How is Vault GDPR compliant?

HashiCorp Vault features—including mount filters, unified identity, and control groups—cover many of the GDPR requirements.


Andy Manoske, Vault Product Manager, HashiCorp

GDPR compliance is a very complex topic. It's a complex topic for a number of reasons:

First, there is no one single software solution that will render an organization GDPR compliant. Second, GDPR compliance varies depending upon the supervisory authority that you're talking to—i.e., the regulatory body that exists within various different parts of the European Union that will evaluate your compliance or non-compliance with GDPR in the event of a data breach or other type of serious situation.

Vault enables an organization to resolve many of the different provisions of GDPR, enumerated in articles, around how sensitive data is stored, how sensitive data is retrieved, and ultimately how encryption is leveraged to protect PII data for EU citizens, and EU PII data [that's] simply resident in a large global infrastructure.

Vault mount filters: Protecting PII geographic movement

The first is something called mount filters. Mount filters are a series of features that allow you to physically protect which data is being moved between different clusters. Traditionally, clusters within Vault are configured on a geographical basis. You have one cluster in a certain geographic area, another cluster in a certain geographical area. They're generally seen as ways to isolate risk associated with some kind of geographically focused event, either physically or in relation to an availability zone or a region within a cloud infrastructure.

We can then, using mount filters, control which PII data moves between different geographies physically in a way that is required as part of GDPR, specifically articles that require that PII data only move between regions that have equal to or greater than protections enumerated within GDPR.

Vault unified identity: The principle of least privilege for PII

We can also use different features within Vault around how Vault handles identity, which is a suite of features called unified identity, to protect and make sure that individuals only have limited access to the secrets that are PII data for their specific role. A very important part of GDPR is this principle of least privilege that you are only using and have access to PII data for a single purpose for a certain period of time. Using the unified identity system within Vault as well as expiry periods for dynamic secrets allows you to ensure that least privilege is enforced.

Vault control groups: The dual access and controller provisions of GDPR

Finally, GDPR requires groups of controllers to certify that accessors—who are attempting to use and access PII data—do so in a way that is expressly permitted by these different controllers and administrators. Vault Enterprise has a feature called control groups, which allow different entities, different organizations, different groups, different applications to be required to certify that access is given for a specific path of secrets. This would allow you to implement the dual-access and -controller provisions of GDPR in a way that abides by the intent and purpose of having many individuals approve access to PII for a certain period of time.
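The least-privilege and dual-control points above come together in a single Vault policy. The policy below is an added illustration, not code from the talk or from HashiCorp; the mount name `secret` (a KV v2 engine), the path `eu-pii/customers/*`, the identity group `dpo-approvers` and the factor name `dpo` are all assumed. The `control_group` stanza is a Vault Enterprise feature, as the talk notes.

```hcl
# Added example policy (not HashiCorp's own): scopes a role to one PII
# prefix and requires a second party's approval before each read.
# Assumed names: KV v2 mount "secret", path "eu-pii/customers/*",
# identity group "dpo-approvers". control_group needs Vault Enterprise.

# Least privilege: the holder may read this one prefix and nothing else.
# No "list" or "update" capability, so the token can neither enumerate
# nor modify other PII entries under the mount.
path "secret/data/eu-pii/customers/*" {
  capabilities = ["read"]

  # Dual control: each read is parked until a member of the
  # "dpo-approvers" identity group authorizes it. ttl/max_ttl bound how
  # long the approved request stays usable, so access is time-limited.
  control_group = {
    ttl     = "30m"
    max_ttl = "1h"
    factor "dpo" {
      identity {
        group_names = ["dpo-approvers"]
        approvals   = 1
      }
    }
  }
}

# The KV v2 metadata path (version history, timestamps) is denied
# explicitly, so the same token cannot infer activity on other records.
path "secret/metadata/eu-pii/*" {
  capabilities = ["deny"]
}
```

Load it with `vault policy write <name> <file>` and attach the policy name to the application's auth role rather than to a human user; the expiry of the token that carries it does the "certain period of time" part. Keeping the `secret` mount out of non-EU secondaries is a separate replication path filter configured on the primary for each secondary, not something a policy can express.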
