What are best practices for making Temporal GDPR compliant?

Hey, not an expert here but these are some of the most common things I see:

  1. Never store PII directly within the workflows. Instead, pass pointers that reference the actual user data, which is secure and encrypted.
  2. Limit archival length to make it easier to comply with deletion requests. In the future we plan to make it very easy to surgically remove records from archived histories, but it’s difficult today.

Now if you’re considering #1, I would first look into our DataConverter API. This allows you to automatically encrypt all worker traffic to the core service, which means even the Temporal server is dealing with the encrypted data. Our architecture does not care if the data is encrypted or not, so this is a great black box solution.

Another thing that is relevant is the length of your workflows. Many Temporal applications model each user as an infinitely running workflow. If you happen to use this pattern, some extra steps may need to be taken to fully comply with deletion requests (cancelling all associated workflows).

I know this is only a partial answer, so please feel free to push back with more questions.

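The pointer pattern from point 1 and its effect on deletion requests, as an added Go sketch that is not part of the original post and is not Temporal SDK code. `Vault` and its methods are hypothetical names, the key and sample record are constructed, and an in-memory map stands in for a real encrypted datastore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault is a hypothetical PII store kept outside Temporal (not an SDK type).
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // pointer -> nonce || AES-GCM ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, records: map[string][]byte{}}, err
}

func (v *Vault) Put(pii []byte) (string, error) { // returns the pointer a workflow carries
	buf := make([]byte, 16+v.aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ptr, nonce := fmt.Sprintf("%x", buf[:16]), buf[16:]
	v.records[ptr] = v.aead.Seal(nonce, nonce, pii, []byte(ptr)) // ptr bound as AAD
	return ptr, nil
}

func (v *Vault) Resolve(ptr string) ([]byte, error) { // fetches the record when it is needed
	if rec, ok := v.records[ptr]; ok {
		n := v.aead.NonceSize()
		return v.aead.Open(nil, rec[:n], rec[n:], []byte(ptr))
	}
	return nil, fmt.Errorf("pointer %s: erased or unknown", ptr)
}

func (v *Vault) Erase(ptr string) { delete(v.records, ptr) } // serves a deletion request

func main() {
	v, _ := NewVault(make([]byte, 32))           // constructed all-zero demo key
	ptr, _ := v.Put([]byte("alice@example.com")) // constructed sample PII
	v.Erase(ptr)
	fmt.Println(v.Resolve(ptr))
}
```

Workflow inputs and history then hold only the opaque pointer, which no longer resolves to anything once `Erase` has run.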