A HashiCorp Case Study
Capgemini was building a microservice platform for Norwegian health-related services that would eventually need to handle sensitive personal and health data under strict GDPR requirements. Their challenge was to reconcile immutable event sourcing with obligations such as the right to be forgotten, data retention, and strong access control. They turned to HashiCorp Vault to help secure sensitive data and support a privacy-by-design approach.
HashiCorp implemented a solution using Vault’s transit secrets engine, key derivation, and secret management to encrypt personal data at rest and in transit, including double encryption with per-user and per-retention-period keys. By deleting keys instead of event records, Capgemini could make personal data unreadable across events, logs, and backups while preserving application state. The approach also provided a way to demonstrate correct encryption through JSON schema validation and logging, helping Capgemini build a GDPR-compliant event-sourcing platform with zero-trust security principles.
Bjørn Lilleeng
Security Architect
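The crypto-shredding pattern described above, as an added Go illustration that is not Capgemini's or HashiCorp's code: an in-memory key map stands in for Vault's transit engine, each event payload is encrypted under a per-user key and then again under a per-retention-period key, and erasure or retention expiry deletes a key rather than an event. The event fields, key naming and the use of AES-256-GCM are assumptions made for the example.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// Event is an immutable, append-only record; Payload is nonce||ciphertext, wrapped twice.
type Event struct{ UserID, Period string; Payload []byte }
// Store keeps events forever; keys live apart from the log (a stand-in for Vault's transit engine).
type Store struct{ Events []Event; userKeys, periodKeys map[string][]byte }
func NewStore() *Store { return &Store{userKeys: map[string][]byte{}, periodKeys: map[string][]byte{}} }
// keyFor returns the 256-bit key for id (a data subject or a retention period), creating it on first use.
func keyFor(m map[string][]byte, id string) []byte {
	if m[id] == nil { m[id] = make([]byte, 32); rand.Read(m[id]) } // crypto/rand: failure is not expected
	return m[id]
}
// crypt seals (enc=true) or opens (enc=false) data with AES-256-GCM under key.
func crypt(key, data []byte, enc bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if !enc {
		if len(data) < n { return nil, errors.New("ciphertext too short") }
		return aead.Open(nil, data[:n], data[n:], nil)
	}
	nonce := make([]byte, n); rand.Read(nonce)
	return aead.Seal(nonce, nonce, data, nil), nil
}
// Append double-encrypts: inner layer under the user key, outer layer under the retention-period key.
func (s *Store) Append(user, period string, plaintext []byte) error {
	inner, err := crypt(keyFor(s.userKeys, user), plaintext, true)
	if err != nil { return err }
	outer, err := crypt(keyFor(s.periodKeys, period), inner, true)
	if err != nil { return err }
	s.Events = append(s.Events, Event{user, period, outer})
	return nil
}
// Read fails once either key is gone; the event record itself is never modified.
func (s *Store) Read(i int) ([]byte, error) {
	pk, okP := s.periodKeys[s.Events[i].Period]
	uk, okU := s.userKeys[s.Events[i].UserID]
	if !okP || !okU { return nil, errors.New("key deleted: payload is permanently unreadable") }
	inner, err := crypt(pk, s.Events[i].Payload, false)
	if err != nil { return nil, err }
	return crypt(uk, inner, false)
}
// Forget honours the right to be forgotten by deleting only the user's key (crypto-shredding).
func (s *Store) Forget(user string) { delete(s.userKeys, user) }
// ExpirePeriod ends a retention period by deleting its key, making every event in it unreadable.
func (s *Store) ExpirePeriod(period string) { delete(s.periodKeys, period) }
```

Because backups and logs hold only the doubly wrapped ciphertext, deleting a key in the key store is what renders every copy unreadable, which is why the key store (Vault in the case study) must itself be tightly access-controlled and audited.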