General Data Protection Regulation

This topic provides an overview of the General Data Protection Regulation (GDPR) and where Pivotal Cloud Foundry (PCF) may store personal data.

Overview

GDPR came into effect on May 25, 2018 and impacts any company processing the data of EU citizens or residents, even if the company is not EU-based. The GDPR sets forth how companies should handle privacy issues, securely store data, and respond to security breaches.

Understand Personal Data

The GDPR grants data subjects certain rights, such as the right to obtain a copy of their personal data, the right to object to the processing of their personal data, and the right to have their personal data erased. Organizations subject to the GDPR need to ensure that, if they process personal data, they can address and respond to requests from data subjects.

Article 4, Section 1 of the GDPR defines personal data as follows:

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

For more information, see the GDPR text.

Personal data can be collected, stored, and processed in a PCF deployment. Pivotal has performed a review of PCF components and determined that personal data may reside in the areas described in the following sections.

Where Personal Data May Reside

The following sections explain how different PCF components collect personal data.

User Account and Authentication (UAA)

UAA is an open-source Cloud Foundry component that provides identity management features and identity-based security for applications and APIs. For more information, see User Account and Authentication.

Each entry below answers the same questions for one UAA workflow: what personal data is collected, when it is collected, where it is stored, how it is processed, and who has access to it.

Business Initiation

  User registers
    • What personal data is collected? Username; Email address; First name (optional); Last name (optional); User ID (UAA GUID, generated)
    • When is it collected? User registration submission
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? End user; UAA administrators

  Just-in-time provisioning: create user on user login
    • What personal data is collected? Username; Email address; First name (optional); Last name (optional); User ID (UAA GUID, generated); Additional attributes as defined by the organization
    • When is it collected? User login
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? UAA administrators

  Admin user makes a creation API call
    • What personal data is collected? Username; Email address; First name (optional); Last name (optional); User ID (UAA GUID, generated); Additional attributes as defined by the organization
    • When is it collected? Admin API call
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? UAA administrators

Business Execution

  User self-updates profile
    • What personal data is collected? Email address; First name (optional); Last name (optional)
    • When is it collected? User registration submission
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? End user; UAA administrators

  Just-in-time provisioning: user update
    • What personal data is collected? Email address; First name (optional); Last name (optional); Additional attributes as defined by the organization
    • When is it collected? User login
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? UAA administrators

  User logs in
    • What personal data is collected? Current account cookie (generated); Saved account cookie (generated)
    • When is it collected? User login
    • Where is it stored? User browser
    • How is it processed? By UAA
    • Who has access to it? End user; UAA login page

  Admin user makes an update API call
    • What personal data is collected? Email address; First name (optional); Last name (optional); Additional attributes as defined by the organization
    • When is it collected? Admin API call
    • Where is it stored? UAA DB
    • How is it processed? Stored in UAA DB
    • Who has access to it? UAA administrators

Delete User Flow

  Admin user makes a hard delete API call
    • What personal data is collected? n/a
    • When is it collected? n/a
    • Where is it stored? n/a
    • How is it processed? Deleted from UAA DB
    • Who has access to it? UAA administrators

  Admin user makes a deactivation API call
    • What personal data is collected? n/a
    • When is it collected? n/a
    • Where is it stored? n/a
    • How is it processed? Soft delete (records are still held in the database, but the user cannot log in)
    • Who has access to it? UAA administrators

Reports/Logs

  Event or debug logs
    • What personal data is collected? Any information
    • When is it collected? When the event happens
    • Where is it stored? UAA logs
    • How is it processed? Depends on the setup of Loggregator and log forwarding
    • Who has access to it? BOSH administrators

Cloud Foundry API

The Cloud Foundry API release contains several components, including the Cloud Controller. For more information, see the Cloud Foundry API release README.

Each entry below answers the same questions for one Cloud Foundry API workflow: what personal data is collected, when it is collected, where it is stored, how it is processed, who has access to it, and how long it is kept.

Business Initiation

  User makes a request for the first time
    • What personal data is collected? User ID
    • When is it collected? The first time a user makes a request to the API
    • Where is it stored? Cloud Controller DB
    • How is it processed? It is used to identify permissions for the user
    • Who has access to it? PCF operator
    • How long is it kept? As long as the user is part of the system

Business Execution

  Troubleshooting API requests
    • What personal data is collected? User ID; User agent; IP address
    • When is it collected? On each request
    • Where is it stored? Local VM (component and logs); Log aggregator used by PCF operator
    • How is it processed? n/a
    • Who has access to it? PCF operator
    • How long is it kept? Local VM: 4 week maximum by default; Log aggregator: as configured by PCF operator

Audit Trails

  Audit what changes a user makes (audit events)
    • What personal data is collected? Name; User ID; Email address
    • When is it collected? On specific API requests that mutate the state of resources
    • Where is it stored? Audit Event Table in the Cloud Controller DB
    • How is it processed? n/a
    • Who has access to it? PCF operator; Users that can view the resource that had an audited change
    • How long is it kept? 31 days

  Audit what changes a user makes (CEF logs)
    • What personal data is collected? IP Address; Email address; User ID; Username
    • When is it collected? On each request
    • Where is it stored? Local VM (CEF logs); Log aggregator used by PCF operator
    • How is it processed? n/a
    • Who has access to it? PCF operator
    • How long is it kept? Local VM: 4 week maximum by default; Log aggregator: as configured by PCF operator

  Audit what user created a resource
    • What personal data is collected? Name; User ID; Email address
    • When is it collected? When API resources are created
    • Where is it stored? As part of the resource row in the Cloud Controller DB
    • How is it processed? n/a
    • Who has access to it? PCF operator; Users that can view the resource
    • How long is it kept? As long as the resource exists

Routing

By default, the Gorouter logs include the X-Forwarded-For header, which may include the originating client IP. Under GDPR, client IP addresses should be considered personal data.

Disable Client IP Logging

In Pivotal Application Service (PAS) v2.0 and later and Elastic Runtime v1.12, operators can disable logging of client IP addresses in the Gorouter.

To disable logging of client IP addresses, do the following:

  1. Navigate to the Ops Manager Installation Dashboard and click the PAS or Elastic Runtime tile.

  2. Click Networking.

  3. Under Logging of Client IPs in CF Router, select one of the two options:

    • If the source IP address exposed by your load balancer is its own IP address, select Disable logging of X-Forwarded-For header only.
    • If the source IP address exposed by your load balancer belongs to the downstream client, select Disable logging of both source IP and X-Forwarded-For header.

  4. Click Save.

  5. Return to the Ops Manager Installation Dashboard and click Apply Changes to redeploy.
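After Apply Changes completes, an operator can confirm the setting took effect by inspecting Gorouter access-log lines for the two fields the options above control. The following script is an added example written for this page; it is not code from the PCF documentation or the Gorouter project. It assumes the Gorouter access-log layout in which the remote (source) address is the fourth double-quoted field and the X-Forwarded-For value is logged as x_forwarded_for:"...", with "-" written for a suppressed field. The sample log lines are constructed.

```python
"""Report Gorouter access-log lines that still carry a client IP address.

Added example for checking the Logging of Client IPs in CF Router setting;
not code from the PCF documentation or the Gorouter project. Assumed layout:
the remote (source) address is the fourth double-quoted field and the
X-Forwarded-For value appears as x_forwarded_for:"..."; a suppressed field
is logged as "-". The SAMPLE lines are constructed.
"""
import ipaddress
import re

QUOTED = re.compile(r'"([^"]*)"')
XFF = re.compile(r'x_forwarded_for:"([^"]*)"')

# Constructed lines: before the change, after option 1, after option 2.
SAMPLE = [
    # before the change: both the source address and X-Forwarded-For are logged
    'app.example.com - [2018-05-25T10:00:00.000+0000] "GET /health HTTP/1.1" 200 0 2 "-" '
    '"curl/7.58.0" "10.0.16.3:51234" "10.0.32.7:61002" x_forwarded_for:"203.0.113.9" '
    'x_forwarded_proto:"https" vcap_request_id:"req-1" response_time:0.002 app_id:"app-guid-1" app_index:"0"',
    # after "Disable logging of X-Forwarded-For header only"
    'app.example.com - [2018-05-25T10:00:01.000+0000] "GET /health HTTP/1.1" 200 0 2 "-" '
    '"curl/7.58.0" "10.0.16.3:51235" "10.0.32.7:61002" x_forwarded_for:"-" '
    'x_forwarded_proto:"https" vcap_request_id:"req-2" response_time:0.002 app_id:"app-guid-1" app_index:"0"',
    # after "Disable logging of both source IP and X-Forwarded-For header"
    'app.example.com - [2018-05-25T10:00:02.000+0000] "GET /health HTTP/1.1" 200 0 2 "-" '
    '"curl/7.58.0" "-" "10.0.32.7:61002" x_forwarded_for:"-" '
    'x_forwarded_proto:"https" vcap_request_id:"req-3" response_time:0.002 app_id:"app-guid-1" app_index:"0"',
]


def _host(token):
    """Strip an optional :port (and IPv6 brackets) from an address field."""
    token = token.strip()
    if token.startswith("["):
        return token[1:].split("]", 1)[0]
    if token.count(":") == 1:
        return token.rsplit(":", 1)[0]
    return token


def _is_ip(host):
    """True when host parses as an IPv4 or IPv6 address ("-" and "" do not)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def client_ip_fields(line):
    """Return (source_address, x_forwarded_for) exactly as logged; "-" means suppressed."""
    quoted = QUOTED.findall(line)
    source = quoted[3] if len(quoted) > 3 else "-"
    match = XFF.search(line)
    return source, (match.group(1) if match else "-")


def client_ips(line, source_is_load_balancer=False):
    """IP addresses the line still exposes. With source_is_load_balancer=True the
    source field is skipped because it is the load balancer's own address (the
    first option above); every X-Forwarded-For hop is always checked."""
    source, xff = client_ip_fields(line)
    found = []
    if not source_is_load_balancer and _is_ip(_host(source)):
        found.append(_host(source))
    for hop in xff.split(","):          # XFF may list several hops, comma separated
        if _is_ip(_host(hop)):
            found.append(_host(hop))
    return found


def lines_with_client_ips(lines, source_is_load_balancer=False):
    """[(line_number, [ips])] for every line that still carries a client IP."""
    report = []
    for number, line in enumerate(lines, 1):
        ips = client_ips(line, source_is_load_balancer)
        if ips:
            report.append((number, ips))
    return report


if __name__ == "__main__":
    for number, ips in lines_with_client_ips(SAMPLE):
        print(f"line {number}: {', '.join(ips)}")
```

Run it over a freshly captured access log with source_is_load_balancer=True when you chose the first option (the source field is then the load balancer's own address and is not personal data) and with the default when you chose the second. Any line the report still lists was written with a client IP, so either the redeploy has not reached that router yet or the lines predate the change and are subject to your log retention.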

Diego

Diego is the container management system for PCF. For more information, see Diego Components and Architecture.

Each entry below answers the same questions for one Diego workflow: what personal data is collected, when it is collected, where it is stored, how it is processed, who has access to it, and how it can be deleted.

Business Execution

  Executing apps and tasks
    • What personal data is collected? No personal data is collected explicitly, but personal data may be encoded in app file contents or runtime metadata such as environment variables or start commands.
    • When is it collected? Runtime metadata is collected when Cloud Controller submits a work specification to the Diego BBS API. File contents are collected when Diego schedules an app or a task on a Diego cell.
    • Where is it stored? Runtime metadata is stored in the Diego BBS DB. App file contents are cached on Diego cells.
    • How is it processed? Runtime metadata is used to start processes inside app instance containers and to configure their environment. App file contents are presented as part of the app instance container filesystem.
    • Who has access to it? Platform operators and other developers with access to the Cloud Controller space containing that app can view the data.
    • How can I delete it?
      • To delete the runtime metadata stored in the Diego BBS DB, stop the app or cancel the task that includes that data.
      • To delete the app file contents stored in the running app and task containers, stop the app or cancel the task to destroy the containers. To destroy the app file contents stored in the download cache on the Diego cells, recreate the Diego cell VMs.

Reports/Logs

  SSH proxy logs Cloud Foundry user access.
    • What personal data is collected? UAA user name and ID
    • When is it collected? When the user authenticates for SSH access to an app.
    • Where is it stored? The data is stored in a log file collocated with the SSH proxy instance handling the authentication request. This log file may also have its contents forwarded to a remote syslog destination.
    • How is it processed? No processing of the local log file is done automatically. If the log file contents are forwarded to a log aggregation service, they may be parsed and processed arbitrarily.
    • Who has access to it? Only platform operators have access to the local log file. Platform operators or auditors may have access to these log contents in a downstream log aggregation service.
    • How can I delete it? To delete the log lines containing the user ID, perform the following steps:
      1. Run bosh recreate on the VMs hosting the SSH proxy processes to remove all the logs on ephemeral disk.
      2. bosh ssh into the VMs hosting the SSH proxy processes and remove specific log lines containing user IDs.
      3. Scrub corresponding log lines from any log aggregation service.
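Step 2 of the SSH proxy procedure above removes individual lines from the log file on the VM. The following helper is an added example written for this page, not part of the PCF documentation or the Diego project. It drops every line that names a given UAA user ID or username, matching identifiers only as whole tokens so that a short username does not also remove lines belonging to other users, and it rewrites the file through a temporary file and rename so an interrupted run leaves the original log intact. The sample log lines and their field names are constructed, and the log file name is an assumption.

```python
"""Remove SSH proxy log lines that reference a UAA user.

Added example for the deletion procedure above; not PCF or Diego code.
The JSON-style sample lines and their field names are constructed, and the
log file name used in the demo is assumed.
"""
import os
import re
import stat
import tempfile

# Constructed sample in the shape of an SSH proxy log; field names are assumed.
SAMPLE_LOG = [
    '{"timestamp":"1527242400","source":"ssh-proxy","message":"ssh-proxy.authenticate.success",'
    '"data":{"uaa_user_id":"6f1c2b1e-0000-4000-8000-000000000001","username":"alice@example.com"}}\n',
    '{"timestamp":"1527242401","source":"ssh-proxy","message":"ssh-proxy.authenticate.success",'
    '"data":{"uaa_user_id":"6f1c2b1e-0000-4000-8000-000000000002","username":"alice2@example.com"}}\n',
    '{"timestamp":"1527242402","source":"ssh-proxy","message":"ssh-proxy.listen",'
    '"data":{"address":"0.0.0.0:2222"}}\n',
]


def _token_pattern(identifier):
    """Match identifier only as a whole token: not embedded in a longer word,
    e-mail address or GUID (so 'alice' does not hit 'alice2@example.com')."""
    return re.compile(r'(?<![\w@.-])' + re.escape(identifier) + r'(?![\w@.-])', re.IGNORECASE)


def scrub_lines(lines, identifiers):
    """Return (kept_lines, removed_count); a line is dropped when any identifier matches."""
    patterns = [_token_pattern(i) for i in identifiers]
    kept, removed = [], 0
    for line in lines:
        if any(p.search(line) for p in patterns):
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def scrub_file(path, identifiers):
    """Rewrite the log at `path` without matching lines; returns the removed count.
    The new content goes to a temp file in the same directory and is renamed over
    the original, so a crash part-way never leaves a half-written log behind."""
    with open(path, encoding="utf-8", errors="surrogateescape") as src:
        kept, removed = scrub_lines(src.readlines(), identifiers)
    if removed == 0:
        return 0                       # nothing to change; leave the file untouched
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(prefix=".scrub-", dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8", errors="surrogateescape") as dst:
        dst.writelines(kept)
    os.chmod(tmp, mode)                # keep the original permissions (ownership is not restored)
    os.replace(tmp, path)
    return removed


def scrub_file_demo(identifiers=("6f1c2b1e-0000-4000-8000-000000000001",)):
    """Write the constructed sample to a temp file, scrub it, and return
    (removed_count, lines_left) so the end-to-end path can be checked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh-proxy.log")   # assumed log file name
        with open(path, "w", encoding="utf-8") as f:
            f.writelines(SAMPLE_LOG)
        removed = scrub_file(path, list(identifiers))
        with open(path, encoding="utf-8") as f:
            left = f.readlines()
    return removed, len(left)


if __name__ == "__main__":
    print(scrub_file_demo())   # -> (1, 2)
```

Pass both the UAA user ID and the username, since the sample shows a line can carry either; the user ID is the safer key because it is unique, while a username is only matched as a whole token so that alice does not also delete the lines for alice2. The same scrub_lines function can be applied to an export from the log aggregation service for step 3.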

Notifications Service

The Notifications Service enables operators to configure components of Cloud Foundry to send emails to end users. For more information, see Getting Started with the Notifications Service.

Each entry below answers the same questions for one Notifications Service workflow: what personal data is collected, when it is collected, where it is stored, how it is processed, and who has access to it.

Business Execution

  Sending email to UAA users
    • What personal data is collected? User ID
    • When is it collected? First email sent
    • Where is it stored? The receipts table in the Notifications database
    • How is it processed? Stored in the Notifications database
    • Who has access to it? Notifications operator making a database query

  UAA user unsubscribes globally
    • What personal data is collected? User ID
    • When is it collected? When the UAA user unsubscribes
    • Where is it stored? The global_unsubscribes table in the Notifications database
    • How is it processed? Stored in the Notifications database
    • Who has access to it? Notifications operator making a database query

  UAA user unsubscribes from a specific kind of email
    • What personal data is collected? User ID
    • When is it collected? When the UAA user unsubscribes
    • Where is it stored? The unsubscribes table in the Notifications database
    • How is it processed? Stored in the Notifications database
    • Who has access to it? Notifications operator making a database query

  UAA user unsubscribes from a campaign in the v2 API
    • What personal data is collected? User ID
    • When is it collected? When the UAA user unsubscribes
    • Where is it stored? The unsubscribes table in the Notifications database
    • How is it processed? Stored in the Notifications database
    • Who has access to it? Notifications operator making a database query

Reports/Logs

  UAA user unsubscribes
    • What personal data is collected? User email address
    • When is it collected? When the UAA user unsubscribes
    • Where is it stored? Log output
    • How is it processed? Loggregator
    • Who has access to it? Loggregator Firehose users