The ideal solution(from GDPR perspective) would be to do it before it leaves the Auth0 environment. Even using AWS Log forwarder would mean that we are sending it to a third party (AWS).
If we are able to configure the payload in Auth0 we would never loose any data, because the full set would always be available via the log tool on the manage environment.
I’ll create a feature request.
Thanks for the feedback.