Indonesia Data Privacy
Protect your data
Earning customer trust is the foundation of our business at AWS and we know you trust us to protect your most critical and sensitive assets: your data. We earn this trust by working closely with you to understand your data protection needs, and by offering the most comprehensive set of services, tooling, and expertise to help you protect your data. To do this, we provide technical, operational, and contractual measures needed to protect your data. With AWS, you manage the privacy controls of your data, control how your data is used, who has access to it, and how it is encrypted. We underpin these capabilities with the most flexible and secure cloud computing environment available today.
Our commitments to you
With AWS, you control your data by using powerful AWS services and tools to determine where your data is stored, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable governance, compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (KMS) allow you to securely generate and manage encryption keys.
You can choose to store your customer data in any one or more of our AWS Regions around the world. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of data, for example, to develop and improve those services, where you can opt-out of the transfer, or because transfer is an essential part of the service (such as a content delivery service). We prohibit -- and our systems are designed to prevent -- remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law. If we receive a law enforcement request, we will challenge law enforcement requests for customer data from governmental bodies where the requests conflict with law, are overbroad, or where we otherwise have appropriate grounds to do so. We also provide a bi-annual Information Request Report describing the types and number of information requests AWS receives from law enforcement.
At AWS, security is our top priority and security in the cloud is a shared responsibility between AWS and our customer. Financial services providers, healthcare providers, and governmental agencies are among the customers, who trust us with some of their most sensitive information. You can improve your ability to meet core security, confidentiality, and compliance requirements with our comprehensive services, whether that's through Amazon GuardDuty, or our AWS Nitro System, the underlying platform for our EC2 instances. In addition, services such as AWS CloudHSM and AWS Key Management Service allow you to securely generate and manage encryption keys, and AWS Config and AWS CloudTrail deliver monitoring and logging capabilities for compliance and audits.
Indonesia enacted its Personal Data Protection Law (Law of the Republic of Indonesia Number 27 Year 2022) (PDP Law) on October 17, 2022. The PDP Law applies to persons residing (i) in Indonesia; and (ii) outside Indonesia if their actions have legal consequences in Indonesia or for Indonesian data subjects abroad.
The PDP Law distinguishes between data controller and data processor, and applies different data handling obligations on each of them. A data controller is a person who determines the objectives of, and exercises control over, the processing of personal data. A data processor is a person who processes data at the instruction of a data controller. At a high level, some of the key obligations of data controllers include:
- Processing personal data in accordance with the specified legal bases for processing, including consent from the data subject, contractual necessity and legitimate interest
- Implementing appropriate security measures to protect the personal data from unauthorized disclosure
- Responding to the rights of data subjects including rights to access and correct their personal data, and requests to delete their personal data
- Transferring personal data outside of Indonesia only where conditions for such transfer have been fulfilled
For data processors, the PDP Law requires their personal data processing to be only in accordance with the instructions of the data controller. The PDP Law does not include any data localization requirements.
Existing personal data protection regulations, including the Law No. 11 of 2008 regarding Electronic Information and Transactions, Government Regulation No. 71 of 2019 regarding Operation of Electronic System and Transactions (GR 71) (which amended Government Regulation No. 82 of 2012 Concerning Electronic System and Transaction Operation), and Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (Ministerial Regulation 20) continue to remain in force to the extent they do not conflict with the PDP Law.
AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customer's data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.
AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 22301, PCI DSS Level 1, and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.
For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.
These comprehensive AWS technical and organizational measures are consistent with typical regulatory goals to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.
As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the PDP Law, customers are ultimately responsible for their own compliance with the PDP Law and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you store and process personal data using AWS services.
What is the customer’s role in securing their content?
Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center. Customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
- Security measures that AWS implements and operates - "security of the cloud", and
- Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"
Who can access customer content?
Customers maintain ownership and control of their customer content and select which AWS services process, store and host their customer content. AWS does not have visibility into customer content and does not access or use customer content except to provide the AWS services selected by a customer or where required to comply with the law or a binding legal order.
Customers using AWS services maintain control over their content within the AWS environment. They can:
- Determine where it will be located, for example the type of storage environment and geographic location of that storage.
- Control the format of that content, for example plain text, masked, anonymized or encrypted, using either AWS provided encryption or a third-party encryption mechanism of the customer’s choice.
- Manage other access controls, such as identity access management and security credentials.
- Control whether to use SSL, Virtual Private Cloud and other network security measures to prevent unauthorized access.
This allows AWS customers to control the entire life-cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention and deletion.
Where will customer content be stored?
AWS data centers are built in clusters in various locations around the world. We refer to each of our data center clusters in a given location as a "Region."
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
How does AWS secure its data centers?
The AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.
To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.
Learn more about how we secure AWS data centers by design by taking a virtual tour »
Which AWS Regions can I use?
What security measures does AWS have in place to protect systems?
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Amazon's scale allows significantly more investment in security policing and countermeasures than almost any large company could afford on its own. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of personal data.
AWS also provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of security standards and regulations - including ISO 27001, ISO 27017, and ISO 27018. To provide transparency on the effectiveness of these measures, we provide access to the third party audit reports in AWS Artifact. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance Resources.