Clarification Needed: Storing PII Data in AEM as a Cloud Service (Security, Compliance & Encryption)

Question

I wanted to understand whether this is advisable for PII data to be stored within AEM, and what the recommended best practices are.

Some of the questions we’re exploring:

Is it recommended to store PII in AEMaaCS, even in encrypted form?
How does Adobe protect sensitive data at rest and in transit within AEMaaCS?
Are there any Adobe guidelines on handling PII in JCR repositories?
How is it protected from any external attack threats?
Can we implement custom encryption (e.g., using an OSGi service) before storing data?
Are there recommended alternatives, such as storing the PII in a secured backend system instead of AEM?

Would appreciate insights from Adobe experts and the community on the right architectural approach for handling PII securely in AEMaaCS.

rk_pandian · Answer

Hello ​@RanjithR1, storage of PII data comes with a catch - the company that is storing the data might/will need a data protection license and should adhere to the localjurisdiction policies. So please check if this is applicable to your employer. Also,one good rule is, having no PII data is better than having PII data.Usually customer data is not saved in AEM (not recommended as well) and it is better to choose 3rd party storage for the same. You can choose any cloud database (like DynamoDB) or any CRM system (like Hubspot) as they can support more customer oriented outputs (like lead generation, unique visitors etc).While storing in 3rd party systems, you can follow the encryption process and standard safety measures. When AEM is dealing with content traffic and requests, the 3rd party system can deal with the CRUD operations of PII data. In this way, it would be decoupled and easy to maintain. Please check your business need and choose the right option.Hope this helps!Regards,Ramkumar

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded