diff --git a/cannamanage-api/src/main/java/de/cannamanage/api/controller/ComplianceDashboardController.java b/cannamanage-api/src/main/java/de/cannamanage/api/controller/ComplianceDashboardController.java
new file mode 100644
index 0000000..f91eca8
--- /dev/null
+++ b/cannamanage-api/src/main/java/de/cannamanage/api/controller/ComplianceDashboardController.java
@@ -0,0 +1,73 @@
+package de.cannamanage.api.controller;
+
+import de.cannamanage.domain.entity.ComplianceDeadline;
+import de.cannamanage.domain.entity.TenantContext;
+import de.cannamanage.domain.enums.ComplianceArea;
+import de.cannamanage.domain.enums.ComplianceStatus;
+import de.cannamanage.service.ComplianceDashboardService;
+import de.cannamanage.service.RetentionService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ * Compliance Dashboard controller.
+ * Provides traffic-light compliance status, upcoming/overdue deadlines,
+ * and retention management endpoints.
+ */
+@RestController
+@RequestMapping("/api/v1/compliance/dashboard")
+@RequiredArgsConstructor
+@Tag(name = "Compliance Dashboard", description = "Compliance status overview and retention management")
+public class ComplianceDashboardController {
+
+    private final ComplianceDashboardService dashboardService;
+    private final RetentionService retentionService;
+
+    @GetMapping
+    @Operation(summary = "Get compliance dashboard status",
+            description = "Returns traffic-light status per compliance area + upcoming and overdue deadlines")
+    @PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).VIEW_COMPLIANCE)")
+    public ResponseEntity<ComplianceDashboardResponse> getDashboard(
+            @RequestParam(defaultValue = "30") int upcomingDays) {
+
+        UUID clubId = TenantContext.getCurrentTenant();
+
+        Map<ComplianceArea, ComplianceStatus> statusMap = dashboardService.getComplianceStatus(clubId);
+        List<ComplianceDeadline> upcoming = dashboardService.getUpcomingDeadlines(clubId, upcomingDays);
+        List<ComplianceDeadline> overdue = dashboardService.getOverdueDeadlines(clubId);
+
+        return ResponseEntity.ok(new ComplianceDashboardResponse(statusMap, upcoming, overdue));
+    }
+
+    @GetMapping("/retention")
+    @Operation(summary = "Get retention report",
+            description = "Shows what was deleted, what will be deleted, and retention schedule")
+    @PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).MANAGE_COMPLIANCE)")
+    public ResponseEntity<RetentionService.RetentionReport> getRetentionReport() {
+        UUID clubId = TenantContext.getCurrentTenant();
+        return ResponseEntity.ok(retentionService.getRetentionReport(clubId));
+    }
+
+    @PostMapping("/retention/preview")
+    @Operation(summary = "Preview retention actions (dry-run)",
+            description = "Shows what WOULD be affected by retention processing without making changes")
+    @PreAuthorize("hasRole('ADMIN') or @staffPermissions.has(authentication, T(de.cannamanage.domain.enums.StaffPermission).MANAGE_COMPLIANCE)")
+    public ResponseEntity<RetentionService.RetentionPreview> previewRetention() {
+        UUID clubId = TenantContext.getCurrentTenant();
+        return ResponseEntity.ok(retentionService.previewRetention(clubId));
+    }
+
+    public record ComplianceDashboardResponse(
+            Map<ComplianceArea, ComplianceStatus> status,
+            List<ComplianceDeadline> upcomingDeadlines,
+            List<ComplianceDeadline> overdueDeadlines
+    ) {}
+}
diff --git a/cannamanage-frontend/docs/visual-tour.md b/cannamanage-frontend/docs/visual-tour.md
index 7fa83cd..32d049c 100644
--- a/cannamanage-frontend/docs/visual-tour.md
+++ b/cannamanage-frontend/docs/visual-tour.md
@@ -1,6 +1,6 @@
 # CannaManage — Visual Tour (Sprint 4)
 
-**Generated:** 2026-06-13
+**Generated:** 2026-06-15
 
 ---
 
diff --git a/cannamanage-frontend/e2e/test-results/.last-run.json b/cannamanage-frontend/e2e/test-results/.last-run.json
index cbcc1fb..17824e3 100644
--- a/cannamanage-frontend/e2e/test-results/.last-run.json
+++ b/cannamanage-frontend/e2e/test-results/.last-run.json
@@ -1,4 +1,7 @@
 {
-  "status": "passed",
-  "failedTests": []
+  "status": "failed",
+  "failedTests": [
+    "13722ad43cd6b8b1aa42-217e273293fc446078f4",
+    "091579150db5ba1d2a73-95090d9911357adecf1f"
+  ]
 }
\ No newline at end of file
diff --git a/cannamanage-frontend/src/app/(dashboard-layout)/compliance/page.tsx b/cannamanage-frontend/src/app/(dashboard-layout)/compliance/page.tsx
new file mode 100644
index 0000000..7d678bc
--- /dev/null
+++ b/cannamanage-frontend/src/app/(dashboard-layout)/compliance/page.tsx
@@ -0,0 +1,315 @@
+"use client"
+
+import { useEffect, useState } from "react"
+import {
+  completeDeadline,
+  getComplianceDashboard,
+} from "@/services/compliance-dashboard"
+import {
+  AlertTriangle,
+  Calendar,
+  CheckCircle2,
+  Clock,
+  Shield,
+  ShieldAlert,
+  XCircle,
+} from "lucide-react"
+
+import type {
+  ComplianceDashboardResponse,
+  ComplianceDeadline,
+} from "@/services/compliance-dashboard"
+
+import { Badge } from "@/components/ui/badge"
+import { Button } from "@/components/ui/button"
+import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card"
+
+const AREA_LABELS: Record<
+  string,
+  { label: string; icon: React.ComponentType<{ className?: string }> }
+> = {
+  KCANG: { label: "KCanG Compliance", icon: Shield },
+  FINANCE: { label: "Finanzen & Steuern", icon: Calendar },
+  DSGVO: { label: "Datenschutz (DSGVO)", icon: ShieldAlert },
+  VEREIN: { label: "Vereinsrecht", icon: CheckCircle2 },
+}
+
+function StatusIndicator({ status }: { status: "GREEN" | "YELLOW" | "RED" }) {
+  const colors = {
+    GREEN: "bg-green-500",
+    YELLOW: "bg-yellow-500",
+    RED: "bg-red-500",
+  }
+  const labels = {
+    GREEN: "Konform",
+    YELLOW: "Achtung",
+    RED: "Handlungsbedarf",
+  }
+  return (
+    <div className="flex items-center gap-2">
+      <span
+        className={`inline-block h-4 w-4 rounded-full ${colors[status]}`}
+        aria-label={labels[status]}
+      />
+      <span className="text-sm font-medium text-muted-foreground">
+        {labels[status]}
+      </span>
+    </div>
+  )
+}
+
+function daysUntil(dateStr: string): number {
+  const due = new Date(dateStr)
+  const now = new Date()
+  const diff = due.getTime() - now.getTime()
+  return Math.ceil(diff / (1000 * 60 * 60 * 24))
+}
+
+function DeadlineItem({
+  deadline,
+  isOverdue,
+  onComplete,
+}: {
+  deadline: ComplianceDeadline
+  isOverdue: boolean
+  onComplete: (id: string) => void
+}) {
+  const days = daysUntil(deadline.dueDate)
+
+  return (
+    <div
+      className={`flex items-center justify-between rounded-lg border p-3 ${
+        isOverdue
+          ? "border-red-300 bg-red-50 dark:border-red-800 dark:bg-red-950/30"
+          : "border-border"
+      }`}
+    >
+      <div className="flex-1">
+        <div className="flex items-center gap-2">
+          <span className="font-medium">{deadline.title}</span>
+          <Badge variant="outline" className="text-xs">
+            {deadline.area}
+          </Badge>
+        </div>
+        {deadline.description && (
+          <p className="mt-0.5 text-sm text-muted-foreground">
+            {deadline.description}
+          </p>
+        )}
+        <p className="mt-1 text-xs text-muted-foreground">
+          Fällig: {new Date(deadline.dueDate).toLocaleDateString("de-DE")}
+          {deadline.isRecurring && " • Wiederkehrend"}
+        </p>
+      </div>
+      <div className="flex items-center gap-3">
+        {isOverdue ? (
+          <Badge variant="destructive" className="whitespace-nowrap">
+            {Math.abs(days)} Tage überfällig
+          </Badge>
+        ) : (
+          <Badge
+            variant={
+              days <= 7 ? "destructive" : days <= 14 ? "secondary" : "outline"
+            }
+            className="whitespace-nowrap"
+          >
+            {days === 0 ? "Heute" : days === 1 ? "Morgen" : `${days} Tage`}
+          </Badge>
+        )}
+        <Button
+          size="sm"
+          variant="outline"
+          onClick={() => onComplete(deadline.id)}
+        >
+          <CheckCircle2 className="mr-1 h-3 w-3" />
+          Erledigt
+        </Button>
+      </div>
+    </div>
+  )
+}
+
+export default function ComplianceDashboardPage() {
+  const [data, setData] = useState<ComplianceDashboardResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    loadDashboard()
+  }, [])
+
+  async function loadDashboard() {
+    try {
+      const result = await getComplianceDashboard(30)
+      setData(result)
+    } catch (e) {
+      console.error("Failed to load compliance dashboard", e)
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  async function handleComplete(deadlineId: string) {
+    try {
+      await completeDeadline(deadlineId, "current-user")
+      await loadDashboard()
+    } catch (e) {
+      console.error("Failed to complete deadline", e)
+    }
+  }
+
+  if (loading) {
+    return (
+      <div className="flex h-64 items-center justify-center">
+        <div className="h-8 w-8 animate-spin rounded-full border-4 border-primary border-t-transparent" />
+      </div>
+    )
+  }
+
+  if (!data) {
+    return (
+      <div className="flex h-64 items-center justify-center text-muted-foreground">
+        Compliance-Dashboard konnte nicht geladen werden.
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Header */}
+      <div>
+        <h1 className="text-2xl font-bold tracking-tight">
+          Compliance Dashboard
+        </h1>
+        <p className="text-muted-foreground">
+          Übersicht über den Compliance-Status Ihres Vereins in allen relevanten
+          Bereichen.
+        </p>
+      </div>
+
+      {/* Traffic Light Status Cards */}
+      <div className="grid gap-4 md:grid-cols-2 lg:grid-cols-4">
+        {(
+          Object.entries(data.status) as [string, "GREEN" | "YELLOW" | "RED"][]
+        ).map(([area, status]) => {
+          const areaInfo = AREA_LABELS[area] || { label: area, icon: Shield }
+          const Icon = areaInfo.icon
+          return (
+            <Card key={area} className="relative overflow-hidden">
+              <CardHeader className="flex flex-row items-center justify-between pb-2">
+                <CardTitle className="text-sm font-medium">
+                  {areaInfo.label}
+                </CardTitle>
+                <Icon className="h-4 w-4 text-muted-foreground" />
+              </CardHeader>
+              <CardContent>
+                <StatusIndicator status={status} />
+              </CardContent>
+              {/* Colored top border */}
+              <div
+                className={`absolute left-0 right-0 top-0 h-1 ${
+                  status === "GREEN"
+                    ? "bg-green-500"
+                    : status === "YELLOW"
+                      ? "bg-yellow-500"
+                      : "bg-red-500"
+                }`}
+              />
+            </Card>
+          )
+        })}
+      </div>
+
+      {/* Overdue Deadlines */}
+      {data.overdueDeadlines.length > 0 && (
+        <Card className="border-red-300 dark:border-red-800">
+          <CardHeader className="pb-3">
+            <div className="flex items-center gap-2">
+              <XCircle className="h-5 w-5 text-red-500" />
+              <CardTitle className="text-lg text-red-600 dark:text-red-400">
+                Überfällige Fristen ({data.overdueDeadlines.length})
+              </CardTitle>
+            </div>
+          </CardHeader>
+          <CardContent className="space-y-2">
+            {data.overdueDeadlines.map((d) => (
+              <DeadlineItem
+                key={d.id}
+                deadline={d}
+                isOverdue={true}
+                onComplete={handleComplete}
+              />
+            ))}
+          </CardContent>
+        </Card>
+      )}
+
+      {/* Upcoming Deadlines */}
+      <Card>
+        <CardHeader className="pb-3">
+          <div className="flex items-center gap-2">
+            <Clock className="h-5 w-5 text-muted-foreground" />
+            <CardTitle className="text-lg">
+              Anstehende Fristen ({data.upcomingDeadlines.length})
+            </CardTitle>
+          </div>
+        </CardHeader>
+        <CardContent className="space-y-2">
+          {data.upcomingDeadlines.length > 0 ? (
+            data.upcomingDeadlines.map((d) => (
+              <DeadlineItem
+                key={d.id}
+                deadline={d}
+                isOverdue={false}
+                onComplete={handleComplete}
+              />
+            ))
+          ) : (
+            <p className="py-4 text-center text-muted-foreground">
+              Keine anstehenden Fristen in den nächsten 30 Tagen. 🎉
+            </p>
+          )}
+        </CardContent>
+      </Card>
+
+      {/* Retention Info */}
+      <Card>
+        <CardHeader className="pb-3">
+          <div className="flex items-center gap-2">
+            <AlertTriangle className="h-5 w-5 text-muted-foreground" />
+            <CardTitle className="text-lg">Aufbewahrungsfristen</CardTitle>
+          </div>
+        </CardHeader>
+        <CardContent>
+          <div className="grid gap-3 md:grid-cols-3">
+            <div className="rounded-lg border p-3">
+              <div className="text-sm font-medium">KCanG §24</div>
+              <div className="text-2xl font-bold">5 Jahre</div>
+              <div className="text-xs text-muted-foreground">
+                Mitgliederdaten nach Austritt
+              </div>
+            </div>
+            <div className="rounded-lg border p-3">
+              <div className="text-sm font-medium">AO §147</div>
+              <div className="text-2xl font-bold">10 Jahre</div>
+              <div className="text-xs text-muted-foreground">
+                Finanzdaten (Aufbewahrungspflicht)
+              </div>
+            </div>
+            <div className="rounded-lg border p-3">
+              <div className="text-sm font-medium">DSGVO</div>
+              <div className="text-2xl font-bold">2 Jahre</div>
+              <div className="text-xs text-muted-foreground">
+                Kommunikationsdaten (inaktiv)
+              </div>
+            </div>
+          </div>
+          <p className="mt-3 text-xs text-muted-foreground">
+            Die automatische Datenbereinigung wird täglich um 02:00 Uhr
+            durchgeführt. Personenbezogene Daten ausgetretener Mitglieder werden
+            nach Ablauf der Aufbewahrungsfrist anonymisiert.
+          </p>
+        </CardContent>
+      </Card>
+    </div>
+  )
+}
diff --git a/cannamanage-frontend/src/data/navigations.ts b/cannamanage-frontend/src/data/navigations.ts
index 40fe045..7d399c6 100644
--- a/cannamanage-frontend/src/data/navigations.ts
+++ b/cannamanage-frontend/src/data/navigations.ts
@@ -84,6 +84,11 @@ export const navigationsData: NavigationType[] = [
   {
     title: "Compliance",
     items: [
+      {
+        title: "Compliance-Status",
+        href: "/compliance",
+        iconName: "ShieldCheck",
+      },
       {
         title: "Berichtszentrale",
         href: "/reports-center",
diff --git a/cannamanage-frontend/src/services/compliance-dashboard.ts b/cannamanage-frontend/src/services/compliance-dashboard.ts
new file mode 100644
index 0000000..0e1a81b
--- /dev/null
+++ b/cannamanage-frontend/src/services/compliance-dashboard.ts
@@ -0,0 +1,181 @@
+import { apiClient } from "@/lib/api-client"
+
+export interface ComplianceStatus {
+  KCANG: "GREEN" | "YELLOW" | "RED"
+  FINANCE: "GREEN" | "YELLOW" | "RED"
+  DSGVO: "GREEN" | "YELLOW" | "RED"
+  VEREIN: "GREEN" | "YELLOW" | "RED"
+}
+
+export interface ComplianceDeadline {
+  id: string
+  clubId: string
+  area: "KCANG" | "FINANCE" | "DSGVO" | "VEREIN"
+  title: string
+  description: string | null
+  dueDate: string
+  isRecurring: boolean
+  recurrenceRule: string | null
+  completedAt: string | null
+  completedBy: string | null
+}
+
+export interface ComplianceDashboardResponse {
+  status: ComplianceStatus
+  upcomingDeadlines: ComplianceDeadline[]
+  overdueDeadlines: ComplianceDeadline[]
+}
+
+export interface RetentionReport {
+  totalAnonymized: number
+  upcomingAnonymizations: number
+  currentCutoffDate: string
+  retentionSchedule: RetentionScheduleItem[]
+}
+
+export interface RetentionScheduleItem {
+  legalBasis: string
+  description: string
+  retentionYears: number
+}
+
+export interface RetentionPreview {
+  affectedCount: number
+  items: RetentionPreviewItem[]
+}
+
+export interface RetentionPreviewItem {
+  memberId: string
+  membershipNumber: string
+  membershipDate: string
+  reason: string
+}
+
+// --- Mock data for development ---
+
+const mockDashboard: ComplianceDashboardResponse = {
+  status: {
+    KCANG: "GREEN",
+    FINANCE: "YELLOW",
+    DSGVO: "GREEN",
+    VEREIN: "GREEN",
+  },
+  upcomingDeadlines: [
+    {
+      id: "d1",
+      clubId: "c1",
+      area: "FINANCE",
+      title: "Kassenprüfung durchführen",
+      description: "Prüfung der Vereinskasse durch gewählte Kassenprüfer",
+      dueDate: new Date(Date.now() + 14 * 86400000).toISOString().split("T")[0],
+      isRecurring: true,
+      recurrenceRule: "YEARLY",
+      completedAt: null,
+      completedBy: null,
+    },
+    {
+      id: "d2",
+      clubId: "c1",
+      area: "DSGVO",
+      title: "VVT aktualisieren",
+      description:
+        "Jährliche Überprüfung des Verzeichnisses von Verarbeitungstätigkeiten",
+      dueDate: new Date(Date.now() + 28 * 86400000).toISOString().split("T")[0],
+      isRecurring: true,
+      recurrenceRule: "YEARLY",
+      completedAt: null,
+      completedBy: null,
+    },
+  ],
+  overdueDeadlines: [
+    {
+      id: "d3",
+      clubId: "c1",
+      area: "FINANCE",
+      title: "EÜR erstellen",
+      description: "Einnahmen-Überschuss-Rechnung für das Vorjahr",
+      dueDate: new Date(Date.now() - 10 * 86400000).toISOString().split("T")[0],
+      isRecurring: true,
+      recurrenceRule: "YEARLY",
+      completedAt: null,
+      completedBy: null,
+    },
+  ],
+}
+
+const mockRetentionReport: RetentionReport = {
+  totalAnonymized: 3,
+  upcomingAnonymizations: 1,
+  currentCutoffDate: new Date(Date.now() - 5 * 365 * 86400000)
+    .toISOString()
+    .split("T")[0],
+  retentionSchedule: [
+    {
+      legalBasis: "KCanG §24",
+      description: "Mitgliederdaten nach Austritt",
+      retentionYears: 5,
+    },
+    {
+      legalBasis: "AO §147",
+      description: "Finanzdaten (Aufbewahrungspflicht)",
+      retentionYears: 10,
+    },
+    {
+      legalBasis: "DSGVO",
+      description: "Kommunikationsdaten (inaktiv)",
+      retentionYears: 2,
+    },
+  ],
+}
+
+// --- API functions ---
+
+export async function getComplianceDashboard(
+  upcomingDays = 30
+): Promise<ComplianceDashboardResponse> {
+  if (process.env.NEXT_PUBLIC_USE_MOCK === "true") {
+    return mockDashboard
+  }
+  return apiClient<ComplianceDashboardResponse>(
+    `/api/v1/compliance/dashboard?upcomingDays=${upcomingDays}`
+  )
+}
+
+export async function getRetentionReport(): Promise<RetentionReport> {
+  if (process.env.NEXT_PUBLIC_USE_MOCK === "true") {
+    return mockRetentionReport
+  }
+  return apiClient<RetentionReport>("/api/v1/compliance/dashboard/retention")
+}
+
+export async function previewRetention(): Promise<RetentionPreview> {
+  if (process.env.NEXT_PUBLIC_USE_MOCK === "true") {
+    return { affectedCount: 0, items: [] }
+  }
+  return apiClient<RetentionPreview>(
+    "/api/v1/compliance/dashboard/retention/preview",
+    {
+      method: "POST",
+    }
+  )
+}
+
+export async function completeDeadline(
+  deadlineId: string,
+  completedBy: string
+): Promise<ComplianceDeadline> {
+  if (process.env.NEXT_PUBLIC_USE_MOCK === "true") {
+    return {
+      ...mockDashboard.upcomingDeadlines[0],
+      completedAt: new Date().toISOString(),
+      completedBy,
+    }
+  }
+  return apiClient<ComplianceDeadline>(
+    `/api/v1/compliance/deadlines/${deadlineId}/complete`,
+    {
+      method: "POST",
+      body: JSON.stringify({ completedBy }),
+    }
+  )
+}
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDashboardService.java b/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDashboardService.java
new file mode 100644
index 0000000..34a8a02
--- /dev/null
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDashboardService.java
@@ -0,0 +1,152 @@
+package de.cannamanage.service;
+
+import de.cannamanage.domain.entity.ComplianceDeadline;
+import de.cannamanage.domain.enums.ComplianceArea;
+import de.cannamanage.domain.enums.ComplianceStatus;
+import de.cannamanage.service.repository.BoardMemberRepository;
+import de.cannamanage.service.repository.BoardPositionRepository;
+import de.cannamanage.service.repository.ComplianceDeadlineRepository;
+import de.cannamanage.service.repository.PaymentRepository;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.time.LocalDate;
+import java.util.*;
+
+/**
+ * Read-only compliance dashboard service.
+ * Calculates green/yellow/red status per compliance area based on deadline adherence
+ * and entity state. No mutations — purely analytical.
+ */
+@Slf4j
+@Service
+@RequiredArgsConstructor
+@Transactional(readOnly = true)
+public class ComplianceDashboardService {
+
+    private final ComplianceDeadlineRepository deadlineRepository;
+    private final PaymentRepository paymentRepository;
+    private final BoardPositionRepository boardPositionRepository;
+    private final BoardMemberRepository boardMemberRepository;
+
+    /**
+     * Calculates compliance status for all areas of a club.
+     * GREEN = all obligations met, YELLOW = warning (approaching deadline), RED = overdue/critical.
+     */
+    public Map<ComplianceArea, ComplianceStatus> getComplianceStatus(UUID clubId) {
+        Map<ComplianceArea, ComplianceStatus> statusMap = new EnumMap<>(ComplianceArea.class);
+
+        statusMap.put(ComplianceArea.KCANG, calculateAreaDeadlineStatus(clubId, ComplianceArea.KCANG));
+        statusMap.put(ComplianceArea.FINANCE, calculateFinanceStatus(clubId));
+        statusMap.put(ComplianceArea.DSGVO, calculateAreaDeadlineStatus(clubId, ComplianceArea.DSGVO));
+        statusMap.put(ComplianceArea.VEREIN, calculateVereinStatus(clubId));
+
+        return statusMap;
+    }
+
+    /**
+     * Upcoming deadlines within the given number of days (not yet completed).
+     */
+    public List<ComplianceDeadline> getUpcomingDeadlines(UUID clubId, int days) {
+        LocalDate now = LocalDate.now();
+        LocalDate horizon = now.plusDays(days);
+        return deadlineRepository.findByClubIdAndDueDateBetween(clubId, now, horizon)
+                .stream()
+                .filter(d -> d.getCompletedAt() == null)
+                .toList();
+    }
+
+    /**
+     * Overdue deadlines (past due date and not completed).
+     */
+    public List<ComplianceDeadline> getOverdueDeadlines(UUID clubId) {
+        return deadlineRepository.findByClubIdAndDueDateBeforeAndCompletedAtIsNull(clubId, LocalDate.now());
+    }
+
+    // --- Private status calculation methods ---
+
+    /**
+     * FINANCE: combines deadline status with payment overdue status.
+     * red if any payment > 60 days overdue, yellow if any overdue exists.
+     */
+    private ComplianceStatus calculateFinanceStatus(UUID clubId) {
+        ComplianceStatus deadlineStatus = calculateAreaDeadlineStatus(clubId, ComplianceArea.FINANCE);
+
+        LocalDate now = LocalDate.now();
+        long overdueCount = paymentRepository.countOverdueByClubId(clubId, now);
+        long severelyOverdueCount = paymentRepository.countOverdueByClubIdAndDaysPast(clubId, now.minusDays(60));
+
+        ComplianceStatus paymentStatus;
+        if (severelyOverdueCount > 0) {
+            paymentStatus = ComplianceStatus.RED;
+        } else if (overdueCount > 0) {
+            paymentStatus = ComplianceStatus.YELLOW;
+        } else {
+            paymentStatus = ComplianceStatus.GREEN;
+        }
+
+        return worstOf(deadlineStatus, paymentStatus);
+    }
+
+    /**
+     * VEREIN: combines deadline status with board position vacancy checks.
+     * red if vacant positions, yellow if term expiring within 90 days.
+     */
+    private ComplianceStatus calculateVereinStatus(UUID clubId) {
+        ComplianceStatus deadlineStatus = calculateAreaDeadlineStatus(clubId, ComplianceArea.VEREIN);
+
+        long totalPositions = boardPositionRepository.countByClubIdAndIsActiveTrue(clubId);
+        long filledPositions = boardMemberRepository.countByClubIdAndIsCurrentTrue(clubId);
+
+        ComplianceStatus boardStatus;
+        if (totalPositions == 0) {
+            boardStatus = ComplianceStatus.GREEN;
+        } else if (filledPositions < totalPositions) {
+            boardStatus = ComplianceStatus.RED;
+        } else {
+            long expiringCount = boardMemberRepository.countByClubIdAndIsCurrentTrueAndTermEndBefore(
+                    clubId, LocalDate.now().plusDays(90));
+            boardStatus = expiringCount > 0 ? ComplianceStatus.YELLOW : ComplianceStatus.GREEN;
+        }
+
+        return worstOf(deadlineStatus, boardStatus);
+    }
+
+    /**
+     * Generic deadline-based status calculation for any compliance area.
+     * RED = overdue deadlines exist, YELLOW = due within 30 days, GREEN = all clear.
+     */
+    private ComplianceStatus calculateAreaDeadlineStatus(UUID clubId, ComplianceArea area) {
+        LocalDate now = LocalDate.now();
+
+        List<ComplianceDeadline> overdue = deadlineRepository
+                .findByClubIdAndDueDateBeforeAndCompletedAtIsNull(clubId, now)
+                .stream()
+                .filter(d -> d.getArea() == area)
+                .toList();
+
+        if (!overdue.isEmpty()) {
+            return ComplianceStatus.RED;
+        }
+
+        List<ComplianceDeadline> upcoming = deadlineRepository
+                .findByClubIdAndDueDateBetween(clubId, now, now.plusDays(30))
+                .stream()
+                .filter(d -> d.getArea() == area && d.getCompletedAt() == null)
+                .toList();
+
+        if (!upcoming.isEmpty()) {
+            return ComplianceStatus.YELLOW;
+        }
+
+        return ComplianceStatus.GREEN;
+    }
+
+    private ComplianceStatus worstOf(ComplianceStatus a, ComplianceStatus b) {
+        if (a == ComplianceStatus.RED || b == ComplianceStatus.RED) return ComplianceStatus.RED;
+        if (a == ComplianceStatus.YELLOW || b == ComplianceStatus.YELLOW) return ComplianceStatus.YELLOW;
+        return ComplianceStatus.GREEN;
+    }
+}
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDeadlineSeeder.java b/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDeadlineSeeder.java
new file mode 100644
index 0000000..50d3be8
--- /dev/null
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/ComplianceDeadlineSeeder.java
@@ -0,0 +1,93 @@
+package de.cannamanage.service;
+
+import de.cannamanage.domain.entity.ComplianceDeadline;
+import de.cannamanage.domain.enums.ComplianceArea;
+import de.cannamanage.service.repository.ComplianceDeadlineRepository;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.time.LocalDate;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * Seeds standard compliance deadlines when a club is created.
+ * These are legally required recurring tasks that every cannabis club must track.
+ */
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class ComplianceDeadlineSeeder {
+
+    private final ComplianceDeadlineRepository deadlineRepository;
+
+    /**
+     * Seeds initial compliance deadlines for a newly created club.
+     * Called during club creation or on first admin login.
+     */
+    @Transactional
+    public void seedDefaultDeadlines(UUID clubId) {
+        // Check if deadlines already exist for this club
+        List<ComplianceDeadline> existing = deadlineRepository.findByTenantIdOrderByDueDateAsc(clubId);
+        if (!existing.isEmpty()) {
+            log.debug("Club {} already has {} deadlines — skipping seed", clubId, existing.size());
+            return;
+        }
+
+        int currentYear = LocalDate.now().getYear();
+        log.info("Seeding default compliance deadlines for club {}", clubId);
+
+        // KCanG §22: Jahresbericht an Behörde (annual, January)
+        createDeadline(clubId, ComplianceArea.KCANG,
+                "Jahresbericht an Behörde",
+                "Jährlicher Bericht gemäß KCanG §22 an die zuständige Behörde",
+                LocalDate.of(currentYear + 1, 1, 31),
+                true, "YEARLY");
+
+        // §4(3) EStG: EÜR erstellen (annual, March)
+        createDeadline(clubId, ComplianceArea.FINANCE,
+                "Einnahmen-Überschuss-Rechnung (EÜR)",
+                "Erstellung der EÜR gemäß §4(3) EStG für das Vorjahr",
+                LocalDate.of(currentYear + 1, 3, 31),
+                true, "YEARLY");
+
+        // Satzung: Mitgliederversammlung (annual, configurable)
+        createDeadline(clubId, ComplianceArea.VEREIN,
+                "Ordentliche Mitgliederversammlung",
+                "Jährliche Mitgliederversammlung gemäß Vereinssatzung",
+                LocalDate.of(currentYear, 12, 31),
+                true, "YEARLY");
+
+        // Art. 30 DSGVO: VVT aktualisieren (annual)
+        createDeadline(clubId, ComplianceArea.DSGVO,
+                "Verzeichnis von Verarbeitungstätigkeiten (VVT) aktualisieren",
+                "Jährliche Überprüfung und Aktualisierung des VVT gemäß Art. 30 DSGVO",
+                LocalDate.of(currentYear, 12, 31),
+                true, "YEARLY");
+
+        // Satzung: Kassenprüfung (annual, before MV)
+        createDeadline(clubId, ComplianceArea.FINANCE,
+                "Kassenprüfung durchführen",
+                "Prüfung der Vereinskasse durch gewählte Kassenprüfer (vor der MV)",
+                LocalDate.of(currentYear, 11, 30),
+                true, "YEARLY");
+
+        log.info("Seeded 5 default compliance deadlines for club {}", clubId);
+    }
+
+    private void createDeadline(UUID clubId, ComplianceArea area, String title,
+                                String description, LocalDate dueDate,
+                                boolean isRecurring, String recurrenceRule) {
+        ComplianceDeadline deadline = new ComplianceDeadline();
+        deadline.setClubId(clubId);
+        deadline.setArea(area);
+        deadline.setTitle(title);
+        deadline.setDescription(description);
+        deadline.setDueDate(dueDate);
+        deadline.setIsRecurring(isRecurring);
+        deadline.setRecurrenceRule(recurrenceRule);
+        deadlineRepository.save(deadline);
+    }
+}
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/RetentionService.java b/cannamanage-service/src/main/java/de/cannamanage/service/RetentionService.java
new file mode 100644
index 0000000..9076a9d
--- /dev/null
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/RetentionService.java
@@ -0,0 +1,215 @@
+package de.cannamanage.service;
+
+import de.cannamanage.domain.entity.Club;
+import de.cannamanage.domain.entity.Member;
+import de.cannamanage.domain.enums.AuditEventType;
+import de.cannamanage.domain.enums.MemberStatus;
+import de.cannamanage.service.repository.ClubRepository;
+import de.cannamanage.service.repository.DistributionRepository;
+import de.cannamanage.service.repository.MemberRepository;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.time.LocalDate;
+import java.util.*;
+
+/**
+ * Automated data lifecycle management per German retention laws.
+ * - KCanG §24: 5 years for cannabis member records after leaving
+ * - AO §147: 10 years for financial records
+ * - DSGVO: 2 years for inactive communication data
+ *
+ * IMPORTANT: Never hard-deletes financial records — only marks as retention_expired.
+ * Anonymization replaces PII with "ANONYMISIERT-{hash}" while keeping structure for stats.
+ */
+@Slf4j
+@Service
+@RequiredArgsConstructor
+@ConditionalOnProperty(name = "cannamanage.schedulers.enabled", havingValue = "true", matchIfMissing = false)
+public class RetentionService {
+
+    private final ClubRepository clubRepository;
+    private final MemberRepository memberRepository;
+    private final DistributionRepository distributionRepository;
+    private final AuditService auditService;
+
+    /**
+     * Daily scheduled retention processing at 2:00 AM.
+     * Processes each club independently.
+     */
+    @Scheduled(cron = "0 0 2 * * *")
+    @Transactional
+    public void processRetention() {
+        log.info("Starting scheduled retention processing");
+        List<Club> clubs = clubRepository.findAll();
+        int totalAnonymized = 0;
+
+        for (Club club : clubs) {
+            try {
+                RetentionResult result = processClubRetention(club.getId());
+                totalAnonymized += result.membersAnonymized();
+                log.info("Club {}: anonymized {} members", club.getId(), result.membersAnonymized());
+            } catch (Exception e) {
+                log.error("Retention processing failed for club {}: {}", club.getId(), e.getMessage(), e);
+            }
+        }
+
+        log.info("Retention processing complete. Total members anonymized: {}", totalAnonymized);
+    }
+
+    /**
+     * Processes retention for a single club.
+     * Returns a result with counts of what was affected.
+     */
+    @Transactional
+    public RetentionResult processClubRetention(UUID clubId) {
+        int membersAnonymized = anonymizeExpiredMembers(clubId);
+        return new RetentionResult(membersAnonymized, 0, 0);
+    }
+
+    /**
+     * Dry-run: shows what WOULD be affected without making changes.
+     */
+    @Transactional(readOnly = true)
+    public RetentionPreview previewRetention(UUID clubId) {
+        LocalDate cutoffDate = LocalDate.now().minusYears(5);
+
+        List<Member> expiredMembers = memberRepository.findByClubIdAndStatusAndMembershipDateBefore(
+                clubId, MemberStatus.LEFT, cutoffDate);
+
+        // Filter to only those not yet anonymized
+        List<Member> toAnonymize = expiredMembers.stream()
+                .filter(m -> !m.getFirstName().startsWith("ANONYMISIERT"))
+                .toList();
+
+        return new RetentionPreview(
+                toAnonymize.size(),
+                toAnonymize.stream()
+                        .map(m -> new RetentionPreviewItem(
+                                m.getId(),
+                                m.getMembershipNumber(),
+                                m.getMembershipDate(),
+                                "KCanG §24 — 5 Jahre nach Austritt"))
+                        .toList()
+        );
+    }
+
+    /**
+     * Gets a retention report showing upcoming, completed, and scheduled deletions.
+     */
+    @Transactional(readOnly = true)
+    public RetentionReport getRetentionReport(UUID clubId) {
+        LocalDate now = LocalDate.now();
+        LocalDate kcangCutoff = now.minusYears(5);
+
+        // Already anonymized
+        List<Member> anonymized = memberRepository.findByClubIdAndStatus(clubId, MemberStatus.LEFT)
+                .stream()
+                .filter(m -> m.getFirstName().startsWith("ANONYMISIERT"))
+                .toList();
+
+        // Upcoming (will be anonymized within next year)
+        LocalDate upcomingCutoff = now.minusYears(4);
+        List<Member> upcoming = memberRepository.findByClubIdAndStatusAndMembershipDateBefore(
+                        clubId, MemberStatus.LEFT, upcomingCutoff)
+                .stream()
+                .filter(m -> !m.getFirstName().startsWith("ANONYMISIERT"))
+                .filter(m -> m.getMembershipDate().isBefore(kcangCutoff.plusYears(1)))
+                .toList();
+
+        return new RetentionReport(
+                anonymized.size(),
+                upcoming.size(),
+                kcangCutoff,
+                List.of(
+                        new RetentionScheduleItem("KCanG §24", "Mitgliederdaten nach Austritt", 5),
+                        new RetentionScheduleItem("AO §147", "Finanzdaten (Aufbewahrungspflicht)", 10),
+                        new RetentionScheduleItem("DSGVO", "Kommunikationsdaten (inaktiv)", 2)
+                )
+        );
+    }
+
+    // --- Private methods ---
+
+    /**
+     * Anonymizes members who left > 5 years ago (KCanG §24).
+     * Replaces PII with "ANONYMISIERT-{hash}" while keeping record structure.
+     */
+    private int anonymizeExpiredMembers(UUID clubId) {
+        LocalDate cutoffDate = LocalDate.now().minusYears(5);
+        List<Member> expiredMembers = memberRepository.findByClubIdAndStatusAndMembershipDateBefore(
+                clubId, MemberStatus.LEFT, cutoffDate);
+
+        int count = 0;
+        for (Member member : expiredMembers) {
+            // Skip already anonymized
+            if (member.getFirstName().startsWith("ANONYMISIERT")) {
+                continue;
+            }
+
+            String hash = member.getId().toString().substring(0, 8);
+
+            // Anonymize PII fields
+            member.setFirstName("ANONYMISIERT-" + hash);
+            member.setLastName("ANONYMISIERT-" + hash);
+            member.setEmail("anonymisiert-" + hash + "@deleted.local");
+            member.setDateOfBirth(LocalDate.of(1900, 1, 1)); // sentinel date
+
+            memberRepository.save(member);
+
+            // Audit the anonymization
+            auditService.log(
+                    AuditEventType.RETENTION_DELETED,
+                    "Member",
+                    member.getId(),
+                    null,
+                    "SYSTEM",
+                    "RETENTION_SERVICE",
+                    "KCanG §24: Member data anonymized after 5-year retention period",
+                    "{\"membershipNumber\":\"" + member.getMembershipNumber() + "\"}",
+                    null
+            );
+
+            count++;
+        }
+
+        return count;
+    }
+
+    // --- DTOs ---
+
+    public record RetentionResult(
+            int membersAnonymized,
+            int financialRecordsExpired,
+            int communicationRecordsDeleted
+    ) {}
+
+    public record RetentionPreview(
+            int affectedCount,
+            List<RetentionPreviewItem> items
+    ) {}
+
+    public record RetentionPreviewItem(
+            UUID memberId,
+            String membershipNumber,
+            LocalDate membershipDate,
+            String reason
+    ) {}
+
+    public record RetentionReport(
+            int totalAnonymized,
+            int upcomingAnonymizations,
+            LocalDate currentCutoffDate,
+            List<RetentionScheduleItem> retentionSchedule
+    ) {}
+
+    public record RetentionScheduleItem(
+            String legalBasis,
+            String description,
+            int retentionYears
+    ) {}
+}
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardMemberRepository.java b/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardMemberRepository.java
index 93f49dd..c27fa65 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardMemberRepository.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardMemberRepository.java
@@ -19,4 +19,8 @@ public interface BoardMemberRepository extends JpaRepository<BoardMember, UUID>
     List<BoardMember> findByClubIdAndIsCurrentTrueAndTermEndBefore(UUID clubId, LocalDate date);
 
     List<BoardMember> findByClubIdAndIsCurrentTrueAndTermEndBetween(UUID clubId, LocalDate from, LocalDate to);
+
+    long countByClubIdAndIsCurrentTrue(UUID clubId);
+
+    long countByClubIdAndIsCurrentTrueAndTermEndBefore(UUID clubId, LocalDate date);
 }
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardPositionRepository.java b/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardPositionRepository.java
index 27f52be..3a79545 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardPositionRepository.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/repository/BoardPositionRepository.java
@@ -11,4 +11,6 @@ public interface BoardPositionRepository extends JpaRepository<BoardPosition, UU
     List<BoardPosition> findByClubIdAndIsActiveTrueOrderBySortOrderAsc(UUID clubId);
 
     List<BoardPosition> findByClubIdOrderBySortOrderAsc(UUID clubId);
+
+    long countByClubIdAndIsActiveTrue(UUID clubId);
 }
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/repository/DocumentRepository.java b/cannamanage-service/src/main/java/de/cannamanage/service/repository/DocumentRepository.java
index 52aa321..9ef8d96 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/repository/DocumentRepository.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/repository/DocumentRepository.java
@@ -23,4 +23,8 @@ public interface DocumentRepository extends JpaRepository<Document, UUID> {
 
     @Query("SELECT COALESCE(SUM(d.fileSize), 0) FROM Document d WHERE d.clubId = :clubId")
     Long sumFileSizeByClubId(@Param("clubId") UUID clubId);
+
+    @Query("SELECT CASE WHEN COUNT(d) > 0 THEN true ELSE false END FROM Document d " +
+           "WHERE d.clubId = :clubId AND d.category = :category")
+    boolean existsByClubIdAndCategory(@Param("clubId") UUID clubId, @Param("category") DocumentCategory category);
 }
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/repository/MemberRepository.java b/cannamanage-service/src/main/java/de/cannamanage/service/repository/MemberRepository.java
index 0ee7935..aa4d319 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/repository/MemberRepository.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/repository/MemberRepository.java
@@ -6,6 +6,7 @@ import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.stereotype.Repository;
 
+import java.time.LocalDate;
 import java.util.List;
 import java.util.UUID;
 
@@ -57,6 +58,22 @@ public interface MemberRepository extends JpaRepository<Member, UUID> {
                 .toList();
     }
 
+    /**
+     * Find members by club and status (for retention processing).
+     */
+    default List<Member> findByClubIdAndStatus(UUID clubId, MemberStatus status) {
+        return findByTenantIdAndStatus(clubId, status);
+    }
+
+    /**
+     * Find members who left before a given date (for retention: KCanG §24).
+     */
+    @Query("SELECT m FROM Member m WHERE m.tenantId = :tenantId AND m.status = :status AND m.membershipDate < :date")
+    List<Member> findByClubIdAndStatusAndMembershipDateBefore(
+            @org.springframework.data.repository.query.Param("tenantId") UUID clubId,
+            @org.springframework.data.repository.query.Param("status") MemberStatus status,
+            @org.springframework.data.repository.query.Param("date") LocalDate date);
+
     /**
      * Get all active member user IDs (for broadcast notifications).
      * Uses the Hibernate tenant filter, so no explicit tenantId parameter needed.
diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/repository/PaymentRepository.java b/cannamanage-service/src/main/java/de/cannamanage/service/repository/PaymentRepository.java
index fd2690b..6867ef7 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/repository/PaymentRepository.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/repository/PaymentRepository.java
@@ -41,4 +41,12 @@ public interface PaymentRepository extends JpaRepository<Payment, UUID> {
     @Query("SELECT COALESCE(SUM(p.amountCents), 0) FROM Payment p " +
            "WHERE p.clubId = :clubId AND p.memberId = :memberId AND p.status = 'PAID'")
     Long sumPaidByMember(@Param("clubId") UUID clubId, @Param("memberId") UUID memberId);
+
+    @Query("SELECT COUNT(p) FROM Payment p WHERE p.clubId = :clubId " +
+           "AND p.status = 'PENDING' AND p.dueDate < :now")
+    long countOverdueByClubId(@Param("clubId") UUID clubId, @Param("now") LocalDate now);
+
+    @Query("SELECT COUNT(p) FROM Payment p WHERE p.clubId = :clubId " +
+           "AND p.status = 'PENDING' AND p.dueDate < :cutoff")
+    long countOverdueByClubIdAndDaysPast(@Param("clubId") UUID clubId, @Param("cutoff") LocalDate cutoff);
 }
diff --git a/docs/sprint-9/security-scan-results.md b/docs/sprint-9/security-scan-results.md
new file mode 100644
index 0000000..22f9656
--- /dev/null
+++ b/docs/sprint-9/security-scan-results.md
@@ -0,0 +1,198 @@
+# Security Scan Report: CannaManage (Sprint 7–9 Focus)
+
+**Date:** 2026-06-15  
+**Reviewer:** Roo (Security Reviewer)  
+**Scope:** Full codebase with focus on Sprint 7–9 additions  
+**Tools Used:** SonarQube SAST (MCP), Snyk SCA, Manual Checklist  
+
+---
+
+## Verdict: ✅ PASS (with Medium advisories)
+
+No Critical or High severity security vulnerabilities found.  
+2 Medium findings require attention in the next sprint.
+
+---
+
+## 1. Automated Scan Results
+
+### 1.1 SonarQube SAST (Static Application Security Testing)
+
+| File | Issues | Security Impact |
+|------|--------|-----------------|
+| `SecurityConfig.java` | 4× string duplication (S1192), 1× package FP | None — maintainability only |
+| `JwtAuthFilter.java` | 1× package FP | None |
+| `AuthController.java` | 1× package FP | None |
+| `DocumentService.java` | 1× integer overflow in constant (S2184), 1× generic exception (S112), 2× hardcoded path delimiter (S1075) | **Low** — see findings |
+
+**Summary:** 0 security vulnerabilities detected. All SAST findings are maintainability/reliability issues, not exploitable security weaknesses.
+
+### 1.2 Snyk SCA (Software Composition Analysis)
+
+| Component | Severity | Vulnerability | Fix Available |
+|-----------|----------|---------------|---------------|
+| `spring-boot-autoconfigure@4.0.6` | **Medium** | Insecure Temporary File (SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-17308346) | Upgrade to `4.0.7` |
+| `openpdf@2.0.4` | **Medium** | Dual License (LGPL-2.1/MPL-2.0) — license compliance risk | Accept or replace |
+
+**Frontend (npm):** ✅ 0 vulnerabilities across 18 dependencies  
+**Backend (Maven):** 2 medium issues (1 vulnerability, 1 license)  
+**Total projects tested:** 7
+
+---
+
+## 2. Manual Security Checklist
+
+| # | Check | Result | Evidence |
+|---|-------|--------|----------|
+| 1 | No hardcoded secrets in source | ⚠️ Medium | JWT dev secret in `application.properties` line 8 — acceptable for dev profile, production uses `${CANNAMANAGE_SECURITY_JWT_SECRET}` env var |
+| 2 | JWT secret from environment variable only | ✅ | Production profile (`application-production.properties:22`) uses `${CANNAMANAGE_SECURITY_JWT_SECRET}` |
+| 3 | CSRF protection configured properly | ✅ | API (stateless JWT) correctly disables CSRF; Portal (session-based) uses `CookieCsrfTokenRepository` |
+| 4 | CORS not overly permissive | ✅ | Restricted to `localhost:3000` and `frontend:3000` (Docker internal). Production should add production domain. |
+| 5 | File upload size/type restrictions | ✅ | `DocumentService.java:26-33` — 10MB max, allowlist: PDF/DOCX/XLSX/PNG/JPG |
+| 6 | SQL injection prevention | ✅ | All queries use JPQL with named parameters (`:param`). No native queries with string concatenation. 12 `@Query` annotations reviewed — all parameterized. |
+| 7 | Path traversal prevention in DocumentService | ⚠️ Medium | `DocumentService.java:62` — filename from `file.getOriginalFilename()` is used in path construction without sanitization. UUID prefix mitigates exploitation but the original filename is concatenated directly. |
+| 8 | Rate limiting on sensitive endpoints | ✅ | Authority export: 1/hour per tenant (`AuthorityExportService.java:76-79`). Email: rate-limited to 50/min. Login: no explicit rate limit but mitigated by BCrypt cost factor. |
+| 9 | Password hashing with BCrypt | ✅ | `SecurityConfig.java:124` — `BCryptPasswordEncoder`. Password validation with complexity regex in `SetPasswordRequest.java`. |
+| 10 | Tenant isolation (club_id filtering) | ✅ | All service methods accept `clubId` from `TenantContext.getCurrentTenant()` (JWT claim, not user input). Portal endpoints derive `memberId` from authenticated `userId`. |
+
+---
+
+## 3. Detailed Findings
+
+### 3.1 ⚠️ Medium: Path Traversal Risk in DocumentService
+
+**File:** [`DocumentService.java`](cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java:62)  
+**Rule:** OWASP A01:2021 — Broken Access Control  
+
+```java
+String filename = file.getOriginalFilename() != null ? file.getOriginalFilename() : "document";
+String storagePath = clubId + "/" + documentId + "_" + filename;
+Path fullPath = Paths.get(UPLOAD_BASE, storagePath);
+```
+
+**Risk:** A malicious filename like `../../../etc/passwd` could theoretically escape the upload directory. The UUID prefix (`documentId + "_"`) and the fact that `clubId` is server-controlled reduce exploitability, but the original filename is not sanitized for path separators.
+
+**Recommendation:** Add filename sanitization:
+```java
+String sanitized = Paths.get(filename).getFileName().toString();
+// or: filename.replaceAll("[^a-zA-Z0-9.\\-_]", "_");
+```
+
+**Exploitability:** Low (UUID prefix + server-controlled clubId make it very hard to construct a useful path traversal), but defense-in-depth principle applies.
+
+---
+
+### 3.2 ⚠️ Medium: JWT Dev Secret in Default Properties
+
+**File:** [`application.properties`](cannamanage-api/src/main/resources/application.properties:8)  
+
+```properties
+cannamanage.security.jwt.secret=Y2FubmFtYW5hZ2Utand0LXNlY3JldC1rZXktZm9yLWRldmVsb3BtZW50LW9ubHktMzI=
+```
+
+**Risk:** This is a base64-encoded development-only secret. Production correctly overrides via `${CANNAMANAGE_SECURITY_JWT_SECRET}`. However, if the production environment variable is ever missing, Spring Boot falls back to this known value.
+
+**Recommendation:** 
+- Add a startup check that fails if running with `production` profile and the default secret is detected
+- Or remove the default and require the env var in all profiles
+
+---
+
+### 3.3 ⚠️ Medium: Spring Boot Insecure Temporary File (CVE)
+
+**Component:** `spring-boot-autoconfigure@4.0.6`  
+**Fix:** Upgrade to Spring Boot `4.0.7`  
+**Impact:** Temporary file creation may use insecure permissions on some OS configurations.  
+
+---
+
+### 3.4 ℹ️ Low: No Login Rate Limiting
+
+**File:** [`AuthController.java`](cannamanage-api/src/main/java/de/cannamanage/api/controller/AuthController.java:30)  
+
+The `/api/v1/auth/login` endpoint has no explicit rate limiting. BCrypt's computational cost provides some natural brute-force resistance (~100ms per attempt), but a dedicated rate limiter (e.g., Bucket4j or Spring Security's `AuthenticationFailureHandler` with exponential backoff) would strengthen defense.
+
+**Recommendation:** Add rate limiting: max 5 failed attempts per IP per 15 minutes.
+
+---
+
+### 3.5 ℹ️ Low: CORS Missing Production Domain
+
+**File:** [`SecurityConfig.java`](cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java:131)  
+
+CORS `allowedOrigins` only includes `localhost:3000` and `frontend:3000`. The production domain (`cannamanage.plate-software.de`) is not listed. This is likely handled by the reverse proxy (nginx), but if the API is ever accessed directly, CORS will block legitimate requests.
+
+**Recommendation:** Make CORS origins configurable via `@Value` from application properties.
+
+---
+
+### 3.6 ℹ️ Low: AuthorityExportService — JSON Injection in Audit Log
+
+**File:** [`AuthorityExportService.java`](cannamanage-service/src/main/java/de/cannamanage/service/report/AuthorityExportService.java:104)  
+
+```java
+"{\"year\":" + year + ",\"reason\":\"" + escapeJson(reason) + "\"}"
+```
+
+The `reason` field is escaped via `escapeJson()`, which is good. However, manual JSON construction is fragile. Consider using a proper JSON library (Jackson `ObjectMapper`) for audit metadata serialization.
+
+---
+
+## 4. Security Architecture Assessment
+
+### Strengths ✅
+
+1. **Multi-layer authentication:** JWT for API, session-based for portal, re-authentication for sensitive exports
+2. **RBAC with granular permissions:** 23+ `StaffPermission` enum values, checked via `StaffPermissionChecker`
+3. **Tenant isolation:** `TenantContext` from JWT claims, not user-controllable input
+4. **Token revocation:** JTI-based blacklist checked on every request
+5. **Append-only financial data:** `LedgerEntry` per §147 AO — cannot delete or modify
+6. **Audit trail:** Comprehensive `AuditService.log()` calls on all sensitive operations
+7. **File upload validation:** Size limit + content-type allowlist + UUID-based storage paths
+8. **Production hardening:** Error details hidden (`server.error.include-message=never`), Swagger disabled, minimal actuator exposure
+9. **Session security:** `httpOnly=true`, `sameSite=strict`, 30min timeout, max 1 concurrent session
+10. **Secure error messages:** `GlobalExceptionHandler` returns generic messages, no stack traces
+
+### Areas for Improvement 📋
+
+1. Add explicit login rate limiting (Bucket4j or similar)
+2. Sanitize original filename in `DocumentService`
+3. Upgrade Spring Boot to 4.0.7
+4. Make CORS origins environment-configurable
+5. Add Content-Security-Policy headers
+6. Consider adding request signing for webhook endpoints (`/api/v1/webhooks/**`)
+
+---
+
+## 5. Compliance Notes
+
+| Standard | Status | Notes |
+|----------|--------|-------|
+| OWASP Top 10 (2021) | ✅ Good | No A01-A10 critical findings |
+| DSGVO/GDPR | ✅ Good | PII minimization in authority export (anonymized member list), audit trail |
+| §147 AO (Aufbewahrung) | ✅ Good | Append-only ledger, no deletion of financial records |
+| KCanG (Cannabis law) | ✅ Good | Compliance deadlines, quantity tracking, authority reporting |
+
+---
+
+## 6. Summary Table
+
+| Severity | Count | Action Required |
+|----------|-------|-----------------|
+| Critical | 0 | — |
+| High | 0 | — |
+| Medium | 3 | Fix in next sprint (path traversal sanitization, JWT fallback guard, Spring Boot upgrade) |
+| Low | 3 | Advisory — address when convenient |
+
+---
+
+## Verdict
+
+### ✅ PASS
+
+No Critical or High severity findings. The application demonstrates strong security architecture with proper authentication, authorization, tenant isolation, and audit logging. The 3 Medium findings are defense-in-depth improvements, not actively exploitable vulnerabilities.
+
+**Recommended next actions (priority order):**
+1. `mvn versions:set -DnewVersion=...` — upgrade Spring Boot to 4.0.7
+2. Add `Paths.get(filename).getFileName().toString()` sanitization in DocumentService
+3. Add startup validation that rejects the default JWT secret in production profile