MDG/Galaxy GDPR Compliance

Galaxy and Meteor APM have the potential to contain ‘personal data’ as defined in the EU’s GDPR regulations - this could be in the form of data within container logs or various traces/errors within the Meteor APM. Apollo Engine could potentially be in the same boat due to its collection of the variables for GQL queries/mutations.

I contacted Galaxy support about MDG’s compliance with GDPR and received a very brief response stating that they are not currently compliant, along with a link to the Galaxy Security page in the docs. I’ve sent a follow-up asking if they have any plans to become compliant and am currently awaiting their response.

I’m of the understanding that if any sub-processors you use are not GDPR compliant, it acts like a chain, which means anyone who hosts on Galaxy and handles personal data of EU citizens is potentially not going to be compliant unless MDG become compliant. I’m not a lawyer, so don’t take this as gospel truth, but it’s my understanding of the matter.

Has anyone else considered the implications of this on their business? What actions are you taking if so?


Partially correct (from my understanding). Galaxy needs to fulfill certain things in GDPR. Most of those things are proper documentation and procedures (aka ISO 27001). If your app is to be compliant it also needs to be hosted in the EU region (so that would be the Frankfurt region), including the database. You can get around that requirement by putting an agreement in your TOS that the data is being stored and processed in the given datacenters.
I think the biggest issue is the APM service (if you have that) since that can store some user data.

As for myself, I’m still at the stage where I’m trying to improve my app to be compliant (user deletion and data export). I’m also rewriting the TOS and other legal documents, which will explicitly state that the data is stored and processed in the USA (where I have the app deployed). I’m currently adding a process which will not allow the app to be used unless the user has agreed to the terms (since they can revoke their agreement as stipulated by GDPR).

Unfortunately, logs in general present an important surface for compliance issues.

For instance if some log contains any user identifiable data, that automatically constitutes liability.

Actually, the same goes for your database oplog, database slow query and/or error log, too.

APM imho is more concerned about the metrics rather than the data, so you might already be safe there.

The issue with APM is that in the errors report part it also shows stack traces and other log entries, so you run into the same issue as with logs.


That’s correct, I overlooked stack traces.

Hi guys,

so what’s the current state on this?

Is galaxy GDPR compliant?

See: https://galaxy-guide.meteor.com/gdpr.html
