We are considering to use Canton and Fabric for a project, where the client wants Hyperledger Fabric, and GDPR requirements apply.
In a pure Fabric implementation Fabric’s Private Data Collection feature can be used to comply with GDPR.
In the Canton documentation describing the Canton Fabric domain I couldn’t find any info about this topic:
https://www.canton.io/docs/stable/user-manual/usermanual/domains/fabric.html
Indeed, we’ve been discussing to use PDC for such purposes. However, the current Fabric integration does rely on Channels and not on PDCs.
Therefore, adding support for PDCs is a question of prioritization and enterprise client demand.
Best,
Ratko
Thank you @Ratko_Veprek can you imagine such a solution that we separate the GDPR sensitive data from the non GDPR sensitive data, and handle the GDPR sensitive data in a PostgreSQL domain, from where the data can be pruned, and the GDPR non sensitive data in a Fabric domain?
@Ratko_Veprek another question: does Canton encrypt the data which are stored in the persistent storage layer (PSQL. Fabric)?
The domain only sees encrypted contract payloads (but it sees the transaction metadata). So it knows that participant A is doing some transaction with B and C, but it has no idea what the transaction is (no knowledge about package, template, contract data, contract ids, involved parties).
The participants store their data in Postgres / Oracle / H2 (unstable). Postgres and Oracle can be configured to encrypt the data at rest, but that’s an database configuration question, not a Canton configuration property.
That’s difficult to judge. It really depends on your workflows. You could indeed run the system with two domains and ensure with appropriate party allocations that the personal sensitive data can not be transferred to Fabric. If it works depends on the workflows you intend to run. But it seems to be a bit of a complex workaround.
Thank you for your answers!