Purpose
This guide covers data protection in the Rentiva infrastructure, GDPR/KVKK compliance, and incident response processes.
Security & Privacy Operations
Rentiva operates under the "Security by Design" principle, maintaining strict control over data from the moment it is collected to the moment it is destroyed.
Security Layers and Tools
Access Control (AuthHelper)
All admin and API access passes through AuthHelper::verify_request().
- Capability Checks: Operational actions can be restricted with the custom rentiva_financial_manager capability instead of manage_options.
- API Key Rotation: API keys should be rotated every 90 days as a precaution against potential compromise.
Input Security (SecurityHelper)
Every value entering the database passes through SecurityHelper::validate_* methods:
- XSS Protection: HTML content is filtered through a whitelist via wp_kses.
- SQLi Protection: Raw SQL is prohibited; all queries are parameterized using $wpdb->prepare().
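The two rules above, shown with the WordPress functions they name. This is an added example, not Rentiva's own code: the function names, table name, and status values are hypothetical, and it assumes it runs inside a loaded WordPress plugin. It covers two cases that prepare() alone does not handle: LIKE wildcards and IN() lists.

```php
<?php
// Added example: hypothetical names throughout; requires WordPress to be loaded.

/** Search bookings by note text, restricted to an allowlisted set of statuses. */
function rentiva_example_search_bookings( string $term, array $statuses, int $limit = 20 ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'rentiva_example_bookings'; // hypothetical table name

    // Enumerated values are checked against an allowlist before reaching SQL.
    $allowed  = array( 'pending', 'confirmed', 'cancelled' ); // constructed sample set
    $statuses = array_values( array_intersect( $allowed, array_map( 'sanitize_key', $statuses ) ) );
    if ( empty( $statuses ) ) {
        return array();
    }

    // prepare() quotes the value but does not escape LIKE wildcards (% and _);
    // esc_like() must be applied first, then the surrounding % added.
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';

    // Build one %s placeholder per IN() value; the values stay out of the SQL text.
    $in = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );

    // Prohibited form for comparison: "... WHERE note LIKE '%{$term}%'"
    $sql = $wpdb->prepare(
        "SELECT id, status, note FROM {$table}
         WHERE note LIKE %s AND status IN ($in)
         ORDER BY id DESC LIMIT %d",
        array_merge( array( $like ), $statuses, array( max( 1, min( 100, $limit ) ) ) )
    );

    return $wpdb->get_results( $sql, ARRAY_A ) ?: array();
}

/** Filter note HTML through a wp_kses allowlist before it is stored. */
function rentiva_example_clean_note( string $html ): string {
    $allowed_html = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
    // The third argument limits URL schemes, so a javascript: scheme in href is stripped.
    return wp_kses( $html, $allowed_html, array( 'http', 'https', 'mailto' ) );
}
```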
Data Privacy (Privacy & GDPR)
Data Anonymization
When a user account is deleted or the legal retention period expires:
- PrivacyManager::anonymize_user_data() is triggered, masking names, email addresses, and IP addresses as deleted_u_{id}.
- Rule: Financial Ledger records are anonymized but not deleted, in order to preserve accounting integrity.
Data Retention Policy
- Web Logs: Automatically purged after 30 days.
- Audit Logs: Retained as read-only for 2 years as required by law.
Incident Response Protocol
When a data breach or anomaly is detected:
- Isolation: Affected IP addresses are globally blocked via RateLimiter.
- Snapshot: The current state of the database is backed up for forensic analysis.
- Analysis: AdvancedLogger records are scanned to determine the scope of the breach.
- Notification: Affected users and authorities are notified within the legal timeframe (72 hours for GDPR).
Security Flow Diagram
Section Summary
- Security operations follow the "Least Privilege" principle.
- Ledger data is the most sensitive part of the system; direct intervention is prohibited.
- Privacy and security are guaranteed through continuous monitoring.
Changelog
| Date | Version | Note |
|---|---|---|
| 23.04.2026 | 4.27.2 | English translation added. |
| 19.03.2026 | 4.21.2 | Page updated with SecurityHelper and anonymization protocols. |