We are sometimes asked about our approach to data protection, so further information follows below. Please contact us if you want more details or have questions not covered here.
Is Ably GDPR compliant?
Yes. Ably has ensured that it has followed all the steps necessary to comply with the GDPR reforms.
Do you have a GDPR DPA (Data Processing Agreement) to sign?
No, fortunately this is not necessary, as our online Terms incorporate everything that a DPA document requires. This means that all Ably customers globally can rely on our standard terms, which include the GDPR DPA provisions; these apply automatically whenever customers use Ably services to process personal data under the GDPR.
By incorporating our GDPR DPA into the Ably Service Terms, we are simply extending the terms of our GDPR DPA to all customers globally who require it under GDPR. Please note that you can review the changes made to our terms to incorporate GDPR requirements in our legal audit trail from 29 March 2018.
Is Ably part of the EU-U.S. Privacy Shield Framework?
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. (The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.)
As per previous practice, it is anticipated that the EU authorities will provide for a grace period to give businesses time to react and adapt to this new regulatory regime. US-based companies with data subjects in Europe will now need to implement a substitute legal mechanism, such as standard contractual clauses or binding corporate rules, and are advised to seek the advice of competent data privacy counsel in this regard.
As an alternative, the Ably solution allows US-based companies (indeed, any company, whether based in the US, EU or elsewhere) to constrain Ably's management and distribution of their messages to within the confines of the EU, obviating the need for transatlantic data transfers. If you'd like to know more about this or adjust your account setup to impose this restriction, please contact Ably.
What about HIPAA compliance?
Ably offers a Business Associate Agreement (BAA) for your organization's compliance purposes. Please read our Ably U.S. HIPAA (Health Insurance Portability and Accountability Act) Statement for more information, or get in touch to discuss your requirements.
Does Ably comply with EU data protection requirements?
How will Brexit and new EU regulation affect Ably’s approach to data protection?
We do not yet know what form Brexit will take or what the timescales will be. It is thought likely that UK legislation will remain very much in line with EU legislation in any case. In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal. While the Regulation entered into force on 24 May 2016, it will apply from 25 May 2018. Ably will review, and comply with, all revised UK data protection legislation once it is clarified.
Is Ably registered with the UK Information Commissioner’s Office?
Yes. Ably is registered as a data controller, registration reference ZA153339, and we can provide a copy of our certificate if required.
What level of data encryption does Ably use?
Ably uses TLS (2048-bit keys) for all data in transit. However, customers can elect not to transmit their data over TLS. Data moving between servers within the same Ably data centre is not encrypted, as it cannot be intercepted there, but data is always encrypted when moved between data centres.
Ably also offers optional 256-bit AES symmetric encryption of message payloads, which makes it impossible for Ably to inspect any data payloads moving through the system.
Does Ably inspect data it transports?
No. Ably never inspects payloads. We treat them as opaque. Ably is a conduit for data (a ‘dumb pipe’) like the postal service in the physical world.
Does Ably transport personal data?
As a transport for information, Ably does not know the nature of the data it is handling. It is possible for our customers to transport the personal data of their own customers.
Where is data going through the Ably platform stored?
Data in transit is stored ephemerally (i.e. not on disk) in all 14+ data centres in all regions. Each region can have two or more data centres.
Messages are only persisted when the history feature is explicitly enabled, and that data is stored in US East Virginia, Europe Ireland, and Asia Singapore.
How long will Ably store data published through the platform for?
By default, messages are ephemeral and are kept in memory only whilst in transit. Messages remain in memory for two minutes (the maximum time we allow for a connection to be recovered).
However, when the history feature is explicitly enabled by our customers, data is stored on disk for the history duration configured for that package. Please see the history storage documentation for more details.