
We are building a video call application utilising Amazon Chime SDK. Our application serves customers in the UK and needs to be GDPR compliant.

Amazon Chime's compliance info page doesn't explicitly state anything in relation to GDPR compliance. However, AWS itself states it is, and Chime is a service under AWS.

So we are not sure if Chime itself is GDPR compliant. Could someone please advise if they have any relevant information to confirm or deny Chime's GDPR compliance conclusively.

emecheon
  • The only way to find out is to see whether they respect people's rights under GDPR. https://noyb.eu/en/exercise-your-rights – Nemo Jul 09 '23 at 07:05

3 Answers


I believe Amazon Chime is not GDPR compliant. The website provides no way to export existing user data. The documented approach to exporting history is to scroll back in the chat history and copy paste: https://answers.chime.aws/questions/629/how-can-i-save-all-the-data-from-a-chat-room-or-co.html

fileyfood500

After multiple attempts we did get a response - albeit vague - from AWS.

At the foundation of Amazon Chime security is Amazon Web Services (AWS) Security. AWS regions and networks are built and operated to meet the requirements of some of the world’s most security-sensitive organizations. AWS constantly undergoes third-party audits by a variety of public sector and private sector auditing organizations in order to maintain its status under multiple compliance offerings, such as the credit card industry’s PCI DSS Level 1, the U.S. Government’s FedRAMP program, C5 Certification in Germany, and IRAP assessment by the Australia Government. For more information, see the AWS Security and AWS Compliance websites. Amazon Chime is designed and operated according to the same AWS standards, has undergone the compliance process required to be a HIPAA-eligible service, and is currently in the process of being added to other relevant compliance programs.

The Amazon Chime SDK can be used by customers who incorporate GDPR best practices and compliance using our Shared Responsibility Model.

So they seem to imply it can be used in a GDPR compliant way.

Additional info: Specific to the chat feature, AWS advised us to use the data-messaging API route to ensure the data relay and retention within the EU.

All chat messages in the Chime app are relayed and stored in us-east-1 (Virginia). The chat messages always leave the UK.

There is a data messaging API in the SDK that can be used to build chat (https://aws.github.io/amazon-chime-sdk-js/modules/apioverview.html#9-send-and-receive-data-messages-optional). These messages flow through the same region that is used to host the meeting (London, for example) and they are persisted there for a few minutes and until the end of the meeting so that they can be relayed to other participants during that meeting.

emecheon
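An added example (not code from the question, the answers, or AWS) of the pattern emecheon's second answer describes: refuse to join a meeting whose MediaRegion (from the CreateMeeting response) is outside an EU allowlist, and carry chat over the SDK's data-message channel instead of the Chime app's chat. The `audioVideo` object stands in for the amazon-chime-sdk-js AudioVideoFacade; the region allowlist is an assumption, and the 2 KB payload and 5-minute lifetime caps are the SDK's documented data-message limits as I understand them.

```javascript
// Added example, not from the question or from AWS. Keeps meeting chat in the
// meeting's own (EU) region: the message is relayed by the meeting's data
// channel and is never written to the us-east-1 chat store the answer mentions.

// Assumed allowlist of EU media regions (eu-west-2 is London).
const EU_MEDIA_REGIONS = new Set([
  'eu-west-2', 'eu-west-1', 'eu-west-3', 'eu-central-1', 'eu-north-1', 'eu-south-1',
]);
const CHAT_TOPIC = 'chat';
const MAX_DATA_BYTES = 2048;    // SDK limit on one data-message payload
const MAX_LIFETIME_MS = 300000; // SDK limit: a message is held in the relay at most 5 min

// Check the CreateMeeting response before the client joins; returns the region.
function assertEuMeeting(createMeetingResponse) {
  const meeting = (createMeetingResponse && createMeetingResponse.Meeting) || {};
  const region = meeting.MediaRegion;
  if (!EU_MEDIA_REGIONS.has(region)) {
    throw new Error(`refusing to join: MediaRegion ${region} is outside the EU allowlist`);
  }
  return region;
}

// Send one chat line as a data message. Enforces the size cap and clamps the
// lifetime so a message is never asked to outlive the SDK's relay window.
function sendChat(audioVideo, text, lifetimeMs = 60000) {
  const payload = new TextEncoder().encode(JSON.stringify({ text, sentAt: Date.now() }));
  if (payload.byteLength > MAX_DATA_BYTES) {
    throw new Error(`chat message too large: ${payload.byteLength} bytes > ${MAX_DATA_BYTES}`);
  }
  const ttl = Math.min(lifetimeMs, MAX_LIFETIME_MS);
  audioVideo.realtimeSendDataMessage(CHAT_TOPIC, payload, ttl);
  return { topic: CHAT_TOPIC, bytes: payload.byteLength, lifetimeMs: ttl };
}

// Receive side: decode each data message on the chat topic and hand the text
// to the UI. Messages flagged throttled by the SDK are dropped, not rendered.
function subscribeChat(audioVideo, onText) {
  audioVideo.realtimeSubscribeToReceiveDataMessage(CHAT_TOPIC, (dataMessage) => {
    if (dataMessage.throttled) return;
    const { text } = dataMessage.json();
    onText(dataMessage.senderAttendeeId, text);
  });
}
```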

Talk to your AWS technical POC. I am sure they can help you understand this better. AWS is a big ecosystem of services. Chime used with other services can be made GDPR compliant.

For instance, all Chime events are tracked via AWS EventBridge. Should be pretty easy to attribute and track all data for a specific user.

  • I think you are no longer correct: https://www.cookiebot.com/en/schrems-ii-privacy-shield/. It is only GDPR compliant when you can guarantee that the data cannot be accessed by the American Government... which you cannot. The Schrems II case challenged the legality of this (US storage) system, arguing that an EU adequate level of data protection cannot be ensured by Facebook (or other American parties), since US laws (like FISA 702 and EO 12.333) mandate mass surveillance in sharp contrast to EU law (like the GDPR) that mandates strong data privacy. – Mr. Hugo Aug 28 '20 at 23:19