When performing an XML RPC request, personal information (including some sensitive information) transferred within that request is logged.
If you use XML RPC calls for operating CloudBlue Commerce, you need to make CloudBlue Commerce aware that personal data is transferred within the request, and it should be masked when logged. To do this, you need to update the structure of the request as follows:
For example, you have a method that passes some personal information:
...
<value><string>some personal data</string></value>
...
To avoid logging that information and make it GDPR compliant, change it in the following way:
...
<struct><member><name>censored<name><value><string>some personal data</string></value></member></structure>
...
Such information will not be logged and the privileges of the user on whose behalf a request is called will be taken into consideration:
- If a user performing a read-only request has no permission to access personal information, and the response to that request contains personal information, such information will be masked in response.
- If a user performing a request to modify data has no permission to access personal information, such a request will be declined by CloudBlue Commerce.
Note: The personal information inside the XML RPC requests and responses that occur inside the system are not logged, unless you set the log level to local5, local6, or local7. We do not recommend using levels greater than four for production systems. If you use a level greater than four, you must implement the necessary data protection (such as encryption) to be complaint with GDPR policy.