Hi everyone,
I’m exploring how to ensure GDPR compliance in an event-sourced system built with Axon Framework, particularly regarding the “right to be forgotten.” I came across a thread where an Axon GDPR module is mentioned that uses crypto-shredding (encrypting personal data in events and deleting the keys when needed). I have a few specific questions about applying this module, or similar solutions:
- Compatibility with Axon Framework without Axon Server
  Can the Axon GDPR module (or its modern equivalent) be used in projects that rely solely on Axon Framework, without Axon Server? For example, if we’re using a custom event store (e.g., JPA or JDBC), are there any dependencies or limitations to consider? I suppose not, but I still want to confirm it.
- Production System with Existing Data
  If our project is already in production with an event store containing unencrypted historical data, how can we apply the GDPR module (or a GDPR-compliant approach)? Specifically:
  - How do we handle existing events: do we need to replay and encrypt them, or is there a way to integrate the module without disrupting the current event log?
- Crypto-Shredding and Other GDPR-Compatible Options
  Is the crypto-shredding approach (encrypting personal data and deleting the key) still considered compatible with GDPR? Additionally, are there other viable options to implement a GDPR-compliant solution in an event-sourced system in Axon?
I’d appreciate insights from anyone who’s implemented this, especially with recent Axon Framework versions, or from the Axon developers themselves.
Thanks in advance!
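The crypto-shredding pattern asked about above, as an added example that is not part of the original post and not the Axon GDPR module’s own code: a per-subject key store kept outside the event store, personal-data fields sealed with AES-GCM before they go into the event payload, and a Shred step that deletes only the key, so replay of the untouched event log yields a redaction marker instead of the data. Written in Go with the standard library; the names KeyStore, Encrypt, Decrypt, Shred and Reveal are assumptions, and the code stands in for, rather than calls, any Axon API.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
var ErrShredded = errors.New("key shredded") // key deleted: field unrecoverable by design
// KeyStore (assumed name; construct with KeyStore{}) holds one AES-256 key per data
// subject, kept outside the event store; events are never rewritten, only keys are deleted.
type KeyStore map[string][]byte
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(block)
	return g
}
// Encrypt seals one personal-data field; nonce || ciphertext || tag is what gets persisted.
func (ks KeyStore) Encrypt(subject string, plaintext []byte) []byte {
	key, ok := ks[subject]
	if !ok { // first event for this subject: generate its key
		key = make([]byte, 32)
		rand.Read(key)
		ks[subject] = key
	}
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh nonce per field; never reuse one under the same key
	return g.Seal(nonce, nonce, plaintext, nil)
}
// Decrypt opens a field during replay; after Shred it returns ErrShredded.
func (ks KeyStore) Decrypt(subject string, sealed []byte) ([]byte, error) {
	key, ok := ks[subject]
	if !ok {
		return nil, ErrShredded
	}
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil) // also fails on tampering
	}
	return nil, errors.New("ciphertext too short")
}
// Shred is the "right to be forgotten" step: the immutable event stays, the key goes.
func (ks KeyStore) Shred(subject string) { delete(ks, subject) }
// Reveal is what a projection does on replay: plaintext, or "<redacted>" once shredded.
func (ks KeyStore) Reveal(subject string, sealed []byte) string {
	if pt, err := ks.Decrypt(subject, sealed); err == nil {
		return string(pt)
	}
	return "<redacted>"
}
```

Existing unencrypted history is outside what this shows: the pattern only protects fields that were sealed when the event was written, and a subject id must stay in clear text so the projection can find the right key.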