Provn
    How it worksBrowse jobsFor companiesBlogLog in

    © 2026 Provn Inc. All rights reserved.

    About•Blog•Terms of Service•Privacy Policy

    Made with love in Seattle

    Challenges/Arrivia/Security Engineer/Multi-Brand Data Protection Design

    Multi-Brand Data Protection Design

    Data Governance
    DLP
    DSPM
    Encryption
    Key Management
    AI Governance
    Compliance
    Estimated Time:
    45 minutes
    Status:Not started

    What You'll Be Doing

    Description

    Arrivia is the product of a merger of three brands — ICE, SOR Technology, and WMPH Vacations — each of which brought its own data systems into the combined company. You've just joined as Director, Data Security & Governance, reporting to the CIO. Your first mandate: discover, classify, and protect wherever data lives across this newly combined estate — the program the team calls "DSPM + classification + DLP modernization," with encryption/key-management standardization as the next phase.

    Below is the current data inventory your team has pulled together in week one. It's incomplete and messy — exactly what you'd expect right after a three-way merger.

    RepositoryType / LocationWhat's actually in it
    loyalty-member-profiles-dbPostgres on AWS RDSMember PII (name, email, phone, address), loyalty tier, account status — shared across all three brands
    redemption-transactions-logS3 bucketRedemption events: timestamp, partner ID, points redeemed, member ID (no name/contact fields)
    payment-tokenization-vaultOn-prem, HSM-backed (legacy WMPH system)Tokenized card references + last-4 digits, used to settle redemption payments
    partner-fulfillment-exportWeekly SFTP export to a third-party fulfillment vendorCSV of member name, shipping address, redemption SKU
    support-ticket-systemSaaS helpdesk (multi-brand)Free-text customer support tickets — agents sometimes paste card numbers or account details into ticket notes
    marketing-campaign-listsSaaS CRMEmail/segment lists, opt-in status, campaign engagement history
    hr-employee-recordsOn-prem HR system (legacy SOR Technology)Employee PII, payroll data, SSNs
    ai-support-copilot-corpusCloud vector store (RAG index)Built from support-ticket text and CRM notes; feeds an internal AI assistant that drafts replies for support agents
    web-session-analyticsCloud data warehouseClickstream/session logs, device IDs, IP addresses, joined to member ID
    legal-hold-archiveCold storageHistorical records under an active legal hold from a past partner dispute — cannot be deleted or altered regardless of normal retention rules

    Your manager needs a Data Protection & Governance Design — not code, not a slide deck of buzzwords — that a compliance officer, an engineering colleague, and the CIO could each act on.


    Constraints to Consider

    1. You cannot request new raw data fields or new repositories. Work with the inventory above — this is a constraint on classification and control design, not an invitation to ask for more data.
    2. You do not own the AI model registry or runtime guardrails. That belongs to Arrivia's App & AI Security team. Your scope for the ai-support-copilot-corpus repository is training-data/RAG-source controls and prompt/response DLP only — design within that boundary.
    3. You set cryptography standards; you don't rebuild Infrastructure's systems. Infrastructure owns backups and storage — you own the encryption/key-management standards they must apply. Don't propose replacing their systems.
    4. The legal-hold archive cannot be deleted or reclassified out of its hold, regardless of your retention schedule. Design your retention policy to explicitly account for this exception, not around it.
    5. Touch all required areas — don't go deep on one at the expense of the rest. You have 45 minutes total, including video. Breadth across the required areas, calibrated to what's achievable in that time, is what's being tested — not exhaustive depth on a single area.

    AI Usage Guidance

    We expect you to use AI tools. We evaluate how you use them — not whether you use them. Evidence of iteration, redirection, and critical evaluation scores higher than a polished output with no process documentation.

    The single highest-signal indicator: your video answer to the mandatory AI question. If you cannot name a specific moment where you redirected AI output, evaluators will assume you did not.

    Mandatory AI question for your video: Walk me through one moment where you disagreed with, pushed back on, or redirected what the AI gave you — and what you did instead. Name the specific moment. Explain what the AI produced that didn't meet the bar, what you did differently, and why.

    Speak naturally, as if briefing your CIO directly. Communication is assessed on how clearly you translate technical controls for a broad audience — not verbal polish, accent, or filler words.

    Submission: Upload each deliverable as a separate file directly on the Provn platform: your Data Protection & Governance Design, your README document (Sections A, B, and C), and your video walkthrough (MP4 or MOV).

    What You'll Accomplish

    Build a data classification scheme and DLP/DSPM control design that reflects the actual sensitivity of each repository — not a generic industry template

    Design concrete encryption, key-management, and tokenization standards, and data-access governance/retention controls, appropriate to a real multi-system data estate

    Apply data-governance judgment to an AI-era risk surface — training-data/RAG-source controls and prompt/response DLP — while respecting the boundary with an adjacent security function

    Show production/program-ownership judgment: an incident runbook for a live DLP/classification precision problem, appropriate to a leadership role that owns this in production

    Communicate technical data-protection decisions in a way a compliance officer, an engineer, and a CIO can each act on

    How Your Work Will Be Scored

    Data Classification, DLP & DSPM Program Design (24%): Classification tiers reflect each repository's actual data, DLP controls map to real egress channels, and DSPM is distinguished from DLPCryptography, Key Management & Data-Access Governance (20%): Concrete at-rest/in-transit encryption, key-lifecycle, and tokenization design, plus a workable access-governance and retention designAI Data Governance & Risk Judgment (16%): Training-data/RAG-source controls and prompt/response DLP are concrete and correctly scoped against the App & AI Security boundaryProduction Ownership & Incident Response (12%): The incident runbook is immediately actionable and distinguishes mitigation from root-cause fixCommunication & Documentation (8%): The design document and video translate technical controls for a broad audienceAI Fluency (10%): The AI Usage Log, Section B2 reasoning, and the video AI question together demonstrate genuine judgment about when and how to use AI for this type of problemResume & Background (10%): Evaluated separately from challenge artifacts

    What to Submit

    No submission guidelines provided.

    On this page

    Top of Page
    What You'll Be Doing
    How It's Scored
    What to Submit