Closed veeve closed 5 years ago
Under GDPR, Rockset is considered a data processor and Rockset's customer will be the data controller. And yes, it is already possible to get all data hosted and managed in Rockset to be GDPR compliant. Rockset has a variety of features from role-based access control to data encryption using customer-supplied master encryption keys that can be used to build a GDPR compliant stack.
Some of those features include:
Data retention policies: Rockset supports time-based retention in every collection/table and will automatically delete records that are past the retention setting. This allows organizations to easily enforce custom GDPR guided Personal Data retention policies.
Single sign-on support and role-based access control: Rockset supports enterprise-wide authentication mechanisms such as SSO + 2-factor auth. This allows organizations to ensure only authorized persons who follow can access GDPR personal data stored in Rockset.
Audit and access logs: All queries are logged in an immutable table/collection that is also queryable in Rockset. This allows organizations to implement data access monitoring and breach detection.
Encryption for data at rest: All data at rest is fully encrypted in Rockset. Customers can also provide custom encryption keys via Amazon KMS as a master key that will be used to encrypt all data stored at rest.
Encryption for data in transit: All API calls in Rockset use TLS/SSL HTTPS encryption and are shielded from tampering or network snooping.
Field mappings to anonymize PII/PHI: Rockset supports advanced field-mapping functionality that can be used to hash and pseudonymize sensitive PII/PHI personal data. A GDPR principle for securing Personal Data is Pseudonymization, which is defined as “...the processing of personal data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information.” This can be easily achieved in Rockset using field-mappings.
Availability and Resilience: All data is replicated to a minimum of 2 nodes to ensure high availability and resilience from node failures. This is automatically enabled for all Rockset accounts.
Disaster Recovery: A remote second region durable backup is supported for all data stored in Rockset for Enterprise customers. This will allow you to ensure business continuity during times of major disasters.
Let's reopen this issue if any new requirements or feature requests show up that will make GDPR compliance even easier for Rockset customers.
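
The pseudonymization definition quoted in the comment above hinges on "additional information" that is kept apart from the data. The following is an added example, not Rockset's field-mapping syntax and not code from the project: it assumes PII is tokenized client-side before ingestion, and the field names, records and key are constructed. It contrasts an unkeyed hash, which anyone can recompute from a guessed value, with a keyed HMAC whose key plays the role of the separately held information.

```python
import hashlib
import hmac

# Constructed sample records; field names are assumptions for this example.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
]
PII_FIELDS = {"email"}


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it from a guessed value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing the token requires the separately held key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of record with every PII field replaced by its keyed token."""
    return {
        name: keyed_pseudonym(val, key) if name in PII_FIELDS else val
        for name, val in record.items()
    }


def linkable_by_guessing(token: str, candidates: list, transform) -> list:
    """Return the candidates whose transform equals token (re-identification check)."""
    return [c for c in candidates if hmac.compare_digest(transform(c), token)]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key lives outside the data store
    for rec in RECORDS:
        print(pseudonymize(rec, key))
```

Tokens stay deterministic under one key, so joins and group-bys on the pseudonymized field still work; access to the key is what has to be restricted and logged.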
from a Rockset customer: