AI Summary
This work addresses the challenge of enforcing GDPR compliance in untrusted cloud environments, where existing key-value stores often fall short due to high performance overhead or intrusive modifications. The authors propose GDPRuler, a transparent and trusted middleware that operates without altering underlying storage systems such as Redis or RocksDB. Deployed within confidential virtual machines, GDPRuler employs a declarative, policy-driven compliance monitor to enforce GDPR rules and maintain tamper-proof audit logs. By embedding verifiable compliance capabilities at the middleware layer and integrating compact metadata encoding, specialized query indexes, and an efficient logging mechanism, the system ensures data integrity while significantly reducing overhead. Experimental results demonstrate that GDPRuler achieves 61% of native throughput, incurs less than 20% metadata overhead, and accelerates compliance queries by 13–182×, with confidential virtual machines contributing 28%–32% performance overhead.
Abstract
Privacy regulations such as the General Data Protection Regulation (GDPR) impose strict requirements on how personal data is stored, processed, and audited. While key-value stores (KVS) are widely used in latency-sensitive applications, their simple data model and untrusted cloud deployment environments make GDPR compliance particularly challenging. Existing approaches require invasive code modifications, impose high performance overheads, or overlook the integrity of compliance mechanisms themselves.
This paper presents GDPRuler, a trusted middleware system that enables verifiable GDPR compliance for KVS on untrusted clouds without modifying their codebase. GDPRuler deploys a trusted GDPR monitor inside a Confidential Virtual Machine (CVM), which enforces GDPR policies, manages compliance metadata, and maintains tamper-evident audit logs. A declarative policy language translates core GDPR obligations into enforceable runtime rules. To ensure efficiency, GDPRuler encodes metadata compactly within KV records, builds dedicated metadata indexes for GDPR-specific queries, and logs only compliance-relevant events in a space-efficient format. We implement GDPRuler as a transparent proxy for unmodified Redis and RocksDB deployments. Evaluation with YCSB and GDPR-inspired workloads shows that GDPRuler enforces core compliance guarantees with low overheads: GDPRuler achieves ~61% of native KVS throughput with the CVM environment contributing 28%-32% of it, metadata storage overhead remains below 20%, and GDPR queries benefit from 13-182x speedup through metadata indexing. By embedding verifiable policy enforcement into a trusted middleware layer, GDPRuler offers a practical path toward GDPR-compliant KVS on untrusted cloud infrastructures.