needs client-side access
secure: true,
sameSite: 'lax',
maxAge: 60 * 60 * 24 * 365, // 1 year
path: '/',
});
}
// Middleware — block analytics if consent not given
export function middleware(request: Request) {
const consent = request.headers.get('cookie')?.includes('consent');
if (!consent) {
// Strip analytics query params, skip tracking middleware
}
}
```
### Step 5: Data Residency Configuration
Vercel allows configuring where your serverless functions execute:
```json
// vercel.json — restrict function execution to EU regions
{
"regions": ["cdg1", "lhr1"],
"functions": {
"api/**/*.ts": {
"regions": ["cdg1"]
}
}
}
```
EU regions for GDPR data residency:
| Region | Location | Code |
|--------|----------|------|
| Paris | France | `cdg1` |
| London | UK | `lhr1` |
| Frankfurt | Germany | `fra1` |
### Step 6: Audit Logging
```typescript
// lib/audit-log.ts — track data access for compliance
interface AuditEntry {
action: 'read' | 'create' | 'update' | 'delete' | 'export';
resource: string;
resourceId: string;
userId: string;
ip: string;
timestamp: string;
}
export async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
const record: AuditEntry = {
...entry,
timestamp: new Date().toISOString(),
};
// Write to database audit table
await db.auditLog.create({ data: record });
// Also log for log drain capture (structured JSON)
console.log(JSON.stringify({ type: 'audit', ...record }));
}
// Usage in API route:
export async function GET(request: NextRequest) {
await auditLog({
action: 'read',
resource: 'user',
resourceId: params.id,
userId: session.userId,
ip: request.headers.get('x-forwarded-for') ?? 'unknown',
});
}
```
## Data Classification Guide
| Category | Examples | Handling on Vercel |
|----------|----------|-------------------|
| PII | Email, name, phone, IP | Redact from logs, encrypt at rest |
| Secrets | API keys, tokens, passwords | Use `type: sensitive` env vars, never log |
| Financial | Card numbers, bank info | Never process in functions — use Stripe/payment provider |
| Health | Medical records | Requires BAA — contact Vercel Enterprise |
| Business | Metrics, usage stats | Aggregate before logging |
## Output
- PII redaction applied to all log output
- GDPR data subject request endpoints implemented
- Secure cookie handling with consent management
- Data residency configured via function regions
- Audit logging for compliance trail
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| PII in Vercel logs | Not redacting before console.log | Use `redact()` wrapper on all log calls |
| GDPR data request timeout | Large data export in function | Paginate or use background processing |
| Cookies not secure | Missing `secure: true` flag | Always set httpOnly and secure flags |
| Function running in wrong region | Region not set in vercel.json | Specify `regions` per function |
## Resources
- [Vercel Privacy Policy](https://vercel.com/legal/privacy-policy)
- [Vercel Data Processing Agreement](https://vercel.com/legal/dpa)
- [GDPR Overview](https://gdpr.eu/)
- [Vercel Function Regions](https://vercel.com/docs/functions/configuring-functions)
- [Vercel Security](https://vercel.com/security)
## Next Steps
For enterprise RBAC, see `vercel-enterprise-rbac`.Related Skills
generating-test-data
Generate realistic test data including edge cases and boundary conditions. Use when creating realistic fixtures or edge case test data. Trigger with phrases like "generate test data", "create fixtures", or "setup test database".
managing-database-tests
Test database testing including fixtures, transactions, and rollback management. Use when performing specialized testing. Trigger with phrases like "test the database", "run database tests", or "validate data integrity".
encrypting-and-decrypting-data
Validate encryption implementations and cryptographic practices. Use when reviewing data security measures. Trigger with 'check encryption', 'validate crypto', or 'review security keys'.
scanning-for-data-privacy-issues
Scan for data privacy issues and sensitive information exposure. Use when reviewing data handling practices. Trigger with 'scan privacy issues', 'check sensitive data', or 'validate data protection'.
windsurf-data-handling
Control what code and data Windsurf AI can access and process in your workspace. Use when handling sensitive data, implementing data exclusion patterns, or ensuring compliance with privacy regulations in Windsurf environments. Trigger with phrases like "windsurf data privacy", "windsurf PII", "windsurf GDPR", "windsurf compliance", "codeium data", "windsurf telemetry".
webflow-data-handling
Implement Webflow data handling — CMS content delivery patterns, PII redaction in form submissions, GDPR/CCPA compliance for ecommerce data, and data retention policies. Trigger with phrases like "webflow data", "webflow PII", "webflow GDPR", "webflow data retention", "webflow privacy", "webflow CCPA", "webflow forms data".
vercel-webhooks-events
Implement Vercel webhook handling with signature verification and event processing. Use when setting up webhook endpoints, processing deployment events, or building integrations that react to Vercel deployment lifecycle. Trigger with phrases like "vercel webhook", "vercel events", "vercel deployment.ready", "handle vercel events", "vercel webhook signature".
vercel-upgrade-migration
Upgrade Vercel CLI, Node.js runtime, and Next.js framework versions with breaking change detection. Use when upgrading Vercel CLI versions, migrating Node.js runtimes, or updating Next.js between major versions on Vercel. Trigger with phrases like "upgrade vercel", "vercel migration", "vercel breaking changes", "update vercel CLI", "next.js upgrade on vercel".
vercel-security-basics
Apply Vercel security best practices for secrets, headers, and access control. Use when securing API keys, configuring security headers, or auditing Vercel security configuration. Trigger with phrases like "vercel security", "vercel secrets", "secure vercel", "vercel headers", "vercel CSP".
vercel-sdk-patterns
Production-ready Vercel REST API patterns with typed fetch wrappers and error handling. Use when integrating with the Vercel API programmatically, building deployment tools, or establishing team coding standards for Vercel API calls. Trigger with phrases like "vercel SDK patterns", "vercel API wrapper", "vercel REST API client", "vercel best practices", "idiomatic vercel API".
vercel-reliability-patterns
Implement reliability patterns for Vercel deployments including circuit breakers, retry logic, and graceful degradation. Use when building fault-tolerant serverless functions, implementing retry strategies, or adding resilience to production Vercel services. Trigger with phrases like "vercel reliability", "vercel circuit breaker", "vercel resilience", "vercel fallback", "vercel graceful degradation".
vercel-reference-architecture
Implement a Vercel reference architecture with layered project structure and best practices. Use when designing new Vercel projects, reviewing project structure, or establishing architecture standards for Vercel applications. Trigger with phrases like "vercel architecture", "vercel project structure", "vercel best practices layout", "how to organize vercel project".