Seven built-in protections prevent configuration errors and ensure compliance. 
// Automatically enforced at every layer
{
  consent_state: {
    data_processing: "granted",
    ads_personalization: "denied"  // Blocks ad platform delivery
  }
}

// Cannot be bypassed - hardcoded in infrastructure
if (!consent.ads_personalization) {
  block_platform_delivery();
}

2. PII Protection

Plaintext PII is blocked at the edge. This protection cannot be disabled.
// Edge validation
validateEvent(event) {
  if (containsPlaintextEmail(event)) {
    return { error: "Plaintext PII detected", status: 400 };
  }
  // Auto-hash if properly formatted
  event.email = sha256(normalize(event.email));
}

3. Configuration Validation

// Workspace-wide validation before deployment
{
  validations: [
    "attribution_model_consistency",  // Same model across platforms
    "platform_compatibility",         // Model supported by platform
    "utm_uniqueness",                 // No duplicate UTMs
    "required_fields_present"        // All required fields mapped
  ]
}

// Example validation failure
{
  error: "Attribution model 'fractional' not supported by Meta",
  resolution: "Use 'first_touch' or 'last_touch' for Meta"
}

4. Identity Field Restrictions

// Only these identity fields accepted
const ALLOWED_IDENTIFIERS = {
  email: "string",      // SHA-256 hashed
  phone: "string",      // SHA-256 hashed  
  user: "string",       // External user ID
  organization: "string" // Company ID for B2B
};

// Custom fields rejected
{
  custom_field: "value"  // ❌ Blocked - platforms can't use this
}

5. UTM Collision Prevention

// Configuration blocked if UTMs overlap
{
  meta: { utm_source: "social" },
  tiktok: { utm_source: "social" }  // ❌ Collision detected
}

// Must use unique values
{
  meta: { utm_source: "meta" },
  tiktok: { utm_source: "tiktok" }  // ✅ Valid
}

6. Credential Locking

// Credentials locked to active streams
{
  credential_id: "cred_123",
  active_streams: ["meta_conversions", "meta_audiences"],
  deletable: false  // Cannot delete while streams active
}

// Must stop streams first
stopStream("meta_conversions");
stopStream("meta_audiences");
// Now credential can be deleted

7. Error Handling

Automatic error classification and handling: 
{
  retryable_errors: {
    network_timeout: { backoff: "exponential", max_attempts: 3 },
    rate_limit: { backoff: "exponential", max_attempts: 5 },
    server_error_5xx: { backoff: "linear", max_attempts: 3 }
  },
  permanent_errors: {
    invalid_credentials: { action: "pause_and_alert" },
    expired_lookback: { action: "skip_and_log" },
    invalid_data: { action: "skip_and_log" }
  }
}