Erase personal data in an immutable event store

When doing event sourcing, we need to store events. These events are (at least conceptually) immutable and undeletable. But these events may contain personal data, and according to the GDPR privacy regulation, data subjects have a right to erasure. Axon Framework doesn't require event sourcing, but it does enable it. The vast majority of Axon Framework chooses to work with event sourcing because it has great business benefits. The Axon Data Protection module offers a clean, easy-to-implement way to erase data from an immutable event store. It will help you be compliant while still avoiding nasty hacks and workarounds that would compromise your architecture.

Easy to implement, using annotations

For many organizations, becoming compliant with GDPR is a huge effort already. Having to do complex rewrites of existing applications to implement the right-to-erasure is not a nice perspective. Luckily, with the Axon Data Protection module, you won't have to. It has been designed from the ground up to be easy to implement in existing applications without impacting any existing business logic. The main mechanism to configure the module is to use Java annotations: a standardized way to provide additional behavior to existing Java. In this case, the behavior that particular fields always need encryption.

Based on industry standards

The notion of cryptographic erasure hasn't been invented by AxonIQ. The technology has been widely used for many years, particularly in the context of hard drive security. Self-encrypting hard drives that can erase themselves by changing the encryption are widely available. Industry standards such as NIST SP 800-88 Rev 1 and ISO/IEC 27040 support this notion as well. The Axon Data Protection module brings this cryptographic erasure functionality to the application level, using the same strong, standardized cryptography, in particular AES-256.

Delete what must be deleted; keep what you can keep

To comply with GDPR's right to erasure, you might consider deleting entire events or even bigger chunks of data. This is easier to do than clearing individual data fields but has significant drawbacks: you lose more valuable information than would be necessary, and technically the absence of entire events may introduce unforeseen problems. The Axon Data Protection module provides you with fine-grained control: when the right to erasure is exercised, only delete what really needs to be deleted. Both your main applications and any event-driven analytics system will be minimally impacted. The control is so fine-grained that it allows you to delete the month and day-in-month parts of a date-of-birth while keeping the year part for anonymous analytics.

Supports a wide range of key management systems

When using the Axon Data Protection module, you will need to store cryptographic keys someplace. There are many potential ways of doing that, and some organizations have internal standards on how it should be done. The Axon Data Protection module offers a wide range of key management systems out-of-the-box, including relational databases, hardware security modules, and HashiCorp Vault. Also, it can easily be adapted to support new key management systems if the system your organization uses isn't supported yet.