The General Data Protection Regulation (GDPR) is a European privacy law1(Regulation 2016/679 of the European Parliament and of the Council of April 27, 20162) that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive (Directive 95/46/EC), and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each EU member state.
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
Hopsworks Compliance with the GDPR
Under the GDPR, Hopsworks acts as both a data processor and a data controller. Under Article 32, controllers and processors are required to “…implement appropriate technical and organizational measures” that consider “the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.
The GDPR provides specific suggestions for what types of security actions may be required, including:
• The pseudonymization and encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely manner, in the event of a physical or technical incident.
• A process to regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.
Hopsworks as Data Processor
When customers and Hopsworks partners use Hopsworks services to process personal data in their content, Hopsworks acts as a data processor. Customers and partners can use the controls available in Hopsworks services, including security configuration controls, to process personal data and control access to such data. Under these circumstances, the customer or partners may act as a data controller or a data processor, and Hopsworks acts as a data processor or sub-processor. The GDPR-compliant Data Processing Addendum (DPA) incorporates the commitments of Hopsworks as a data processor.
In particular, Hopsworks provides a project-based multi-tenant security models, where there are two possible user roles within a project - a data owner or a data scientist. All data within the platform with have a responsible individual who is a data owner within the data's project.
Hopsworks as Data Controller
When programs on Hopsworks collect personal data and determine the purpose of processing that personal data, it acts as a data controller. For example, when Hopsworks processes account information for account registration, administration, services access, or contact information for the Hopsworks account to provide assistance through customer support activities, it acts as a data controller.
Compliance and Security Standards
Article 25 of the GDPR states that the controller “…shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” The following Hopsworks access control mechanisms help customers comply with this requirement by allowing only authorized administrators, users, and applications to get access to Hopsworks resources and customer data.
● Data-in-motion is encrypted at the application layer using Transport Layer Security (TLS) 1.2 and data-at-rest is encrypted in the connected object store (S3 buckets or ADLS containers) or file system.
● Multi-layered access control using Projects for data owners, administrators, and ordinary users.
● Web and application access are protected by verified email address and authentication token (password, single sign on (SSO) with Kerberos/Active Directory or OAuth-2), and JWT provides session-based automatic logout.
● Project management and governance allows for granular access control for all the organization.
● None of the data is listed publicly.
● Hopsworks users are authenticated using either a password, 2-factor authentication, SSO with LDAP/AD/Kerberos, or OAuth-2.
Monitoring and Logging
Article 30 of the GDPR states that “…each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” Hopsworks provides audit-logs for all operations performed using its REST API, identifying the operation, who performed the operation, and when it was performed. Logs are created and stored for all applications that are run on the platform.
Right to Portability
Hopsworks provides a detailed configuration of many types of resources in the Hopsworks account. This includes how the resources are related to one another, and how they were previously configured. The right to portability in Hopsworks ensures that data subjects have the right to data portability (Article 20), meaning they can request the personal data they have supplied to a controller in “a structured, commonly used and machine-readable format” in order to give it to another data controller. Hopsworks provides open standards for storing its data (in SQL databases and file formats such as parquet), enabling the data to be easily ingested into an alternative platform.
Data breach notifications