ENG-2375: Add privacy assessment and answer history store schema

[thabofletcher]

Ticket ENG-2375

Description Of Changes

Adds the database schema for the Privacy Assessment and Answer History Store feature. This provides the foundation for CPRA/DPIA risk assessments with version tracking for all answer changes, enabling audit trails and the ability to revert to previous versions.

The schema supports:

• Multiple assessment types (CPRA, DPIA, etc.) with versioned templates
• Questions grouped by regulatory requirements
• Full version history for every answer change
• Tracking of answer source (system, AI, user, Slack)
• Audit logging with diff tracking

Code Changes

• Added src/fides/api/models/privacy_assessment.py with 5 new SQLAlchemy models:
  • AssessmentTemplate - Versioned templates for assessment types
  • AssessmentQuestion - Questions with requirement grouping and ordering
  • PrivacyAssessment - Individual assessments linked to systems/declarations
  • AssessmentAnswer - Answers with current version reference
  • AnswerVersion - Immutable history of all answer changes with diffs
• Added Alembic migration with seed data for California CPRA Risk Assessment template (16 question groups, 31 questions)
• Updated src/fides/api/db/base.py to register new models
• Updated .fides/db_dataset.yml with annotations for new tables
• Added changelog entry

Steps to Confirm

1. Run nox -s dev to start the development environment
2. Verify migration runs successfully: docker exec fides-fides-1 alembic upgrade head
3. Verify tables exist: Check for assessment_template, assessment_question, privacy_assessment, assessment_answer, answer_version
4. Verify seed data: Query assessment_template for CPRA template and assessment_question for 31 questions
5. Run migration checks: nox -s pytest_api -- tests/ops/migration_tests/

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • Migrations included - adds 5 new tables with seed data
• Documentation:
  • No documentation updates required (internal schema, API docs will come with fidesplus PR)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Feb 7, 2026 0:21am
fides-privacy-center	Ignored		Feb 7, 2026 0:21am

[greptile-apps]

Greptile Overview

Greptile Summary

Added comprehensive database schema for Privacy Assessment and Answer History Store feature supporting CPRA/DPIA risk assessments. The implementation includes 5 new tables with proper relationships, indexes, and cascade behaviors.

Key Changes:

• Created AssessmentTemplate model for versioned assessment definitions (CPRA, DPIA)
• Created AssessmentQuestion model with grouping by regulatory requirements
• Created PrivacyAssessment model linking assessments to systems/declarations
• Created AssessmentAnswer and AnswerVersion models for version tracking with audit trail
• Migration includes seed data: 2 templates (CPRA, GDPR DPIA) and 31 CPRA questions across 10 requirement groups
• Properly handles circular FK relationship between assessment_answer and answer_version using use_alter=True and post_update=True
• Previous review feedback addressed: uses server_default="t" for boolean columns
• All models follow codebase conventions: singular table names, proper indexes, and CASCADE delete behaviors

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• Schema-only change with well-designed models, proper FK constraints, comprehensive indexes, and correct migration patterns. Previous review comments have been addressed (server_default format). The circular FK relationship is properly handled with use_alter=True. Includes both upgrade and downgrade migrations.
• No files require special attention

Important Files Changed

Filename	Overview
src/fides/api/models/privacy_assessment.py	Added 5 well-structured SQLAlchemy models for privacy assessments with proper relationships, enums, and indexes
src/fides/api/alembic/migrations/versions/xx_2026_02_05_1500_b2c3d4e5f6g7_add_privacy_assessment_schema.py	Migration creates 5 tables with proper indexes, circular FK handling, seed data for CPRA/DPIA templates, and correct downgrade
.fides/db_dataset.yml	Added data category annotations for all 5 new tables with system.operations classification

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[thabofletcher]

@greptileai

[greptile-apps]

_{3 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}