How to comply with the NSD's Data Security Program

September 26, 2025

On July 8, 2025, the U.S. Department of Justice began enforcing the National Security Division's (NSD) new Data Security Program (DSP), which took effect on April 8, 2025. The program implements Executive Order 14117, which is designed to prevent countries of concern from accessing Americans' most sensitive data.

The rule governs "covered transactions," including the sale or transfer of, or the provision of access to, sensitive personal or government-related data. While these rules primarily target data brokers and companies selling datasets, many organizations may still fall out of compliance through seemingly routine workflows. Even allowing international contractors access to training datasets may qualify as a covered transaction, depending on how the rules are interpreted.

This guide will break down who needs to comply, what types of transactions are affected, and how Tonic.ai can help you increase security using data de-identification and synthetic data solutions.

Who needs to ensure Data Security Program compliance?

Any entity engaged in a transaction involving U.S. citizen data and a country of concern must comply. The rule defines “covered data transactions” as those involving the transfer, access, or processing of bulk U.S. sensitive personal or government-related data. This includes:

  • U.S.-based organizations that collect, store, process, or share bulk sensitive personal data or government-related information, including contractors and grant recipients.
  • Entities engaged in data brokerage or third-party data sharing activities, particularly those involving tracking technologies like cookies, SDKs, or analytics tools.
  • Foreign individuals or organizations that participate in, facilitate, or attempt to circumvent restricted data transactions covered under the DSP.

Even if you’re not explicitly selling or licensing datasets, giving a covered contractor access to real user data during testing, training, or QA processes could fall within the scope.

Transactions governed by Data Security Program compliance

Not all data movement triggers compliance obligations, but if your organization transacts with foreign entities or personnel and sensitive U.S. data is involved, you may be subject to the DSP. Below are the key transaction types that fall under its scope.

Data involving countries of concern

The DSP prohibits covered data transactions that involve countries of concern, including China, Russia, Iran, and North Korea. These restrictions apply when such countries gain access to, process, or receive transfers of regulated data types, regardless of how that access is structured.

Data involving covered persons

Covered persons are defined as individuals who are citizens or residents of countries of concern. Granting these individuals access to bulk U.S. sensitive personal data or government-related data—even as part of a business transaction or service agreement—qualifies as a covered transaction under the rule.

Government data

Sensitive government-related data includes information shared through federal contracts, R&D projects, or agency partnerships. Sharing this data across borders, intentionally or inadvertently, without proper controls, can trigger enforcement.

Bulk U.S. sensitive personal data

The DSP specifically identifies certain types of personal data as sensitive, especially when it is aggregated at scale. This includes:

  • Health data (including biometric and mental health information)
  • Financial information
  • Precise geolocation data
  • Communications metadata
  • Government-issued identifiers
  • Any combination of identifiers enabling re-identification

The bulk thresholds at which each data type becomes regulated are:

  U.S. Sensitive Personal Data    Threshold (data collected about or maintained on...)
  ----------------------------    ----------------------------------------------------
  Human genomic data              100 U.S. persons
  Human epigenomic data           1,000 U.S. persons
  Human proteomic data            1,000 U.S. persons
  Human transcriptomic data       1,000 U.S. persons
  Biometric identifier            1,000 U.S. persons
  Precise geolocation data        1,000 U.S. devices
  Personal health data            10,000 U.S. persons
  Personal financial data         10,000 U.S. persons
  Covered personal identifier     100,000 U.S. persons

NSD Data Security Program compliance requirements

To comply with the DSP, you need to take proactive steps to restrict foreign access to sensitive data and maintain defensible records of data sharing. Your compliance program is required to be in place by October 6, 2025.

Audit data access and storage

Start by mapping your datasets. Know exactly where sensitive data lives, how it moves through your systems, and who has access to it. Pay particular attention to software environments used for testing or development, where controls may be looser than in production. International access points should be tightly logged and reviewed.

Conduct due diligence

If you’re entering into a vendor agreement or service contract that involves access to covered data, conduct risk-based due diligence. Screen the counterparty to determine whether they are located in or associated with a country of concern, or whether they qualify as a “covered person” under the DSP. Where applicable, provide access to de-identified or synthetic data in place of real-world data, and document compliance steps as part of your internal controls.

Maintain detailed records

The DOJ has made it clear that compliance isn’t just about limiting exposure—it’s also about proving you did so. Maintain audit logs and documentation that show how datasets were prepared, what controls were in place, and who accessed them.

How Tonic.ai enables Data Security Program compliance

Tonic.ai helps organizations reduce their exposure to compliance risk by providing industry-leading solutions for securely replacing, de-identifying, or transforming sensitive datasets before they’re shared or put to use in development and AI workflows—especially across borders.

De-identification

Tonic Structural and Tonic Textual offer intuitive platforms for automatically redacting, masking, or tokenizing sensitive fields in your structured and unstructured datasets. This allows teams to work with realistic data that preserves the structure, relationships, and context of production data without ever exposing real user identities or regulated fields.

Synthetic data generation

Tonic.ai's suite of products also offers model-based data synthesis for generating artificial datasets that reflect the shape and statistical distribution of real-world data without being tied back to real-world individuals. This means you can be confident that you and your vendors are working with high-quality, testable datasets that don't expose personal information.

Built-in auditability

Every action in the Tonic platform is logged—from redactions to synthetic generation. These audit trails and privacy reports can be exported to satisfy compliance requirements and give legal teams full transparency into how datasets are handled.

Get Tonic.ai for Data Security Program compliance

Executive Order 14117 and the NSD’s Data Security Program mark a turning point in how organizations must think about global data sharing. With penalties on the table and enforcement underway, now is the time to reassess how your organization handles sensitive data across borders.

Tonic.ai gives you the tools to proactively eliminate exposure, satisfy compliance obligations, and move fast—without putting your company at risk.

Book a demo to see how Tonic can simplify compliance with de-identification and synthetic data.

Chiara Colombi
Director of Product Marketing

Chiara Colombi is the Director of Product Marketing at Tonic.ai. As one of the company's earliest employees, she has led its content strategy since day one, overseeing the development of all product-related content and virtual events. With two decades of experience in corporate communications, Chiara's career has consistently focused on content creation and product messaging. Fluent in multiple languages, she brings a global perspective to her work and specializes in translating complex technical concepts into clear and accessible information for her audience. Beyond her role at Tonic.ai, she is a published author of several children's books which have been recognized on Amazon Editors’ “Best of the Year” lists.