We are sometimes asked about our approach to data protection, so further information follows below. Do contact us if you want more detail or have questions not covered here.
Is Ably GDPR compliant?
Yes. Ably has ensured that it has followed all the steps necessary to comply with the GDPR reforms.
Do you have a GDPR DPA (Data Processing Agreement) to sign?
No. Fortunately this is not necessary, as our online Terms incorporate everything that is required within a DPA document. This means that all Ably customers globally can rely on our standard terms, which include the provisions of a GDPR DPA and which apply automatically whenever they use AWS services to process personal data under the GDPR.
By incorporating our GDPR DPA into the Ably Service Terms, we are simply extending the terms of our GDPR DPA to all customers globally who require it under the GDPR. Please note that you can review the changes made to our terms to incorporate GDPR requirements in our legals audit trail from 29 March 2018.
Is Ably part of the EU-U.S. Privacy Shield Framework?
No. This is because only US businesses can join Privacy Shield, and Ably is incorporated in the UK. The Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. As Ably is within the EU, we comply with EU data protection requirements in any case.
What about HIPAA compliance?
Ably has a Business Associate Agreement (BAA) available for your organization's compliance purposes. Please read our Ably U.S. HIPAA (Health Insurance Portability and Accountability Act) Statement for more information, or get in touch to discuss your requirements.
Does Ably comply with EU data protection requirements?
How will Brexit and new EU regulation affect Ably’s approach to data protection?
We do not yet know what form Brexit will take or what the timescales will be. It is thought likely that UK legislation will in any case remain very much in line with EU legislation. In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal. While the Regulation entered into force on 24 May 2016, it will apply from 25 May 2018. Ably will review, and comply with, all revised UK data protection legislation once it is clarified.
Is Ably registered with the UK Information Commissioner’s Office?
Yes. Ably is registered as a data controller, registration reference ZA153339, and we can provide a copy of our certificate if required.
What level of data encryption does Ably use?
Ably uses TLS with 2048-bit encryption for all data in transit. However, customers can elect not to transmit their data over TLS. Within a single Ably data centre, data is moved around unencrypted, as it cannot be intercepted there, but it is always encrypted when moved between data centres.
Ably also offers optional 256-bit AES symmetric encryption of payloads, which makes it impossible for Ably to inspect any data payloads moving through the system at all.
Does Ably inspect data it transports?
No. Ably never inspects payloads. We treat them as opaque. Ably is a conduit for data (a ‘dumb pipe’) like the postal service in the physical world.
Does Ably transport personal data?
As a transport for information, Ably does not know the nature of the data we are handling. It is possible for our customers to transport the personal data of their customers.
Where is data going through the Ably platform stored?
Data in transit is held ephemerally (in memory, not on disk) in all 14+ data centres across all regions. Each region can have two or more data centres.
Messages are only persisted when the history feature is explicitly enabled, and that data is stored in US East Virginia, Europe Ireland, and Asia Singapore.
How long will Ably store data published through the platform for?
By default, messages are ephemeral and kept in memory only whilst in transit. Messages remain in memory for two minutes, the maximum time we allow for connections to be recovered.
However, when the history feature is explicitly enabled by our customers, data is stored on disk for the history duration configured for that package. Please see the history storage documentation for more details.