B2B Schema with GDPR Compliance and Enterprise SSO
Comprehensive event tracking schema for a B2B collaboration platform with GDPR compliance (user ID hashing, EU data residency) and enterprise SSO audit logging. Includes 40+ events, Amplitude implementation with type-safe tracking, and 4-week rollout plan.
Input
What you provide to the skill
B2B SaaS collaboration platform with workspaces, documents, permissions. Need to track: document_viewed, document_shared, permission_changed, version_created. Analytics: Amplitude. Constraint: GDPR compliance, enterprise SSO logging.
Output
What the skill generates for you
EVENT TRACKING SCHEMA
NAMING CONVENTION: object_action (snake_case, past tense)
Examples:
- document_viewed (not ViewDocument, view_document)
- permission_changed (not PermissionUpdated, change_permission)
EVENT TAXONOMY
CATEGORY: ACCOUNT & AUTHENTICATION
| Event Name | Trigger | Properties | GDPR Notes |
|---|---|---|---|
| user_signed_up | Registration complete | signup_method, sso_provider | Hash email |
| user_logged_in | SSO login success | login_method, sso_provider, ip_location_country | IP as country only |
| sso_authentication_completed | SSO flow success | sso_provider, authentication_duration_ms | Audit trail |
| sso_authentication_failed | SSO flow failure | sso_provider, error_type | Audit trail |
CATEGORY: WORKSPACE
| Event Name | Trigger | Properties |
|---|---|---|
| workspace_created | Workspace saved | workspace_type, member_count, plan_tier |
| workspace_member_added | Member joins | workspace_id, member_role, invite_method |
| workspace_member_removed | Member removed | workspace_id, days_as_member |
CATEGORY: DOCUMENT
| Event Name | Trigger | Properties |
|---|---|---|
| document_created | Document saved | workspace_id, document_type, is_from_template |
| document_viewed | Document page load | document_id, workspace_id, user_role, view_duration_seconds |
| document_edited | Content change | document_id, characters_changed, collaboration_active |
| document_shared | Share action | document_id, share_method, recipient_count, permission_level |
| document_exported | Export action | document_id, export_format, file_size_kb |
CATEGORY: PERMISSIONS
| Event Name | Trigger | Properties | Audit |
|---|---|---|---|
| permission_changed | Permission updated | permission_level_from, permission_level_to, target_user_id, changed_by_user_id | Full audit |
| permission_granted | New permission | permission_level, target_user_id, granted_by_user_id | Full audit |
| permission_revoked | Permission removed | permission_level, target_user_id, revoked_by_user_id | Full audit |
| sharing_link_created | Public link created | link_type, expiration_enabled, password_protected | Security |
CATEGORY: VERSION CONTROL
| Event Name | Trigger | Properties |
|---|---|---|
| version_created | Save version | document_id, version_number, version_type |
| version_restored | Rollback | document_id, version_number, versions_rolled_back |
PROPERTY STANDARDS
Required on ALL events (Amplitude auto-captures):
- timestamp (automatic)
- user_id (hashed for GDPR)
- session_id (automatic)
Naming conventions:
- IDs: {object}_id (workspace_id, document_id)
- Counts: {thing}_count (member_count, recipient_count)
- Durations: {metric}_{unit} (view_duration_seconds)
- Booleans: has_{thing} or is_{state} (is_from_template)
- From/To: {thing}_from / {thing}_to (permission_level_from)
GDPR-Specific Properties:
- ip_location_country (NOT full IP address)
- Use hashed user_id for all events
- Never send: email addresses, full names, IP addresses
AMPLITUDE IMPLEMENTATION
```typescript
// analytics/amplitude-config.ts
import * as amplitude from '@amplitude/analytics-browser';
// Node's crypto module: available server-side, or in a browser bundle only via a polyfill.
import { createHash } from 'crypto';

amplitude.init('YOUR_API_KEY', {
  serverZone: 'EU', // EU data residency: send events to Amplitude's EU ingestion endpoint
  trackingOptions: {
    ipAddress: false, // GDPR
    city: false,
    region: false,
  },
});

// Pseudonymizes a user ID: first 16 hex characters (64 bits) of its SHA-256 digest.
// The hash is unkeyed, so anyone who can enumerate raw user IDs can rebuild the
// mapping; the output is still personal data under GDPR.
export function hashUserId(userId: string): string {
  return createHash('sha256').update(userId).digest('hex').substring(0, 16);
}
```

```typescript
// analytics/events.ts
export const EVENTS = {
  // Key metrics
  DOCUMENT_VIEWED: 'document_viewed',
  DOCUMENT_SHARED: 'document_shared',
  PERMISSION_CHANGED: 'permission_changed',
  VERSION_CREATED: 'version_created',
  // Auth/SSO
  USER_LOGGED_IN: 'user_logged_in',
  SSO_AUTHENTICATION_COMPLETED: 'sso_authentication_completed',
  SSO_AUTHENTICATION_FAILED: 'sso_authentication_failed',
  // Workspace
  WORKSPACE_CREATED: 'workspace_created',
  WORKSPACE_MEMBER_ADDED: 'workspace_member_added',
} as const;
```

```typescript
// analytics/tracker.ts
import * as amplitude from '@amplitude/analytics-browser';
import { hashUserId } from './amplitude-config';
import { EVENTS } from './events';

export class AnalyticsTracker {
  // Document viewed - no user identifiers in the properties
  static trackDocumentViewed(params: {
    document_id: string;
    workspace_id: string;
    user_role: string;
    view_duration_seconds?: number;
  }) {
    amplitude.track(EVENTS.DOCUMENT_VIEWED, params);
  }

  // Permission changed - includes audit trail
  static trackPermissionChanged(params: {
    document_id: string;
    permission_level_from: string;
    permission_level_to: string;
    target_user_id: string;
    changed_by_user_id: string;
  }) {
    amplitude.track(EVENTS.PERMISSION_CHANGED, {
      ...params,
      // Both user IDs are hashed before they leave the application
      target_user_id: hashUserId(params.target_user_id),
      changed_by_user_id: hashUserId(params.changed_by_user_id),
    });
  }
}
```
GDPR COMPLIANCE CHECKLIST
Data Minimization:
[x] Hash all user_id values before sending
[x] Store IP as country code only
[x] Never send email addresses in properties
[ ] Implement data export endpoint
[ ] Implement data deletion workflow
Technical Safeguards:
[x] Use EU Amplitude endpoint
[ ] Set up data retention policy (25 months)
[ ] Configure user data deletion on request
ENTERPRISE SSO LOGGING
Audit Events:
- sso_authentication_completed - Every successful SSO login
  - Includes: sso_provider, authentication_duration_ms
  - Retention: 90 days minimum
- sso_authentication_failed - Failed SSO attempts
  - Includes: sso_provider, error_type
  - Use for security monitoring
- permission_changed - All permission modifications
  - Includes: full audit trail with changed_by_user_id
GOVERNANCE PROCESS (B2B Team)
Event Approval Workflow:
- Developer creates feature requiring events
- Product Manager reviews event names
- Security/Compliance reviews GDPR compliance
- Analytics Lead approves implementation
- Merge after all approvals
New Event Checklist:
[ ] Follows object_action naming
[ ] No PII in properties (emails, IPs, names)
[ ] User IDs are hashed
[ ] Includes audit fields if security-related
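The New Event Checklist above can be enforced in code before an event is sent. This is an added example, not part of the generated schema or of Amplitude's SDK: `lintEvent` and its patterns are hypothetical, and it assumes hashed IDs have the 16-hex-character shape that `hashUserId` produces.

```typescript
// Added example (not the page's code): lint one event against the New Event
// Checklist. lintEvent and every pattern below are hypothetical helpers.
type EventProps = Record<string, unknown>;

const EVENT_NAME = /^[a-z]+(_[a-z]+)+$/; // object_action in snake_case
const HASHED_ID = /^[0-9a-f]{16}$/;      // shape produced by hashUserId()
const PII_KEY = /(^|_)(email|full_name|first_name|last_name|ip|ip_address)$/;
const EMAIL = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;

function lintEvent(name: string, props: EventProps): string[] {
  const problems: string[] = [];
  const keys = Object.keys(props);

  if (!EVENT_NAME.test(name)) {
    problems.push(`event "${name}": name is not object_action snake_case`);
  }
  for (const key of keys) {
    // A property named after a PII field is rejected whatever it holds.
    if (PII_KEY.test(key)) {
      problems.push(`property "${key}": PII field must not be sent`);
      continue;
    }
    const value = String(props[key]);
    if (/user_id$/.test(key) && !HASHED_ID.test(value)) {
      problems.push(`property "${key}": user ID is not hashed`);
    }
    // PII can also hide inside an innocently named free-text property.
    if (EMAIL.test(value)) problems.push(`property "${key}": value contains an email address`);
    if (IPV4.test(value)) problems.push(`property "${key}": value contains an IP address`);
  }
  // permission_* events are marked "Full audit": they need both the affected
  // user and the acting user (changed_by / granted_by / revoked_by).
  if (/^permission_/.test(name)) {
    if (keys.indexOf('target_user_id') === -1) {
      problems.push('audit: target_user_id is missing');
    }
    if (!keys.some((k) => /_by_user_id$/.test(k))) {
      problems.push('audit: acting user (*_by_user_id) is missing');
    }
  }
  return problems;
}
```

Run in a unit test or a development-only wrapper around the tracker, it fails the build when a new event breaks the checklist instead of relying on review alone.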
PRIORITIZED ROLLOUT
Phase 1 - Core Analytics (Week 1):
1. document_viewed
2. document_created
3. document_shared
4. workspace_created
5. user_logged_in
Phase 2 - Collaboration (Week 2):
6. version_created
7. permission_changed
8. document_edited
Phase 3 - Security/Compliance (Week 3):
9. sso_authentication_completed
10. sso_authentication_failed
11. permission_granted
12. permission_revoked
Phase 4 - Monetization (Week 4):
13. plan_upgraded
14. trial_started
15. workspace_member_added
About This Skill
Design consistent event tracking schemas with object-action naming conventions to prevent analytics chaos as your product scales.