Hopsworks is fully HIPAA and GDPR compliant. As a platform for data engineering, and the development and operation of machine learning models, we provide a comprehensive security framework and safeguards for a high level of compliance to the most demanding of regulatory standards.
The General Data Protection Regulation (GDPR) is a European privacy law1(Regulation 2016/679 of the European Parliament and of the Council of April 27, 20162) that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive (Directive 95/46/EC), and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each EU member state.
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
Under the GDPR, Hopsworks acts as both a data processor and a data controller. Under Article 32, controllers and processors are required to “…implement appropriate technical and organizational measures” that consider “the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.
The GDPR provides specific suggestions for what types of security actions may be required, including:
• The pseudonymization and encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely manner, in the event of a physical or technical incident.
• A process to regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.
When customers and Hopsworks partners use Hopsworks services to process personal data in their content, Hopsworks acts as a data processor. Customers and partners can use the controls available in Hopsworks services, including security configuration controls, to process personal data and control access to such data. Under these circumstances, the customer or partners may act as a data controller or a data processor, and Hopsworks acts as a data processor or sub-processor. The GDPR-compliant Data Processing Addendum (DPA) incorporates the commitments of Hopsworks as a data processor.
In particular, Hopsworks provides a project-based multi-tenant security models, where there are two possible user roles within a project - a data owner or a data scientist. All data within the platform with have a responsible individual who is a data owner within the data's project.
When programs on Hopsworks collect personal data and determine the purpose of processing that personal data, it acts as a data controller. For example, when Hopsworks processes account information for account registration, administration, services access, or contact information for the Hopsworks account to provide assistance through customer support activities, it acts as a data controller.
Article 25 of the GDPR states that the controller “…shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” The following Hopsworks access control mechanisms help customers comply with this requirement by allowing only authorized administrators, users, and applications to get access to Hopsworks resources and customer data.
● Data-in-motion is encrypted at the application layer using Transport Layer Security (TLS) 1.2 and data-at-rest is encrypted in the connected object store (S3 buckets or ADLS containers) or file system.
● Multi-layered access control using Projects for data owners, administrators, and ordinary users.
● Web and application access are protected by verified email address and authentication token (password, single sign on (SSO) with Kerberos/Active Directory or OAuth-2), and JWT provides session-based automatic logout.
● Project management and governance allows for granular access control for all the organization.
● None of the data is listed publicly.
● Hopsworks users are authenticated using either a password, 2-factor authentication, SSO with LDAP/AD/Kerberos, or OAuth-2.
Article 30 of the GDPR states that “…each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” Hopsworks provides audit-logs for all operations performed using its REST API, identifying the operation, who performed the operation, and when it was performed. Logs are created and stored for all applications that are run on the platform.
Hopsworks provides a detailed configuration of many types of resources in the Hopsworks account. This includes how the resources are related to one another, and how they were previously configured. The right to portability in Hopsworks ensures that data subjects have the right to data portability (Article 20), meaning they can request the personal data they have supplied to a controller in “a structured, commonly used and machine-readable format” in order to give it to another data controller. Hopsworks provides open standards for storing its data (in SQL databases and file formats such as parquet), enabling the data to be easily ingested into an alternative platform.
If technically feasible, the data subject can require the current controller to transmit it directly to the new data controller. For data breach notifications, Hopsworks has an internal policy of notification known to all the essential personal with a mandatory procedure guaranteeing the notification of data owners and customers affected by the breach within 72 hours. Additional information on data collection can be found in the Hopsworks Privacy Policy.
The Health Insurance Portability and Accountability Act and supplemental legislation, collectively referred to as the HIPAA rules (HIPAA), lay out privacy and security standards that protect the confidentiality of protected health information (PHI). In terms of Data Processing systems, the solution and security architecture must comply with the applicable standards, implementation specifications and requirements with respect to electronic PHI of a covered entity.
The general requirements of HIPAA Security Standards state that covered entities must:
1. Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
4. Ensure compliance by its workforce.
In the course of providing services to healthcare customers, the Hopsworks Platform enables HIPAA compliance to covered entities. In provisioning and operating Hopsworks, it complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its capacity as a business associate.
Hopsworks is responsible for enforcing the administrative, technical and physical safeguards to prevent any unauthorized access to or disclosure of protected health information (PHI) in the Hopsworks' environment.
The following table demonstrates how Hopsworks supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).
Healthcare organizations and account administrators need to have the tools and technology to ensure they’re meeting HIPAA standards. Hopsworks provide additional tools and safeguards to enable security and privacy of protected health information (PHI)
● Data-in-motion is encrypted at the application layer using TLS 1.2 and data-at-rest is encrypted.
● Role-based access control and project-based multi-tenant security allows for granular access control and read/write privilege across the Hopsworks platform.
● Data processing support in Hopsworks enables the anonymization and pseudo-anonymization of data and Hopsworks or it's users can store identifiable individual information when required.
Currently, the agencies that certify health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Security Rule), nor accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Hopsworks is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.
.svg)