Peter Nordmark in Security

Haaartland + AWS and the Cloud Act 👻

Security and privacy are two of the pillars we founded Haaartland on. From day one, this has gone into everything we do. We want to make sure all of our clients are safe, including companies and public sector clients that have to comply with local laws, regulations and sovereignty requirements to protect their data.

TL;DR

Don't worry. You do not need to be concerned about the Cloud Act when using Haaartland.

Your security is our job zero

We operate our services on the AWS cloud platform. This means that the data you own is not physically under our control. It lives in the cloud. Is this really safe? And what about the Cloud Act? Can I use Haaartland in the public sector? The questions are many.

I will get back to the Cloud Act and what it means, but let me start off by telling you how we at Haaartland ensure your data is safe with us.

The Haaartland system

Data needs to be protected both in transit and at rest. We protect your data in transit using the latest tech in transport layer security. The little 🔒 you see in your browser address bar indicates that the data sent from your browser (or our app) is encrypted. Only you and our edge servers can see the actual data transmitted.

When your data is at rest in Haaartland's storage, it is automatically encrypted. Any files created in file storage or in our databases are encrypted using keys only we know. Sensitive data is even encrypted one more time: passwords, chat logs, etc. are encrypted with keys unique to every user. So basically all sensitive data is stored in an encrypted format residing in encrypted files.

Protecting data with keys unique to the user makes it impossible even for us to read things like chat logs, even though they are stored on our server. That is private to you, so we have even removed the possibility for ourselves to snoop. Speaking of chats: our chats and video calls are always end-to-end encrypted, meaning you can be sure no one listens in on a private conversation. Not during, not after.

We also use a permission and credentials scheme to make sure that unauthorized people can never pull data not intended for them from our servers.

We try our best to make sure no one can hijack your account by encouraging you to use complex passwords. If you have a mobile phone, we even support one-time passwords. This spring we will also add biometric authentication. There are several more account protection mechanisms like account locking to protect from brute force attacks and the like.

And finally, our app is built from the ground up with security in mind. We protect any data on your phone or tablet too by encrypting it. We also employ techniques for anti-tampering, anti-fraud, and so forth in the app bringing the security to another level.

AWS

For AWS, its customers' security and privacy are key. If the customers cannot trust AWS with their data, the cloud is dead. The customers (including governmental agencies) need to be able to trust AWS with their most sensitive content. The Cloud Act did not alter or weaken their commitment.

AWS provides an extensive set of security services and features to help ensure that the customers have complete control of their data. At the heart of these services are industry-leading encryption services that give customers a range of options to encrypt data in transit and at rest, and to manage encryption/decryption keys – because encrypted content is rendered useless without the applicable decryption keys. These services are used by Haaartland.

AWS handles a request for data from law enforcement (regardless of the Cloud Act) in the following manner:

When AWS receives a request for data located outside the United States, we have tools to challenge it and a long track record of doing so. In fact, our challenges typically begin well before we go to court. Each request from law enforcement agencies is reviewed by a team of legal professionals. As part of that review, we assess whether the request would violate the laws of the United States or of the foreign country in which the data is located, or would violate the customer’s rights under the relevant laws. We rigorously enforce applicable legal standards to limit – or reject outright – any law enforcement request for data coming from any country, including the United States. We actively push back on law enforcement agencies to address concerns, which frequently results in them withdrawing their request.

In the event we cannot resolve a dispute, we do not hesitate to go to court. Amazon has a history of formally challenging government requests for customer information that we believe are overbroad or otherwise inappropriate. We will continue to resist requests, including those that conflict with local law such as GDPR in the European Union, to do everything we can to protect customer data. We will also notify customers before disclosing any content

- Michael Punke, VP of Global Public Policy at AWS

The Cloud Act

The CLOUD Act did not change cloud providers’ ability to protect their customers. In fact, the CLOUD Act recognizes the right of cloud providers to challenge requests that conflict with another country’s laws or national interests and requires that governments respect local rules of law. Additionally, foreign governments concerned about the risk of government data disclosure may be entitled to sovereign immunity. The United States recognizes that under the principle of sovereign immunity foreign governments have effective legal means under U.S. law to prevent disclosure of their data.

Cloud computing is positively impacting lives around the world in all kinds of ways. New technologies are created that shape the ways we live and learn, whether through photo sharing and video streaming, increased access to financial services and e-commerce/trade, processing geospatial data for new discoveries, creating or promoting greater opportunities for education and skills development, or helping industries evolve with accessible AI/ML services. What would be incredibly disappointing would be for all of this to be slowed due to fundamental misunderstandings about the CLOUD Act.

- Michael Punke, VP of Global Public Policy at AWS

Still have questions?

Don't hesitate to contact us about any concerns you might have at support@haaartland.com

Martin Lindeskog

@Peter Nordmark Thanks for the heads-up. I would like to talk more with you about this topic in the future.
Johanna Bruce

Can you kindly also relate to Schrems II?

Peter Nordmark

@Johanna Bruce OK. I will update the article as soon as I can.

Peter Nordmark

@Johanna Bruce Meanwhile, this outlines Haaartland's current position in relation to Schrems II: https://aws.amazon.com/blogs/security/customer-update-aws-and-the-eu-us-privacy-shield/

Mx Tester

@Mx Tester test

Peter Nordmark

@Mx Tester PING!

Peter Nordmark

@Terry Winship Just a mail test