Galaxy and Meteor APM has the potential to contain ‘personal data’ as defined in the EU’s GDPR regulations - this could be in the form of data within container logs or various traces/errors within the Meteor APM. Apollo Engine could potentially be in the same boat due to its collection of the variables for GQL queries/mutations.
I contacted Galaxy support about MDG’s compliance with GDPR and received a very brief response stating that they are not currently compliant, along with a link to the Galaxy Security page in the docs. I’ve sent a follow-up asking if they have any plans to become compliant and am currently awaiting their response.
I’m of the understanding that if any sub-processors you use are not GDPR compliant, it acts like a chain, which means anyone who hosts on Galaxy and handles personal data of EU citizens is potentially not going to be compliant, unless MDG become compliant. I’m not a lawyer, so don’t take this as gospel truth, but it’s my understanding of the matter.
Has anyone else considered the implications of this on their business? What actions are you taking if so?