From day 1 we’ll have to store personally identifying information:
- User identifiers such as email addresses, OpenIDs or other authentication tokens
- User names and content of user profiles
- Connection logs
- Not exactly PII but related: passwords (if we use passwords)

How do we store all of this securely? Note that it’s not just about public relations; it’s also about legal requirements (e.g. GDPR). Where (in which jurisdiction) is it stored? Who has access?