The European Union’s data protection authorities have approved Amazon Web Services’ (AWS) data processing agreement (DPA).
According to the National Commission For Data Protection (Luxembourg) (1) “On 6 March 2015, the CNPD issued a letter, confirming that the Data Processing Addendum of AWS was in line with the Standard Contractual Clauses of Commission Decision 2010/87/EU and acknowledging that, by using the “Data Processing Addendum” together with its annexes, AWS will make sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC. Furthermore, the Luxembourgish DPA thanked AWS for the constructive collaboration that has led to these positive conclusions.”
Amazon Web Services(2) state that “AWS data centres are built in clusters in various countries around the world. We refer to each of our data center clusters in a given country as a “Region.” Customers have access to eleven AWS Regions around the globe, including two Regions in the EU – Ireland (Dublin) and Germany (Frankfurt). Customers can choose to use one Region, all Regions or any combination of Regions.
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in a location(s) of their choice. For example, AWS customers in Europe can choose to deploy their AWS services exclusively in one of the Regions in the EU (Germany or Ireland).”
Amazon Web Services(2) further state that “AWS maintains certification with robust security standards, such as ISO 27001, SOC 1/2/3 and PCI DSS Level 1. We operate a shared responsibility model in the Cloud, under which AWS is responsible for the security of the underlying Cloud infrastructure (Security of the Cloud) and customers are responsible for the security of their data and applications (Security in the Cloud).”
It is important to remember however, that although storing data in AWS may in fact for alot of organizations help to increase their security – that this is a shared security model, yo are also still responsible for a lot of the security with regards to your infrastructure, software environment and policies.
References
1. cnpd.public.lu National Commission For Data Protection (Luxembourg) Review of Amazon Web Services (AWS), Inc.’s “Data Processing Addendum” and Annex 2 “Standard Contractual Clauses” 19-3-2015
http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html Retrieved 2/4/2015
2. Amazon Web Services AWS EU Data Protection
http://aws.amazon.com/compliance/eu-data-protection/ Retrieved 2/4/2015