🌍 Server Infrastructure

Web Server (Shop System):

• Location: Non-EU country
• Outside German and European jurisdiction
• No data storage after order completion
• All customer data is immediately pseudonymized

Email Server (Accounting Archive):

• Completely decentralized from web server
• Technically and physically separated
• Different provider, different infrastructure
• Only for invoice PDFs (legal 10-year retention requirement)
• Encrypted access via dedicated email address
• No connection to shop system

Why this separation?

• If web server is seized: No customer data available
• Maximum security through physical separation

🔐 Encryption

Standard: AES-256-GCM

• Same standard as online banking
• 256-bit key length
• GCM mode (Galois/Counter Mode) with authentication
• Prevents manipulation of encrypted data

What is encrypted?

• Invoice PDFs on the email server
• File deletion: Overwriting with encrypted random data

🔄 Automated Pseudonymization

When exactly does it happen?

• Trigger: Order status is set to "Completed"
• Timing: When package is shipped or shortly before shipping
• Automatic: No manual intervention required
• Irreversible: Original data is permanently deleted afterwards

Technical Method: HMAC-SHA256

• Hash-based message authentication
• With server-specific salt (SECURE_AUTH_SALT)
• 256-bit hash output

What is pseudonymized?

• Name: "John Doe" → "Customer K-A7F9B2C5"
• Email: "john@example.com" → "customer-a7f9b2c5@pseudonymized.local"
• Street: "Main Street 42" → "Street S-X3Y8Z4K9"
• City: "Berlin" → "City-O-B4C8D3F7"
• ZIP: "12345" → "12XXX"

What is preserved?

• Order number
• Product details
• Prices
• Order date

🗑️ Secure File Deletion

What is deleted?

• Invoice PDF from web server
• Shipping label PDF
• All order attachments

3-step deletion method:

1. Overwrite:
   • Generate random data (random_bytes)
   • Encrypt it with AES-256-GCM
   • Overwrite original file with encrypted data
   • Advantage: Even with partial recovery only data garbage
2. Sync command:
   • Forces writing data to physical hard drive
   • Prevents data from remaining only in cache
   • Command: exec('sync')
3. Delete:
   • unlink() - Removes file from file system
   • On SSDs: Triggers TRIM command
   • File system marks storage space as free

📦 Tracking Data (40-Day Rule)

Why 40 days?

• Legal withdrawal period: 14 days
• Typical complaint period: ~30 days
• Buffer for delayed deliveries or problem cases
• After 40 days: No more support requests expected

What is stored? (Days 1-40)

• Complete tracking number (e.g. "JJD000123456789DE")
• Complete ZIP code (e.g. "12345")
• Linked to: Order number and article

Automatic pseudonymization (from day 41):

• Tracking number: HMAC-SHA256 hash
  • Input: "JJD000123456789DE"
  • Output: "TRACK-A7F9B2C5"
  • Prefix "TRACK-" for recognizability
  • 8 character hash
• ZIP: Truncation to prefix
  • Input: "12345"
  • Output: "12XXX"
  • First 2 digits remain
  • Rest replaced with "XXX"
• Original data is permanently deleted

Cronjob:

• Runs daily at 04:00
• Checks all orders older than 40 days
• Automatically pseudonymizes tracking data

📧 Accounting Archive (10 Years)

Legal basis:

• § 147 AO (German Tax Code): 10-year retention requirement
• Applies to: Invoices
• No exceptions possible

What is archived?

• Invoice PDF in original format (contains: name, address, order details, amount)
• Is NOT pseudonymized

Storage location: Decentralized email server

• Dedicated email address for accounting only
• Automatic sending after invoice creation
• Invoices stored in original format (not pseudonymized)
• Not stored on web server
• Different provider than web hosting

🚫 No Customer Accounts

What was disabled?

• WooCommerce account registration completely disabled
• "Create account" option removed at checkout
• "My account" page disabled
• Login function for customers not available

Guest checkout only:

• For each order: Enter data anew
• No saved addresses
• No order history in frontend
• No "forgot password"

Why?

• Customer accounts = permanent data storage
• Contradicts pseudonymization concept
• Every active account would be a privacy risk
• In case of server seizure: Login data accessible

Admin access remains:

• WordPress admin login still possible
• For operators/employees only
• Separate credentials
• Not accessible to end customers