vercel-data-handling
Implement Vercel PII handling, data retention, and GDPR/CCPA compliance patterns. Use when handling sensitive data, implementing data redaction, configuring retention policies, or ensuring compliance with privacy regulations for Vercel integrations. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel CCPA".
Install
mkdir -p .claude/skills/vercel-data-handling && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6004" && unzip -o skill.zip -d .claude/skills/vercel-data-handling && rm skill.zipInstalls to .claude/skills/vercel-data-handling
About this skill
Vercel Data Handling
Overview
Handle sensitive data correctly on Vercel: PII redaction in logs, GDPR-compliant data processing in serverless functions, secure cookie management, and data residency configuration. Covers both what Vercel stores and what your application should protect.
Prerequisites
- Understanding of GDPR/CCPA requirements
- Vercel Pro or Enterprise (for data residency options)
- Logging infrastructure with PII awareness
Instructions
Step 1: Understand What Vercel Stores
| Data Type | Where | Retention | Control |
|---|---|---|---|
| Runtime logs | Vercel servers | 1hr (free), 30d (Plus) | Log drains |
| Build logs | Vercel servers | 30 days | Automatic |
| Analytics data | Vercel | Aggregated, no PII | Disable in dashboard |
| Deployment source | Vercel | Until deleted | Manual deletion |
| Environment variables | Vercel (encrypted) | Until deleted | Scoped access |
Step 2: PII Redaction in Logs
// lib/redact.ts — redact PII before logging
const PII_PATTERNS: [RegExp, string][] = [
[/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, '[EMAIL]'],
[/\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g, '[PHONE]'],
[/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
[/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, '[CARD]'],
[/\b(?:Bearer|token|key|secret|password)\s*[:=]\s*\S+/gi, '[CREDENTIAL]'],
];
export function redact(text: string): string {
let result = text;
for (const [pattern, replacement] of PII_PATTERNS) {
result = result.replace(pattern, replacement);
}
return result;
}
// Usage — always redact before console.log
import { redact } from '@/lib/redact';
export async function POST(request: Request) {
const body = await request.json();
console.log('Request received:', redact(JSON.stringify(body)));
// Process safely...
}
Step 3: GDPR-Compliant API Routes
// api/users/[id]/route.ts — data subject request handlers
import { NextRequest, NextResponse } from 'next/server';
import { db } from '@/lib/db';
// Right to Access (GDPR Art. 15)
export async function GET(
request: NextRequest,
{ params }: { params: { id: string } }
) {
const user = await db.user.findUnique({
where: { id: params.id },
include: { posts: true, preferences: true },
});
if (!user) return NextResponse.json({ error: 'Not found' }, { status: 404 });
return NextResponse.json({
personalData: {
name: user.name,
email: user.email,
createdAt: user.createdAt,
posts: user.posts,
preferences: user.preferences,
},
exportedAt: new Date().toISOString(),
});
}
// Right to Erasure (GDPR Art. 17)
export async function DELETE(
request: NextRequest,
{ params }: { params: { id: string } }
) {
// Soft delete — anonymize instead of hard delete for audit trail
await db.user.update({
where: { id: params.id },
data: {
email: `deleted-${params.id}@redacted.local`,
name: '[DELETED]',
deletedAt: new Date(),
},
});
// Also delete from log drain provider if applicable
console.log(`GDPR deletion completed for user ${params.id}`);
return NextResponse.json({ deleted: true });
}
Step 4: Secure Cookie Management
// lib/cookies.ts — GDPR-aware cookie handling
import { cookies } from 'next/headers';
export function setSessionCookie(token: string): void {
cookies().set('session', token, {
httpOnly: true, // Not accessible via JavaScript
secure: true, // HTTPS only
sameSite: 'lax', // CSRF protection
maxAge: 60 * 60 * 24, // 24 hours
path: '/',
});
}
export function setConsentCookie(consent: Record<string, boolean>): void {
cookies().set('consent', JSON.stringify(consent), {
httpOnly: false, // Needs client-side access
secure: true,
sameSite: 'lax',
maxAge: 60 * 60 * 24 * 365, // 1 year
path: '/',
});
}
// Middleware — block analytics if consent not given
export function middleware(request: Request) {
const consent = request.headers.get('cookie')?.includes('consent');
if (!consent) {
// Strip analytics query params, skip tracking middleware
}
}
Step 5: Data Residency Configuration
Vercel allows configuring where your serverless functions execute:
// vercel.json — restrict function execution to EU regions
{
"regions": ["cdg1", "lhr1"],
"functions": {
"api/**/*.ts": {
"regions": ["cdg1"]
}
}
}
EU regions for GDPR data residency:
| Region | Location | Code |
|---|---|---|
| Paris | France | cdg1 |
| London | UK | lhr1 |
| Frankfurt | Germany | fra1 |
Step 6: Audit Logging
// lib/audit-log.ts — track data access for compliance
interface AuditEntry {
action: 'read' | 'create' | 'update' | 'delete' | 'export';
resource: string;
resourceId: string;
userId: string;
ip: string;
timestamp: string;
}
export async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
const record: AuditEntry = {
...entry,
timestamp: new Date().toISOString(),
};
// Write to database audit table
await db.auditLog.create({ data: record });
// Also log for log drain capture (structured JSON)
console.log(JSON.stringify({ type: 'audit', ...record }));
}
// Usage in API route:
export async function GET(request: NextRequest) {
await auditLog({
action: 'read',
resource: 'user',
resourceId: params.id,
userId: session.userId,
ip: request.headers.get('x-forwarded-for') ?? 'unknown',
});
}
Data Classification Guide
| Category | Examples | Handling on Vercel |
|---|---|---|
| PII | Email, name, phone, IP | Redact from logs, encrypt at rest |
| Secrets | API keys, tokens, passwords | Use type: sensitive env vars, never log |
| Financial | Card numbers, bank info | Never process in functions — use Stripe/payment provider |
| Health | Medical records | Requires BAA — contact Vercel Enterprise |
| Business | Metrics, usage stats | Aggregate before logging |
Output
- PII redaction applied to all log output
- GDPR data subject request endpoints implemented
- Secure cookie handling with consent management
- Data residency configured via function regions
- Audit logging for compliance trail
Error Handling
| Error | Cause | Solution |
|---|---|---|
| PII in Vercel logs | Not redacting before console.log | Use redact() wrapper on all log calls |
| GDPR data request timeout | Large data export in function | Paginate or use background processing |
| Cookies not secure | Missing secure: true flag | Always set httpOnly and secure flags |
| Function running in wrong region | Region not set in vercel.json | Specify regions per function |
Resources
- Vercel Privacy Policy
- Vercel Data Processing Agreement
- GDPR Overview
- Vercel Function Regions
- Vercel Security
Next Steps
For enterprise RBAC, see vercel-enterprise-rbac.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
Nekzus Utility ServerNekzus Utility Server offers modular TypeScript tools for datetime, cards, and schema conversion with stdio transport co
Knowledge Graph MemoryBuild persistent semantic networks for enterprise & engineering data management. Enable data persistence and memory acro
Figma ContextUnlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work
CipherCipher empowers agents with persistent memory using vector databases and embeddings for seamless context retention and t
Gemini CLIIntegrate with Gemini CLI for large-scale file analysis, secure code execution, and advanced context control using Googl
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.