aantonop / woo-redact

A redaction/data-minimization plugin for WordPress/Woocommerce
GNU General Public License v3.0
32 stars 3 forks

Brainstorming for backing up/encrypting user data alongside clearing #2

Open zachherbert opened 3 years ago

zachherbert commented 3 years ago

Thank you @aantonop for putting this together; we think this plugin is a great idea and will significantly help WooCommerce stores implement good data retention practices.

We currently use WooCommerce's built-in features to clear our customer data 30 days after fulfilling the order. We have user accounts disabled, so we don't have to worry about retaining some data and clearing others.

We will be backing up the data to offline, encrypted storage before clearing. This is because we need to keep certain data for tax/accounting/customer service reasons.

Ideally, we'd like to brainstorm if it is possible to add the following features:

  1. Automatically download an encrypted backup of the customer data before clearing. This ensures that businesses can retain the data, but that it is not exposed online in the WooCommerce database.
  2. Encrypt the customer data within WooCommerce, requiring a password in order to view the data. Then, if an attacker accesses the WooCommerce admin portal or database, they still can't see the customer data.

These two options would likely not be used simultaneously, but could be very powerful. Option 2 would provide another layer of security. I'm not sure, however, that it would be feasible or practical, because you'd want to do things like email the customer, send their shipping info to a carrier, etc.

Maybe Option 2 could be an alternative to clearing the data completely. Instead of clearing it, the plugin could replace the sensitive data with an encrypted version requiring a password.

Let me know what you think of these ideas!

ashfame commented 3 years ago

Hi @zachherbert One problem that I see with Option 1 is that you would need to retain all backups ever taken to recover records, and depending on how many records you need to check, you would need to restore multiple backups one by one or restore to multiple WordPress installs and consolidate the data.

Option 2 sounds much better: you always keep the data as is, but encrypt it once the order reaches complete status. You must use asymmetric encryption here, so that only the public key stays in the application. You wouldn't need any backup strategy for protecting PII anymore, and you simply avoid having to keep all backups and restore multiples of them when the need to read data arises.

But based on your backup schedule, you will always back up some orders unencrypted (orders which haven't reached complete status). Not a big deal if you have a solid backup rotation process in place, which limits the exposure. Ideally you would encrypt the order right away as it comes in and decrypt it on the fulfilment side when it ingests the order data.

Depending on where you want to decrypt the data, security mileage will vary. Client-side decryption in the browser while browsing the WordPress admin is not recommended, as once the private key is leaked it compromises everything. Doing it separately in a different install where the WooCommerce data is mirrored (or the most recent backup restored) is much better. An offline computer is even better. An air-gapped computer is almost the best. It's all about what security threats you want to protect yourself against.

Good idea nonetheless; it all depends on what data one as a business needs to retain. Completely anonymising it is best.

If there is enough interest and the community can fund it, I can build this out.
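The scheme sketched in the two comments above (zachherbert's Option 2, "replace the sensitive data with an encrypted version", and ashfame's refinement: asymmetric encryption applied when the order reaches complete status, only the public key in the application, the private key used on a separate offline machine), as an added example that is not code from the woo-redact plugin or from either commenter. It assumes a P-256 ECDH + AES-256-GCM hybrid construction with a one-step SHA-256 KDF standing in for HKDF, an `Order` struct as a stand-in for WooCommerce's order fields, and the constructed sample order in `main`; `Seal`, `Open`, `RedactCompleted` and `FieldAAD` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Order is a constructed stand-in for the WooCommerce order fields discussed above.
type Order struct{ ID, Status, Total, Email, Address string }

// FieldAAD is the associated data for one field of one order: it binds a sealed
// blob to its row and column, so database write access is not enough to move one.
func FieldAAD(orderID, field string) []byte { return []byte(orderID + ":" + field) }

// aeadFor turns an ECDH secret into an AES-256-GCM AEAD with a one-step SHA-256
// KDF over a fixed label and both public keys (assumed here in place of HKDF).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(append(append([]byte("woo-redact-pii-v1"), shared...), ephPub...), recipientPub...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts to the store's long-term P-256 public key under a fresh ephemeral
// key; the web server holds only the public key, so nothing on it can reverse this.
// Wire format: ephemeral public key (65 bytes) || nonce (12) || ciphertext+tag.
func Seal(recipientPub *ecdh.PublicKey, aad, plaintext []byte) (string, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	gcm, err := aeadFor(eph, recipientPub, eph.PublicKey().Bytes(), recipientPub.Bytes())
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := append(append(eph.PublicKey().Bytes(), nonce...), gcm.Seal(nil, nonce, plaintext, aad)...)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open reverses Seal with the private key, which only exists on the offline machine.
func Open(priv *ecdh.PrivateKey, aad []byte, sealed string) ([]byte, error) {
	blob, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return nil, err
	}
	const pubLen, nonceLen, tagLen = 65, 12, 16
	if len(blob) < pubLen+nonceLen+tagLen {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(blob))
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(priv, ephPub, ephPub.Bytes(), priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], aad)
}

// RedactCompleted is the store-side hook: once an order is completed, each PII
// field is replaced by a blob sealed to the store's public key (Total stays in
// clear for reporting); an order still in progress is returned unchanged.
func RedactCompleted(pub *ecdh.PublicKey, o Order) (Order, error) {
	if o.Status != "completed" {
		return o, nil
	}
	for name, f := range map[string]*string{"email": &o.Email, "address": &o.Address} {
		sealed, err := Seal(pub, FieldAAD(o.ID, name), []byte(*f))
		if err != nil {
			return o, err
		}
		*f = sealed
	}
	return o, nil
}

func main() {
	priv, _ := ecdh.P256().GenerateKey(rand.Reader) // made offline; only priv.PublicKey() goes to the store
	sealed, _ := RedactCompleted(priv.PublicKey(), Order{"1042", "completed", "49.00", "alice@example.com", "1 Main St"})
	email, err := Open(priv, FieldAAD(sealed.ID, "email"), sealed.Email) // the offline step
	fmt.Printf("stored: %+v\nrecovered email: %s (err=%v)\n", sealed, email, err)
}
```

Two design points follow directly from the thread. Gating on `completed` is what makes the scheme workable despite the objection in the first comment: while the order is open, the store still needs the clear email and shipping address, and those rows are the ones that ashfame notes will land unencrypted in backups. The per-field AAD (`orderID:field`) is the check a practitioner would want on top of the sketch: without it, anyone who can write to the database could copy one customer's sealed address into another order and have the offline machine decrypt it in the wrong context, even though they never held the private key. With it, the GCM tag fails and `Open` returns an error.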