SilverStripe is an application framework which can be used to process and store data. Any data can be sensitive, particularly if it is considered personal data. Many regulatory frameworks such as the EU General Data Protection Regulation (GDPR) can be interpreted to regard basic data points such as email and IP addresses as personally identifiable data.
This document is aiding implementors and auditors in determining the impact of using the SilverStripe Framework and CMS to build online services. Since every website and app built with SilverStripe will be different, it can only provide starting points.
The SilverStripe CMS does not provide any built-in mechanisms for users to submit personal data, or register a user account. CMS authors are created by administrators through the CMS UI. Since even the email address required to create such an account can be considered personal data, you’ll need to get consent from existing and new CMS authors, or cover this through other contractual arrangements with the individuals.
The primary location where SilverStripe can be configured to store personal data is the database. Under different regulations, individuals can have the "right to be forgotten", and can ask website operators to remove their data. Most of the time, CMS administrators can action this without any technical help through the CMS (through the “Security” section, or specialised UIs like user defined forms).
Be careful with Versioned records containing personal data: These might require development effort to completely remove. Note that CMS users aren’t versioned by default, so you can completely remove them through the UI.
Transmission and Processing
SilverStripe recommends the use of encryption in transit (e.g. TLS/SSL), and at rest (e.g. database encryption), but does not enforce these.
SilverStripe will default to using PHP sessions for tracking logged-in users,
which uniquely link users to their device/browser through a session cookie.
If the user chooses the "Remember me" feature on login,
this unique link will persist across sessions.
The default cookie lifetime for this feature is 48h.
SilverStripe\Security\Member::$auto_login_token_lifetime for details.
SilverStripe is configured by default to record login attempts, in order to lock out users
after a defined number of attempts, and hence limit the attack surface of the login process.
This is predicated on tracking the IP address of the attempt, which can be considered personal data.
IP addresses related to these attempts are stored indefinitely unless manually purged
SilverStripe\Security\Security::$lock_out_after_incorrect_logins for details.
Logging and Exceptions
SilverStripe provides a logging mechanism, which depending on your usage, configuration and hosting environment might store personal data outside of the SilverStripe database. The core system stores personal data for members, but does not log it.
As a PHP application, SilverStripe can also throw exceptions. These can include metadata such as method arguments and session data. If your application is configured to catch exceptions and log them (e.g. via a SaaS product), you could inadvertently store personal data in other systems. One mitigation is to create whitelists based on parameter naming, see the silverstripe/raygun module for an example implementation.