Is Amazon Chime GDPR compliant? - aws-chime-sdk

We are building a video call application utilising Amazon Chime SDK. Our application serves customers in the UK and needs to be GDPR compliant.
Amazon Chime's compliance info page doesn't explicitly state anything in relation to GDPR compliance. However, AWS itself states it is, and Chime is a service under AWS.
So we are not sure if Chime itself is GDPR compliant. Could someone please advise if they have any relevant information to confirm or deny Chime's GDPR compliance conclusively.

After multiple attempts we did get a response - albeit vague - from AWS.
At the foundation of Amazon Chime security is Amazon Web Services (AWS) Security. AWS regions and networks are built and operated to meet the requirements of some of the world’s most security-sensitive organizations. AWS constantly undergoes third-party audits by a variety of public sector and private sector auditing organizations in order to maintain its status under multiple compliance offerings, such as the credit card industry’s PCI DSS Level 1, the U.S. Government’s FedRAMP program, C5 Certification in Germany, and IRAP assessment by the Australia Government. For more information, see the AWS Security and AWS Compliance websites. Amazon Chime is designed and operated according to the same AWS standards, has undergone the compliance process required to be a HIPAA-eligible service, and is currently in the process of being added to other relevant compliance programs.
The Amazon Chime SDK can be used by customers who incorporate GDPR best practices and compliance using our Shared Responsibility Model.
So they seem to imply it can be used in a GDPR compliant way.
Additional info: Specific to the chat feature, AWS advised us to use the data-messaging API route to ensure the data relay and retention within the EU.
All chat messages in the Chime app are relayed and stored in us-east-1 (Virginia). The chat messages always leave the UK.
There is a data messaging API in the SDK that can be used to build chat. (https://aws.github.io/amazon-chime-sdk-js/modules/apioverview.html#9-send-and-receive-data-messages-optional)
These messages flow through the same region that is used to host the meeting (London, for example) and they are persisted there for a few minutes and until the end of the meeting so that they can be relayed to other participants during that meeting.
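As an added example (not code from the original answer or from the amazon-chime-sdk-js project), here is a small chat layer that follows the data-messaging route AWS recommended above. It uses the two SDK calls on the meeting session's audioVideo facade, realtimeSendDataMessage(topic, data, lifetimeMs) and realtimeSubscribeToReceiveDataMessage(topic, callback), so chat text rides on the meeting's own region-scoped relay with server-side retention bounded by lifetimeMs, instead of a separate chat store in another region. The FakeMeetingRelay and FakeAudioVideo classes are constructed stand-ins for the real facade so the file runs offline; the 2 KB payload cap and the 300000 ms maximum lifetime are the limits I recall from the SDK documentation and should be checked against the current docs.

```javascript
// Added example; not from the original answer or the amazon-chime-sdk-js project.
const TOPIC_RE = /^[a-zA-Z0-9_-]{1,36}$/;  // topic format the SDK accepts
const CHAT_TOPIC = 'chat';
const MAX_PAYLOAD_BYTES = 2048;   // per-message cap as I recall it from the SDK docs (verify)
const MAX_LIFETIME_MS = 300000;   // maximum server-side retention for late joiners (verify)

function encodeChatPayload(text, senderName) {
  // Versioned JSON wire format; the SDK accepts a string or a Uint8Array.
  const payload = JSON.stringify({ v: 1, name: senderName, text });
  const size = new TextEncoder().encode(payload).length;
  if (size > MAX_PAYLOAD_BYTES) {
    throw new RangeError(`payload is ${size} bytes, over the ${MAX_PAYLOAD_BYTES}-byte data-message cap`);
  }
  return payload;
}

function decodeChatPayload(dataMessage) {
  // DataMessage.json() parses the body; drop anything not shaped like a chat line so a
  // malformed message from another attendee cannot break the receiver.
  let body;
  try { body = dataMessage.json(); } catch (e) { return null; }
  if (!body || body.v !== 1 || typeof body.text !== 'string') return null;
  return { from: dataMessage.senderAttendeeId, name: String(body.name ?? ''),
           text: body.text, timestampMs: dataMessage.timestampMs };
}

class RegionScopedChat {
  constructor(audioVideo, senderName, { topic = CHAT_TOPIC, lifetimeMs = MAX_LIFETIME_MS } = {}) {
    if (!TOPIC_RE.test(topic)) throw new Error(`invalid data-message topic: ${topic}`);
    if (lifetimeMs < 0 || lifetimeMs > MAX_LIFETIME_MS) throw new RangeError(`lifetimeMs must be 0..${MAX_LIFETIME_MS}`);
    Object.assign(this, { audioVideo, senderName, topic, lifetimeMs, received: [] });
    audioVideo.realtimeSubscribeToReceiveDataMessage(topic, (msg) => {
      const line = decodeChatPayload(msg);
      if (line) this.received.push(line);
    });
  }
  send(text) {
    // Travels over the meeting's relay (the meeting's region); retention is bounded by lifetimeMs.
    this.audioVideo.realtimeSendDataMessage(this.topic, encodeChatPayload(text, this.senderName), this.lifetimeMs);
  }
}

// ---- constructed offline stand-ins for meetingSession.audioVideo and the meeting relay ----
class FakeMeetingRelay {
  constructor() { this.now = 0; this.retained = []; this.subs = []; }
  toDataMessage(e) {
    // Mirrors the DataMessage fields and methods the chat layer relies on.
    return { topic: e.topic, senderAttendeeId: e.sender, timestampMs: e.timestampMs,
             text: () => e.data, json: () => JSON.parse(e.data) };
  }
  subscribe(attendeeId, topic, callback) {
    this.subs.push({ attendeeId, topic, callback });
    for (const e of this.retained) {   // late joiner: replay unexpired messages on this topic
      if (e.topic === topic && e.sender !== attendeeId) callback(this.toDataMessage(e));
    }
  }
  publish(sender, topic, data, lifetimeMs) {
    const e = { sender, topic, data, timestampMs: this.now, expiresAt: this.now + lifetimeMs };
    if (lifetimeMs > 0) this.retained.push(e);
    for (const s of this.subs) {
      if (s.topic === topic && s.attendeeId !== sender) s.callback(this.toDataMessage(e));
    }
  }
  advance(ms) { this.now += ms; this.retained = this.retained.filter((e) => e.expiresAt > this.now); }
  endMeeting() { this.retained = []; this.subs = []; }  // nothing outlives the meeting
}

class FakeAudioVideo {
  constructor(attendeeId, relay) { this.attendeeId = attendeeId; this.relay = relay; }
  realtimeSendDataMessage(topic, data, lifetimeMs = 0) { this.relay.publish(this.attendeeId, topic, data, lifetimeMs); }
  realtimeSubscribeToReceiveDataMessage(topic, callback) { this.relay.subscribe(this.attendeeId, topic, callback); }
}

// Walks through the retention behaviour described in the answer; returns a summary.
function runScenario() {
  const relay = new FakeMeetingRelay();
  const join = (id, name) => new RegionScopedChat(new FakeAudioVideo(id, relay), name);
  const alice = join('alice', 'Alice');
  const bob = join('bob', 'Bob');
  alice.send('hello from London');
  relay.advance(120000);                 // two minutes later, still inside the lifetime
  const carol = join('carol', 'Carol');  // late joiner sees the retained message
  relay.advance(200000);                 // now past the five-minute lifetime
  const dave = join('dave', 'Dave');     // joins after expiry, sees nothing
  let oversizedRejected = false;
  try { bob.send('x'.repeat(MAX_PAYLOAD_BYTES)); } catch (e) { oversizedRejected = e instanceof RangeError; }
  relay.endMeeting();
  return { bobSaw: bob.received.map((m) => m.text), carolSaw: carol.received.map((m) => m.text),
           daveSaw: dave.received.length, oversizedRejected, retainedAfterEnd: relay.retained.length };
}

console.log(JSON.stringify(runScenario()));
```

Running the file walks through the scenario the answer describes: a message sent during the meeting reaches the other attendee immediately, a late joiner inside the lifetime still receives it, a joiner after the lifetime does not, and nothing is retained once the meeting ends. The retention window is a parameter the application controls rather than an indefinite store in a different region, which is the property that matters for the data-residency question.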

I believe Amazon Chime is not GDPR compliant. The website provides no way to export existing user data. The documented approach to exporting history is to scroll back in the chat history and copy-paste:
https://answers.chime.aws/questions/629/how-can-i-save-all-the-data-from-a-chat-room-or-co.html

Talk to your AWS technical POC. I am sure they can help you understand this better. AWS is a big ecosystem of services. Chime used with other services can be made GDPR compliant.
For instance, all Chime events are tracked via AWS EventBridge. Should be pretty easy to attribute and track all data for a specific user.

Related

IBM ACE and IBM API CONNECT

Can somehow explain me the difference in these products?
As far as I understand, IBM ACE (App Connect) gives you more or less iPaaS capabilities. It allows you to make an API.
But from what I understand now is that API Connect is required for the actual API management: proxy/policies etc.
Does anyone know how these products are licensed? Do you have to have API Connect for your APIs to be managed, governed etc.?
This is not an exhaustive answer, but hopefully it'll point you in the right direction...
App Connect is for building integrations (flows) with various data sources. Could be databases, cloud services like GSuite or Salesforce, or even HTTP endpoints. Those flows could be triggered by events in one of those systems or by an API. You can also do things like turn a database schema into an API. You get the idea.
API Connect is for API governance, security, and socialization. In more concrete terms, it gives you tools for things like: adding authentication and/or authorization to all APIs, bundling APIs together, enforcing rate limits or quotas, providing a portal for sharing/selling your APIs with others, and so on.
You can create APIs using App Connect and stop there--it's usable/invokable without API Connect in the picture. API Connect provides enforcement policies to give you more flexibility in how you call that API and/or give others the ability to invoke the API. The two products complement each other, but an API management product would be required in order to manage and govern the APIs created by App Connect.
In terms of licensing, there are multiple available options. You can purchase the products as standalone software packages that you install and maintain yourself (see IBM Cloud Pak for Integration) or you can leverage the IBM-managed versions that IBM provides via IBM Cloud.
More information is available:
https://www.ibm.com/cloud/api-connect
https://www.ibm.com/cloud/app-connect
https://www.ibm.com/cloud/cloud-pak-for-integration

Can Amazon Lex be used with other platforms (eg. Google Home)?

I'm trying to figure out which open source framework to use to start building a conversational AI for our business. We are a financial technology company so security/ privacy is just as important as ability to build features quickly.
Amazon Lex seems to be a good choice, is it possible to use it with Google Home or other voice assistants?
Also, any additional advice on which platform to use/ architecture would be very much appreciated.
Thank you!
Yes Amazon Lex can work with other services. From the Lex website:
"With Amazon Lex, you can build, test, and deploy your chatbots directly from the Amazon Lex console. Amazon Lex enables you to easily publish your voice or text chatbots to mobile devices, web apps, and chat services such as Facebook Messenger, Slack, Kik, and Twilio SMS. Once published, your Amazon Lex bot processes voice or text input in conversation with your end-users. Amazon Lex is a fully managed service so as your user engagement increases, you don’t need to worry about provisioning hardware and managing infrastructure to power your bot experience."
The answer is a bit more complex than that! Adding a bit more here as this is coming up in Google searches:
Yes, it can integrate with Facebook Messenger, Slack, Kik and Twilio SMS — those have options direct in the Lex interface for linking those services. When it comes to Google Home, you'd need to create your own bridge between Amazon Lex and Google's Actions SDK.
So you'd take what the Google Actions SDK hears someone say when they speak to their Google Home (the fulfilment text), and then need to pass that onto Amazon Lex. To do that, you need to use Amazon Lex's postText or postContent functions (Lex Runtime docs on that). I haven't done this myself just yet, but I've heard of others doing similar and spotted this Stack Overflow post explaining it in a bit more detail when looking for an example.

Google Client Library for Java SDK and GDPR

I am using the Google Client Library for Java SDK in my Android app to interface with Google Drive.
Do Google act as a Data Controller or Data Processor by using this SDK? I need to know if I need to store any data to show the user has consented to my app interfacing with Google Drive in line with GDPR.
I know I need to ask permission for personalised or non-personalised ads but the Google Drive SDK and GDPR stuff is driving me crazy.
Thanks
Disclaimer: I am not a legal type person; this is my opinion from the guidelines that we have been given. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.
For reference, I am going to quote from the following documents, which as of my writing are the only things Google has released with regard to GDPR that I am aware of at this time:
Google Cloud & the General Data Protection Regulation
GOOGLE CLOUD & THE GDPR WHITEPAPER
Google Cloud & the General Data Protection Regulation (GDPR)
G Suite and Google Cloud Platform customers will typically act as the data controller for any personal data they provide to Google in connection with their use of Google’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Google is a data processor and processes personal data on behalf of the data controller when the controller is using G Suite or Google Cloud Platform.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).
You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
G Suite is Google's suite of tools, that being Drive, Calendar ...; they are the data controller for the data behind the Google tools.
Controller vs. Processor
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
IMO
If you are accessing a user's data on Google Drive and changing it or doing anything with it, then yes, you are going to need to tell them what you are using their data for and log their consent. If you are saving their data anywhere, then you are also going to have to give them the ability to delete that data.
There are some things you can't do; for example, if they want to delete all their files on Drive, that's not your responsibility, that's Google's. You are only responsible for the data that's on your system and what you have done with it.
Using Google's client library IMO doesn't have much to do with GDPR; it's what you are doing with the data that they return that matters. I did contact Google a few months ago hoping to get some official guidelines with regard to GDPR and the client libraries. I have not heard anything as of yet.

Heroku HIPAA Compliance

Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?
Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.
To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.
HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:
164.314 Organizational requirements. (B) In accordance with 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section;
You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.
Heroku has told me they will not sign Business Associate Agreements at the moment, so if you store any PHI on the server it is not possible to be HIPAA compliant.
Heroku has announced their Shield accounts that will provide HIPAA compliance.
From the link
The Shield Private Dyno includes an encrypted ephemeral file system and restricts SSL termination from using TLS 1.0 which is considered vulnerable. Shield Private Postgres further guarantees that data is always encrypted in transit and at rest. Heroku also captures a high volume of security monitoring events for Shield dynos and databases which helps meet regulatory requirements without imposing any extra burden on developers.
That may or may not obviate the need for BAA's, MOU's, etc.

Multiple users on Amazon EC2

Is it possible to have multiple users to manage an Amazon EC2 environment? I want to give access to several additional people to create machines on my existing billing account.
Amazon just announced AWS Identity and Access Management - http://aws.amazon.com/iam/
As of right now, it's in 'preview' mode, but this will allow you to have multiple AWS management accounts.
A few months ago Amazon announced Consolidated Billing. I never used it, but I think that is what you're looking for:
Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts in your department or company, as well as obtain a detailed cost report for each individual AWS account associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled up usage across all of your accounts could help you reach lower-priced volume tiers more quickly.
Consolidated Billing Guide
This is absolutely possible using the IAM service of AWS. With the help of IAM you can create users and give them specific permissions on various services of Amazon.
You can try http://LabSlice.com. It's primarily for Virtual Lab Management (i.e. playground environments), but may suit your needs.
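An added example of the kind of scoped permissions this answer alludes to; it is not from the original thread or from AWS documentation. The policy lets the members of a group launch EC2 instances on the shared account, restricts stop/terminate to instances they tagged as their own, and explicitly denies billing and identity changes so that extra users cannot alter the paying account. The region eu-west-2, the tag key Owner and the tag-on-create pattern are choices made for this example; attach the policy to an IAM group and add the additional users to that group. Note that the ${aws:username} variable only resolves for IAM users, not for assumed roles.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyViewOfEc2",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LaunchInstancesTaggedWithOwner",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:eu-west-2:*:instance/*",
      "Condition": { "StringEquals": { "aws:RequestTag/Owner": "${aws:username}" } }
    },
    {
      "Sid": "LaunchSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:eu-west-2::image/*",
        "arn:aws:ec2:eu-west-2:*:subnet/*",
        "arn:aws:ec2:eu-west-2:*:security-group/*",
        "arn:aws:ec2:eu-west-2:*:network-interface/*",
        "arn:aws:ec2:eu-west-2:*:volume/*",
        "arn:aws:ec2:eu-west-2:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyAtLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:eu-west-2:*:instance/*",
      "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } }
    },
    {
      "Sid": "ManageOnlyOwnInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:eu-west-2:*:instance/*",
      "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" } }
    },
    {
      "Sid": "NoBillingOrIdentityChanges",
      "Effect": "Deny",
      "Action": ["aws-portal:*", "iam:*", "organizations:*"],
      "Resource": "*"
    }
  ]
}
```

The explicit Deny at the end wins over any Allow attached elsewhere, which is the safeguard you want on a shared billing account. The aws-portal namespace is the older billing-console action set; newer accounts also expose fine-grained billing actions, so check the current action list when extending the Deny statement.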
