We are sometimes asked about our approach to data protection, so the following is further information on that. Do contact us if you want more details or have questions not covered here.
Is Ably GDPR compliant?
Yes. Ably has taken the steps necessary to comply with the GDPR.
Does Ably have a GDPR DPA (Data Processing Agreement)?
Yes. It can be found here, as an addendum to and as a standard part of our Terms of Service.
Is Ably part of the EU-U.S. Privacy Shield Framework?
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. (The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.)
US-based companies with data subjects in Europe will now need to implement a substitute legal mechanism, such as standard contractual clauses or binding corporate rules, and are advised to seek the advice of competent data privacy counsel in this regard.
To this end, Ably has implemented the Standard Contractual Clauses (also known as the EU Model Clauses), as part of Ably’s standard Data Processing Addendum.
Moreover, the Ably solution allows US-based companies (indeed, any company, whether based in the US, EU or elsewhere) to constrain Ably's management and distribution of their messages to within the confines of the EU, obviating the need for transatlantic data transfers. If you'd like to know more about this or adjust your account setup to impose this restriction, please contact Ably.
What about HIPAA compliance?
Ably offers a Business Associate Agreement (BAA) for your organization's compliance purposes. Please read our Ably U.S. HIPAA (Health Insurance Portability and Accountability Act) Statement for more information, or get in touch to discuss your requirements.
Does Ably comply with EU data protection requirements?
Is Ably registered with the UK Information Commissioner’s Office?
Yes. Ably is registered as a data controller, registration reference ZA153339, and we can provide a copy of our certificate if required.
What level of data encryption does Ably use?
Ably uses TLS for all data in transit, with 2048-bit RSA certificate keys. Customers can elect not to transmit their data over TLS, although this is not recommended. Within a single datacentre, data is moved around unencrypted, since that traffic never leaves the datacentre's private network; it is always encrypted when moved between datacentres.
Ably also offers optional 256-bit AES symmetric encryption of message payloads. The encryption is performed in the client libraries with a key that only the customer holds, so Ably never sees the key and cannot inspect payload contents at all. Note that only the payload is encrypted; channel names and message metadata remain visible to Ably.
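The following is an added illustration of what client-side payload encryption with a customer-held key looks like; it is not Ably's own code or wire format (Ably's libraries use their own scheme), and the key handling, JSON payload and AES-256-GCM mode are assumptions chosen here. The point it shows is that the intermediary carrying the blob holds no key material and therefore sees only an opaque ciphertext, while the receiving side detects any tampering in transit rather than silently accepting altered data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// keyBytes is the AES-256 key length, matching the 256-bit figure quoted above.
const keyBytes = 32

// EncryptPayload encrypts a message payload with AES-256-GCM under a key that
// only the publisher and subscribers hold. The returned string is what a
// transport in the middle would carry: a random 12-byte nonce followed by the
// ciphertext and a 16-byte authentication tag, base64-encoded. A random nonce
// is safe for well under 2^32 messages per key; rotate keys before that.
func EncryptPayload(key, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext||tag after the nonce so one blob is transported.
	sealed := aead.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPayload reverses EncryptPayload. It fails closed: a wrong key, a
// truncated blob or a single flipped bit anywhere in the ciphertext returns an
// error rather than garbage plaintext.
func DecryptPayload(key []byte, encoded string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// newAEAD builds the AES-256-GCM primitive, rejecting any key that is not
// exactly 32 bytes so a mis-sized key cannot silently select AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyBytes {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keyBytes, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed key for the demonstration. In practice it is generated by the
	// customer and distributed to clients out of band, never via the transport.
	key := make([]byte, keyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample payload; the transport never sees these fields.
	blob, err := EncryptPayload(key, []byte(`{"patient":"42","status":"admitted"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println("what the transport carries:", blob)

	pt, err := DecryptPayload(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("what the subscriber recovers:", string(pt))

	// Flip one bit in transit: the authentication tag no longer verifies.
	raw, _ := base64.StdEncoding.DecodeString(blob)
	raw[len(raw)-1] ^= 0x01
	if _, err := DecryptPayload(key, base64.StdEncoding.EncodeToString(raw)); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Only the payload bytes pass through EncryptPayload; anything the transport needs for routing (such as a channel name) stays in the clear, which is the same trade-off the paragraph above describes.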
Does Ably inspect data it transports?
No. Ably never inspects payloads. We treat them as opaque. Ably is a conduit for data (a ‘dumb pipe’) like the postal service in the physical world.
Does Ably transport personal data?
As a transport for information, Ably does not know the nature of the data it is handling. It is possible for our customers to transport the personal data of their customers.
Where is data going through the Ably platform stored?
Data in transit is held ephemerally in memory (never written to disk) in all 14+ datacentres across all regions. Each region has two or more datacentres.
Messages are only persisted when the history feature is explicitly enabled, and that data is stored in US East Virginia, Europe Ireland, and Asia Singapore.
How long will Ably store data published through the platform for?
By default, messages are ephemeral and kept in memory only whilst in transit. Messages remain in memory for two minutes, which is the maximum window within which a dropped connection can be recovered.
However, when the history feature is explicitly enabled by our customers, data is stored on disk for the history duration configured for that package. Please see the history storage documentation for more details.