At AWS, customer trust is our top priority. We deliver services to millions of active customers, including enterprises, educational institutions, and government agencies in over 190 countries. Our customers include financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.
We know customers care deeply about privacy and data security. That’s why AWS gives them ownership and control over their content, by design, through simple, but powerful tools that allow customers to determine where their content will be stored, to secure their content in transit or at rest, and to manage access to AWS services and resources for their users. We also implement responsible and sophisticated technical and physical controls designed to prevent unauthorized access to or disclosure of customer content.
Maintaining customer trust is an ongoing commitment, and we strive to inform customers of the privacy and data security policies, practices, and technologies we’ve put in place. These commitments include:
- Access: Customers manage access to their customer content and AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (such as AWS CloudTrail). We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users.
- Storage: Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
- Security: Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
- Disclosure of customer content: We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure.
- Security Assurance: We have developed a security assurance program using global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated through multiple third-party assessments.
AWS classifies customer data into two categories: customer content and account information.
We define customer content as software (including machine images), data, text, audio, video or images that a customer or any end user transfers to us for processing, storage or hosting by AWS services in connection with that customer's account, and any computational results that a customer or any end user derives from the foregoing through their use of AWS services. For example, customer content includes content that a customer or any end user stores in Amazon Simple Storage Service. Customer content does not include account information, which we describe below. The terms of the AWS Customer Agreement or other agreement with us governing the use of AWS services apply to your customer content.
We define account information as information about a customer that a customer provides to us in connection with the creation or administration of a customer account. For example, account information includes names, usernames, phone numbers, email addresses and billing information associated with a customer account. The information practices described in the AWS Privacy Notice apply to account information.
Customers maintain ownership of their customer content and select which AWS services process, store and host their customer content. We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users. We never use customer content or derive information from it for marketing or advertising.
Customers control their customer content. With AWS, customers:
• Determine where their customer content will be stored, including the type of storage and geographic region of that storage.
• Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
• Manage access to their customer content and AWS services and resources through users, groups, permissions and credentials that customers control.
We know that customers care how account information is used, and we appreciate customers' trust that we will do so carefully and sensibly. The AWS Privacy Notice describes how we collect and use account information.
We are vigilant about our customers' privacy. We do not disclose customer content unless we're required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders, and we review all orders and object to overbroad or otherwise inappropriate ones. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure. It's also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.
We know transparency matters to our customers, so we regularly publish a report about the types and volume of information requests we receive here.
Customers choose the region(s) in which their customer content will be stored, allowing them to deploy AWS services in the location(s) of their choice, in accordance with their specific geographic requirements. AWS data centers are built in clusters in various regions around the globe.
For example, an AWS customer in the UK can choose to deploy its AWS services exclusively in the Europe (London) region and store its content onshore in the UK. If the customer makes this choice, its customer content will be located in the UK. Customers can replicate and back up their customer content in more than one region, and we will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
*Not all AWS services are available in all regions.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
• Security measures that AWS implements and operates - "security of the cloud"
• Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"
For a complete list of all the security measures built into our core AWS cloud infrastructure, platforms and services, please read our Overview of Security Processes Whitepaper.
We have developed a security assurance program using additional global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated through multiple third-party assessments.
AWS’s alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO information security standard 27002 and provides implementation guidance on the ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content. For more information, please visit the AWS ISO 27018 FAQ.
AWS data centers are built in clusters in various countries around the world. We refer to each of our data center clusters in a given country as a "Region." Customers have access to sixteen AWS Regions around the globe, including three Regions in the EU: Ireland (Dublin), the UK (London) and Germany (Frankfurt). Customers can choose to use one Region, all Regions or any combination of Regions.
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice. For example, AWS customers in Europe can choose to deploy their AWS services exclusively in one of the Regions in the EU (Germany, the UK, or Ireland). If the customer elects to do so, their content will be stored in Germany, the UK or Ireland, as they choose, unless the customer explicitly selects to move or replicate their content to a different AWS Region.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
AWS maintains certification with robust security standards, such as ISO 27001, SOC 1/2/3 and PCI DSS Level 1. We operate a shared responsibility model in the Cloud, under which AWS is responsible for the security of the underlying Cloud infrastructure (Security of the Cloud) and customers are responsible for the security of their data and applications (Security in the Cloud). AWS has teams of Solutions Architects, Account Managers, Consultants, Trainers and other staff in the EU expertly trained on cloud security and compliance to assist AWS customers in achieving high levels of security and compliance in the Cloud, following Cloud Security Best Practices. AWS also helps customers meet local security standards. For example, AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud.
The EU Data Protection Directive (also known as Directive 95/46/EC) is a regulation that covers the processing of personal data and the free movement of such data. Broadly, this Directive sets out a number of data protection requirements which apply when personal data is being processed.
The Article 29 Working Party has approved the AWS Data Processing Addendum, which includes the Model Clauses. The Article 29 Working Party has found that the AWS Data Processing Addendum meets the requirements of the Directive with respect to Model Clauses. This means that the AWS Data Processing Addendum is not considered “ad hoc”. For more detail on the approval of the AWS Data Processing Addendum from the Article 29 Working Party, please visit: http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html
The Luxembourg Data Protection Authority (the CNPD) acted as the lead authority on behalf of the Article 29 Working Party, in accordance with the procedures of the Article 29 Working Party.
For more information on how customers can enter into the AWS Data Processing Addendum, please visit here (sign-in required).
AWS customers that collect and store personal information in the Cloud are Data Controllers in the sense of Directive 95/46/EC.
More information about the roles of the customer and AWS can be found in the section “Data Protection in the EU: The Directive” of the AWS "Whitepaper on EU Data Protection".
The Standard Contractual Clauses (also known as "model clauses") are a set of standard provisions defined and approved by the European Commission that can be used to enable personal data to be transferred in a compliant way by a data controller to a data processor outside the European Economic Area.
The Article 29 Working Party was set up under the EU Data Protection Directive of the European Parliament and of the Council. It is made up of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. The Article 29 Working Party works to harmonise the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
Now that the EU-U.S. Safe Harbour program has been ruled invalid, can customers still use AWS and comply with EU law?
Security of our customers' data is our number one priority, and AWS has already obtained approval from EU data protection authorities, known as the Article 29 Working Party, of the AWS Data Processing Addendum and Model Clauses to enable transfer of data outside Europe, including to the U.S. With our EU-approved Data Processing Addendum and Model Clauses, AWS customers can continue to run their global operations using AWS in full compliance with EU law. The AWS Data Processing Addendum is available to all AWS customers that are processing personal data whether they are established in Europe or a global company operating in the European Economic Area.
For more information on how customers can enter into the AWS Data Processing Addendum, please visit here (sign-in required).
Yes. Amazon.com, Inc. is certified under the EU-US Privacy Shield and AWS is covered under this certification. This helps customers who choose to transfer personal data to the US to meet their data protection obligations. Amazon.com, Inc.’s certification can be found on the EU-US Privacy Shield website here: https://www.privacyshield.gov/list
To learn more about this topic in the context of AWS, visit our EU-US Privacy Shield page.
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). The GDPR is the biggest change in data protection laws in Europe since the introduction of the EU Data Protection Directive, also known as Directive 95/46/EC, in 1995. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. The GDPR will replace the EU Data Protection Directive, as well as all local laws relating to it.
AWS welcomes the GDPR. It protects European citizens’ fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise the bar for data protection, security, and compliance and will push the industry to implement stringent controls. We can confirm that all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018.
In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their operations.
The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.
The GDPR applies to all organizations operating in the EU and processing “personal data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
The GDPR will replace the existing Data Protection Directive (Europe Directive 95/46/EC). Beginning on May 25, 2018, the existing Data Protection Directive, and the laws relating to it, will no longer apply.
AWS compliance, data protection, and security experts have been working with customers around the world to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR becomes enforceable. These teams have also been reviewing everything that AWS already does to ensure it complies with the requirements of the new GDPR. We can confirm that all AWS services will comply with the GDPR when it becomes enforceable in May of 2018.
In addition, we have a new Data Processing Agreement (GDPR DPA) that will meet the requirements of the GDPR. This GDPR DPA is available now to all AWS customers to help them prepare for May 2018. For additional information on the GDPR DPA, or to obtain a copy, please contact your AWS Account Manager.
Recently, AWS also announced compliance with the CISPE Code of Conduct. The CISPE Code of Conduct helps cloud customers assess how their cloud infrastructure provider complies with its data protection obligations under the GDPR. AWS has declared that Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are fully compliant with the CISPE Code. This provides customers with additional assurances regarding their ability to fully control their data in a safe, secure, and compliant environment when they use AWS. More detail on AWS’s compliance with the CISPE Code of Conduct can be found at the website: https://cispe.cloud/
AWS continually maintains a high bar for security and compliance across all of our global operations. Security has always been our highest priority – truly "job zero." Our industry-leading security provides the foundation for our long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. AWS also helps customers meet local security standards such as BSI's Common Cloud Computing Controls Catalogue (C5), which is important in Germany.
AWS announced compliance with the CISPE Data Protection Code of Conduct. CISPE is a coalition of cloud infrastructure (also known as Infrastructure as a Service) providers who offer cloud services to customers in Europe. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistent with the GDPR. A few key benefits of the Code include:
- Clarifying who is responsible for what when it comes to data protection: The Code of Conduct explains the role of both the provider and the customer under the GDPR, specifically within the context of cloud infrastructure services.
- The Code of Conduct sets out what principles providers should adhere to: The Code of Conduct outlines the actions and commitments that providers should undertake to comply with the GDPR and help customers comply.
- The Code of Conduct gives customers the information, relating to data protection and data security, that they need to make decisions about compliance: The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments. These steps involve notifications relating to data breaches, data deletion, and third-party sub-processing, as well as law enforcement and governmental requests. Customers can use this information to gain a full understanding of the high levels of security provided.
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.
AWS is already providing specific features and services which help customers to meet requirements of GDPR:
Access Control: Allow only authorized administrators, users and applications access to AWS resources
- Multi-Factor Authentication (MFA)
- Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS and others
- API request authentication
- Temporary access tokens through AWS Security Token Service
Monitoring and Logging: Get an overview of activities on your AWS resources
- Asset management and configuration with AWS Config
- Compliance auditing and security analytics with AWS CloudTrail
- Identification of configuration challenges through AWS Trusted Advisor
- Fine-grained logging of access to Amazon S3 objects
- Detailed information about flows in the network through Amazon VPC Flow Logs
- Rule-based configuration checks and actions with AWS Config Rules
- Filtering and monitoring of HTTP access to applications with AWS WAF functions in Amazon CloudFront
Encryption: Encrypt data on AWS
- Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
- Centrally managed key management (per AWS Region)
- IPsec tunnels into AWS via VPN gateways
- Dedicated hardware security modules (HSMs) in the cloud with AWS CloudHSM
Strong Compliance Framework and Security Standards:
- ISO 27001/9001 certified
- ISO 27017/27018 certified
- Cloud Computing Compliance Controls Catalog (C5, a German government-backed attestation scheme)
- AWS, alongside auditor TÜV TRUST IT, has published a Customer Certification Workbook that provides guidance on achieving German BSI IT Grundschutz compliance in the Cloud
Although it will not become enforceable until May 2018, we are encouraging our customers and partners to start preparing for the GDPR now. For those that have already implemented a high bar for compliance, security, and data privacy, the move to GDPR should be simple. For those who are yet to start their journey to GDPR compliance, we urge you to start reviewing your security, compliance, and data protection processes now to ensure a smooth transition in May 2018. Here are some of the key points that you should consider for GDPR compliance:
• Territorial Reach: Determining whether the GDPR applies to an organisation’s activities is essential to ensuring that organisation's ability to satisfy its compliance obligations. The GDPR applies to all organisations that are established in the EU. However, depending on your activities, the GDPR may also apply to you if you are established outside the EU.
• Data Subject Rights: The GDPR enhances the rights of data subjects in a number of ways. For example, data subjects have the right to object to the processing of their data and they have the right to data portability. You will need to make sure you can accommodate the rights of data subjects if you are processing their personal data.
• Data Breach Notifications: If you are a data controller, you will need to report data breaches to the data protection authorities without undue delay. Using AWS gives you control over how you want to process personal data and protect it. This gives you the ability to monitor your own environment for privacy breaches and to notify regulators and affected individuals as required under the GDPR. In addition, AWS will notify you without undue delay if we are aware of a breach of our security standards relating to the AWS network.
• Data Protection Officer (DPO): You may need to appoint a DPO who will need to manage data security and other issues relating to the processing of personal data.
• Data Protection Impact Assessment (DPIA): You may need to conduct, and in some circumstances you may be required to file with the supervisory authority, a DPIA for your processing activities. This will need to identify your data handling procedures and processes, as well as the controls in place to protect personal data.
• Data Processing Agreement (DPA): You may need a DPA that will meet the requirements of the GDPR particularly if personal data is transferred outside the EEA. AWS offers customers a GDPR DPA that is available on request to help customers prepare for next May.
AWS offers a wide range of services and specific service features which help customers to meet requirements of the GDPR, including services for access controls, monitoring, logging and encryption. More information on these can be found in the section above, "What services does AWS offer customers to help them comply with the GDPR?"
We also have teams of compliance, data protection, and security experts, as well as AWS Partner Network Partners, working with customers across Europe to answer their questions and help them prepare for running workloads in the cloud after the GDPR becomes enforceable. For additional information on this, please contact your AWS Account Manager.