GDPR compliant when hosting applications to European users

1

Hi,

I wonder how I can be GDPR compliant when hosting applications to European users using Fly.io.

I have a use case hosting HTTP servers along with storage (database VMs and binary files in volumes). I’m hosting Fly VM’s in European countries.

Questions:

  1. Is routing related data encrypted to and from Fly VMs?
  2. Is routing related data sent outside Europe?
  3. Is Fly volumes encrypted?
  4. Is Fly volume data sent outside Europe?
  5. Is Fly volume backups encrypted?
  6. Is Fly volume backup data sent outside Europe?
  7. Is Fly secrets encrypted?
  8. Is Fly secrets stored outside of Europe?
  9. Do Fly.io have access to the encryption keys to the encrypted data in step 1-8?
  10. Can Fly.io ensure I’m the only person who can access Fly volumes?
  11. Can Fly.io ensure I’m the only person who can access Fly volume backups?
  12. Can Fly.io ensure I’m the only person who can access the Fly VM’s?
  13. Does Fly.io have any plans on implementing a Bring Your Own Keys (BYOK) solution for encrypted data?

I know there is a DPA agreement I can sign with Fly.io but it not enough:
GDPR and DPAs - we can help

Related topics:

2

I’m not a lawyer so take this with a grain of salt but AFAIK it really depends on the type of personal data you’re storing.

The GDPR makes a distinction between personal data (email, name, etc) and sensitive data (healthcare data, biometric data, etc).

Unless you’re storing sensitive data you don’t need to worry about having the upmost level of encryption and security throughout your infrastructure. If you’re just storing user emails nobody is going to check whether your storage is encrypted etc.

3

Thanks for answearing.

Im not very into this area neither, but have read something about not sending data to USA, if its only healthcare related data or personal data in general im not sure.

And I have read that me owning the encryption keys is crucial.

4

The data transfers between US-EU were forbidden because the US was not considered an adequeate country to safeguard personal data. This changed last year:

On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.

1 Like
5

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.