InterviewStack.io LogoInterviewStack.io

Security and Privacy in Product and Program Design Questions

How to integrate security and privacy into product and program planning. Includes mapping data flows through systems, identifying where personally identifiable information is created and stored, applying privacy by design principles such as data minimization and lifecycle management, specifying compliance requirements like GDPR or industry specific regulations, and planning access controls and auditability. Also covers how security and privacy requirements constrain scope, timelines, resourcing, and cross functional collaboration and when to escalate to specialist teams.

MediumTechnical
50 practiced
Design the API and storage model for consent management supporting per-purpose consents, consent versioning, timestamped consent receipts, and revocation with auditability. Specify schema fields (e.g., user_id, purpose_id, consent_version, granted_at, metadata), APIs for checking consent in downstream services, caching strategies for performance, and approaches to maintain immutable receipts for auditors.
EasyTechnical
70 practiced
You are implementing a new registration endpoint that collects: full_name, email, phone, birthdate, and profile_picture. Map the data flow and list where each PII is created, stored, transformed, cached, or logged across these components: frontend, backend API, auth service, user-profile DB, CDN, search/analytics. Provide a concise textual data-flow diagram description and identify three high-risk storage points you would prioritize for mitigation.
MediumTechnical
50 practiced
Implement (or provide clear pseudocode) for a Node.js logging helper that redacts PII from a JSON object before emitting logs. The helper should accept a list of redaction paths (e.g., ['user.email','payment.card.number']), support nested objects and arrays, preserve the original object structure, and avoid mutating the input. Show example input/output and discuss time/space complexity.
MediumSystem Design
45 practiced
Design a role-based access control (RBAC) model for a microservices architecture where both humans and services call internal APIs. Specify how roles, permissions, and scopes are encoded into tokens, how tokens are minted and validated, and strategies for temporary elevated access and emergency revocation. Discuss caching token decisions and consistency concerns.
EasyTechnical
45 practiced
Explain the difference between symmetric and asymmetric encryption and provide three concrete product examples where each technique is appropriate (e.g., symmetric for data-at-rest, asymmetric for key exchange and signing). Briefly discuss secure key storage options (HSM/KMS, secrets manager) and why storing keys in code is dangerous.

Unlock Full Question Bank

Get access to hundreds of Security and Privacy in Product and Program Design interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.