Adapting to GDPR

Filestack & GDPR

GDPR became effective last month, changing how businesses worldwide operate and making it one of the most critical events of 2018. At its core, GDPR enforces strict guidelines on how companies process data and makes users more aware of their privacy rights.

In the previous blog post we explained what steps we have taken to comply with GDPR, and this post will cover what product changes we made to help our customers become GDPR compliant.

Cookie-less Picker

Previous versions of the File Picker used cookies to track a user's session. Because of the nature of the Picker, these cross-origin cookies might have been perceived as user tracking. We have never tracked any of our customers’ users, and cookies were used solely to provide the best user experience.

In version 1.0 of the JavaScript SDK we have removed cookies altogether. This solved problems with cross-origin cookie support in some browsers, and you can now control your users’ session cache settings.

Metadata Removal

When you upload with Filestack, you can configure your own storage to keep files. You can choose between S3, GCS, Dropbox, Rackspace and Azure. Once the file is in your bucket and you don’t need a Filestack CDN URL, you can remove any metadata about the file from our system.

You can now do it using the standard DELETE call with the skip_storage parameter set to true like this:

curl -X DELETE 'https://www.filestackapi.com/api/file/HANDLE?key=&skip_storage=true'

Be aware that once you remove the metadata about your file from our system, you might have to use external URLs or storage aliases in order to transform them using our Processing Engine.

US-EU only CDN distribution

Filestack offers a super fast CDN for content delivery. Since May 25th (when GDPR became effective) customers have been given the option to choose between two distributions:

  • cdn.filestackcontent.com (to route traffic through Filestack’s entire global network)
  • us-eu.filestackcontent.com (to route traffic through Filestack’s North American and EU POPs only).

We can also configure domains on either global or us-eu distribution for customers that purchased or are interested in the custom CNAME functionality.

To increase security, the new distribution is available only over the TLS 1.2 protocol, in line with the PCI Security Standards Council mandate that requires the deprecation of TLS version 1.0 and recommends the deprecation of TLS 1.1.

Global CDN distribution and Filestack API will require TLS 1.2 starting June 30th.
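The metadata-removal call from the Metadata Removal section, wrapped so that curl negotiates TLS 1.2 or later and refuses malformed input. This is an added example, not Filestack's own code: the fs_* function names and the FS_DRY_RUN switch are hypothetical, and the alphanumeric check on handles and API keys is an assumption.

```shell
#!/bin/sh
# Added example. API_BASE matches the curl call shown earlier; the fs_* helpers
# and FS_DRY_RUN are hypothetical names, not Filestack tooling.
API_BASE='https://www.filestackapi.com/api/file'

# Assumption: handles and API keys are alphanumeric. Rejecting anything else
# keeps a value from adding path segments or extra query parameters.
fs_valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Print the metadata-removal URL, or return 2 on a malformed handle or key.
fs_metadata_url() {
    fs_valid_token "$1" && fs_valid_token "$2" || return 2
    printf '%s/%s?key=%s&skip_storage=true\n' "$API_BASE" "$1" "$2"
}

# Issue the DELETE. --tlsv1.2 makes TLS 1.2 the minimum curl will negotiate,
# --proto '=https' refuses plain HTTP, --fail turns HTTP errors into exit codes.
fs_delete_metadata() {
    fs_url=$(fs_metadata_url "$1" "$2") || return 2
    if [ "${FS_DRY_RUN:-0}" = 1 ]; then
        printf 'DELETE %s\n' "$fs_url"   # show the request without sending it
        return 0
    fi
    curl --fail --silent --show-error --tlsv1.2 --proto '=https' \
         -X DELETE "$fs_url"
}

# Read one handle per line on stdin; return the number of handles that failed.
fs_delete_batch() {
    fs_failed=0
    while IFS= read -r fs_handle; do
        [ -n "$fs_handle" ] || continue
        if ! fs_delete_metadata "$fs_handle" "$1"; then
            echo "failed: $fs_handle" >&2
            fs_failed=$((fs_failed + 1))
        fi
    done
    return "$fs_failed"
}
```

Run it with FS_DRY_RUN=1 first to review the requests, for example: `FS_DRY_RUN=1 fs_delete_batch "$FILESTACK_KEY" < handles.txt`, where the variable and file name are placeholders.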

ZeroTrust Authorization

Internally, we have applied the ZeroTrust authorization model to our infrastructure. This means standard access credentials were replaced with ephemeral client certificates that are scaled to the scope and context of the user’s request and are valid for only a limited time.

Security Policies and Whitelisted Domains

As always, we encourage our customers to use security policies, which can help you protect the uploading process and data delivery from unauthorized access.

You can learn how to enable security and how to generate policies in our security documentation.

Whitelisting a domain ensures that the File Picker can only be used to upload files when the uploader is opened in a browser from the domains that you have specified in your developer portal.

You can learn more about this process by visiting our whitelisting documentation.

If you have any questions about the features and tools explained above, please contact our support team.
