Why the GDPR Module?
An easy-to-use, standards-based library to erase personal data in an immutable event store.
Erase personal data in an immutable event store
When doing event sourcing, we need to store events. These events are (at least conceptually) immutable and undeletable. But these events may contain personal data, and according to the GDPR privacy regulation, data subjects have a right to erasure. Axon Framework doesn't require event sourcing, but it does enable it. The vast majority of Axon Framework users choose to work with event sourcing, because it has great business benefits. The GDPR Module offers a clean, easy-to-implement way to erase data from an immutable event store. It will help you be compliant while still avoiding nasty hacks and workarounds that would compromise your architecture.
Easy to implement, using annotations
For many organizations, becoming compliant with GDPR is a huge effort already. Having to do complex rewrites of existing applications, just to implement the right to erasure, is not a nice prospect. Luckily, with the AxonIQ GDPR Module, you won't have to. It has been designed from the ground up to be easy to implement in existing applications, without impacting any existing business logic. The main mechanism to configure the module is Java annotations: a standardized way to attach additional behavior to existing Java code. In this case, the behavior is that particular fields always need encryption.
Based on industry standards
The notion of cryptographic erasure wasn't invented by AxonIQ. The technology has been widely used for many years, particularly in the context of hard drive security. Self-encrypting hard drives, which can erase themselves by changing the encryption key, are widely available. Industry standards such as NIST SP 800-88 Rev 1 and ISO/IEC 27040 support this notion as well. The AxonIQ GDPR Module brings this cryptographic erasure functionality to the application level, using the same strong, standardized cryptography, in particular AES-256.
Delete what must be deleted; keep what you can keep
To comply with GDPR's right to erasure, you might consider deleting entire events, or even bigger chunks of data. This is easier to do than clearing individual data fields, but has significant drawbacks: you lose more valuable information than necessary, and technically the absence of entire events may introduce unforeseen problems. The AxonIQ GDPR Module provides you with fine-grained control: when the right to erasure is exercised, only what really needs to be deleted is deleted. Both your main applications and any event-driven analytics system will be minimally impacted. The control is so fine-grained that it, for instance, allows you to delete the month and day-of-month parts of a date of birth while keeping the year part for anonymous analytics.
Supports wide range of key management systems
When using the GDPR Module, you will need to store cryptographic keys somewhere. There are many potential ways of doing that, and some organizations have internal standards on how it should be done. The GDPR Module offers a wide range of key management systems out of the box, including relational databases, hardware security modules, and HashiCorp Vault. It can also easily be adapted to support new key management systems if the system your organization uses isn't supported yet.
The GDPR Module isn't a new run-time component to manage. It's just a Java library, distributed as a jar file together with sample test code, API docs and a reference guide. After installing the jar in your local Maven repository or your organization's artifact server, you can simply include it as a dependency in your project, and start using it. To store keys for real, you'll need to configure the module to use a database or some other key management system, but to make development easy, we have also included a no-configuration in-memory key management system for use during unit tests.
The GDPR Module has an explicit API method to encrypt and decrypt objects, but to make integration of the module in an Axon application even easier, it includes a FieldEncryptingSerializer. This serializer will encrypt before serialization, and decrypt after deserialization, minimizing the effort needed to integrate. Because the Serializer interface is Axon-specific, and because it has changed between Axon versions, we ship three versions of the GDPR Module: for use with Axon 3, for use with Axon 2, and for use without Axon Framework at all. And, as we know that many JVM developers are looking beyond vanilla Java nowadays, we have made sure that the library integrates easily with Kotlin and Scala as well.
Supporting complex objects
In simple cases, you may be looking to encrypt some individual String fields in an event object. In real-world cases, things can get a lot more complex: events may contain other objects which contain personal data, or various collections thereof. And it may not just be about Strings; dates, numbers, byte arrays and other data types may contain personal data as well. The GDPR Module supports arbitrarily complex object graphs (including cyclic ones!) and handles all these cases. It knows how to deal with collections, distinguishing between immutable and mutable ones, and understands both the Java and Scala collection hierarchies.
So, what happens if you're decrypting an object after the encryption key has already been erased? It's up to you. By default, the module will in this case render String fields empty, set primitive fields to their type's default, and make other fields null. Alternatively, you might configure the module to set the field to some other value, throw an exception, show part of the original cleartext, or anything else. It's flexible. Similarly, you may choose to use one key per object, or multiple keys, and you may use one of the standard ways to store keys, or implement your own. The module provides reasonable, easy-to-use defaults, while at the same time providing hooks to customize the behavior if desired.
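As an added illustration of the cryptographic erasure described above (this is not code from the GDPR Module; the `CryptoErasureDemo` class, its in-memory key store and the subject id are hypothetical), the following shows one AES-256-GCM key per data subject, encryption of a single String field as it would be stored in the event, and the empty-String default once that subject's key has been deleted while the event itself stays untouched:

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
// Hypothetical in-memory key store: one AES-256 key per data subject; erasure = delete the key.
public class CryptoErasureDemo {
    private static final Map<String, SecretKey> KEYS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    static SecretKey keyFor(String subjectId) throws Exception {
        SecretKey k = KEYS.get(subjectId);
        if (k == null) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);                       // 256-bit AES; some JDKs need the unlimited-strength policy
            k = kg.generateKey();
            KEYS.put(subjectId, k);
        }
        return k;
    }
    static void erase(String subjectId) { KEYS.remove(subjectId); }   // right to erasure: drop the key only
    // AES-256-GCM with a fresh random nonce; nonce || ciphertext is base64-encoded for the event payload.
    static String encrypt(String subjectId, String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFor(subjectId), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Without the key the field decrypts to the described String default (""); with it, to the original value.
    static String decrypt(String subjectId, String stored) throws Exception {
        SecretKey k = KEYS.get(subjectId);
        if (k == null) return "";
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_LEN));
        return new String(c.doFinal(in, NONCE_LEN, in.length - NONCE_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String stored = encrypt("subject-42", "Jane Doe");   // what the immutable event store keeps
        System.out.println(decrypt("subject-42", stored));    // Jane Doe
        erase("subject-42");
        System.out.println(decrypt("subject-42", stored));    // empty string; the stored event is unchanged
    }
}
```

The primitive-default and null behaviours for non-String fields follow the same pattern in the decrypting path, keyed on the field's declared type.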
Getting started with the GDPR Module
Follow these simple steps to integrate the module in your application
At this point, there is no automated free download of the GDPR Module. But if you contact us through the form on this website, or send an email to firstname.lastname@example.org, we'll happily provide you with access to a trial/evaluation version, including all the documentation, so you can get started.
Download, install, test
Once we've provided you with the download instructions, get the binaries and install them to either your local Maven repository (for an individual developer) or a centralized Maven repository. To make everything work, make sure that you have the license key as well, and ensure that your system is configured to allow 256-bit AES encryption; some Java environments don't allow this by default. The module ships with several test projects. If everything is installed correctly, you should be able to build these.
Modify your project
Include the GDPR Module as a dependency in your project. Make sure you select the right version, based on the version of Axon Framework you use, if any. Assuming you're using Axon, update your serializer configuration to use the FieldEncryptingSerializer provided by the GDPR Module, and select a CryptoEngine implementation to use. Annotate your event classes with the GDPR Module's annotations. See the manual for all the options available.
Update old events
The operations performed by the GDPR Module are idempotent, and as a result the module works perfectly well if your event store contains a mixture of new, encrypted events and old, plaintext events. Still, to enable cryptographic erasure of these old events, you may want to encrypt them as well. For this, simply read them, deserialize, serialize and store them, potentially to a new event store.