Atlas Device Sync + GDPR

Hello,
I am currently evaluating Atlas Device Sync for a mobile app with respect to GDPR requirements for a German company.
The data that should be synced is non-personal, but it seems that the Atlas Sync service itself collects personally identifiable data like the client’s IP address or device identifiers.

  • How is this data handled inside of Atlas?
  • Can I prevent Atlas Sync from storing the IP address?
  • What would be measures to prevent any personal data from being transferred to MongoDB (since it’s a US company)?

There are two solutions that came to my mind in order to prevent personal data from being sent to MongoDB:
1: Encrypt Atlas with a custom KMS key that my company owns. Does this encryption include metadata (like the IP) from Atlas Device Sync?
2: Proxy the connection between the device and Atlas and remove the client’s IP address before it reaches Atlas. Is this possible? How can I configure a custom URL in the Realm Sync Configuration?

I would appreciate your thoughts and ideas on that topic. Thanks in advance.

Hello @Markus_Kieselmann, I hope someone already answered this, at least externally to the forums.

Basically, Device Sync is in fact GDPR compliant; you can find all the things it’s compliant with here: Trust Center — MongoDB Cloud Services | MongoDB

It even recently got CJIS and a higher level of FedRAMP certification, too. I’m not sure at what level CJIS is for Atlas, but it exceeds Interpol’s RPD and CCF requirements, meaning it well exceeds GDPR compliance requirements. It’s going to come down to how YOU choose to design the collections and infra around it.

FedRAMP is also heavier than Germany’s BDSG; you could probably even talk to the provisional authorities in your region of Germany about a German Government Atlas instance if enough manpower were available, etc. You never know, and honestly I’m sure MongoDB wouldn’t mind that kind of conversation.

When I worked with NATO back in 2012, I know Atlas and Firebase were both infrastructure that would have been amazing to have had available. But even without the special stuff involved with FedRAMP and CJIS, it is still GDPR compliant on its own accord as a standalone constraint. It’s even HIPAA compliant, and HIPAA exceeds the needs of GDPR and is marginally even more strict than GDPR, which in turn exceeds the CFRA and other consumer data privacy acts.

That said, in Atlas the data is locked away even from employees unless, under exclusive circumstances, permissions are given directly by the customer for emergency situations.

And to prevent data from being transferred to MongoDB in the States? The data is local to the regional datacenter you choose. If you pick Frankfurt’s DC, that’s where the data is, and it is run and operated by Germans.

Amazon FRA50, Kleyerstrasse 88-90, Frankfurt am Main 60326 is the Atlas datacenter in Germany, hosted by Amazon and manned by German-born citizens. You could always reach out to Amazon directly for any specific restrictions you need to have in place, and communicate that to MongoDB for what’s needed.

Given MongoDB is GDPR compliant, I honestly wouldn’t worry as much about that.

EDIT
And hey @Markus_Kieselmann, if you’re needing NATO compliance, I do have the contact information for the Joint Information Security, Systems, and Data Command out of Ulm, as well as NCISG out of Mons, in the Joint Support and Enabling Command Headquarters. I do have the direct lines if you need questions answered about what AWS services and third-party services are approved.

The Datacenter Europe Central-1 regions 50, 53, etc. are all approved datacenters; they do have channels within Amazon you can be directed through if you’re asking because of a NATO need. If this request for info isn’t related to NATO, you can freely just use the general consumer Atlas and normal AWS channels and be GDPR compliant based upon your configurations and what data you choose to collect.

@Markus_Kieselmann Also, if you’re asking for something related to MAD, BND, BfV, or the BKA, your company’s government liaison will already have a pre-determined list of services for you to use for your mobile application if maintaining it within the borders of Germany is required.

The BND Headquarters out of Berlin can give you the proper guidance and oversight if that’s the case.

@Markus_Kieselmann if you see this, just to let you know, I reached out to some of my contacts in Germany about whether Atlas or Realm can be used for GDPR-sensitive items.

  • Realm was deemed acceptable per BDSG guidelines, and is acceptable enough to meet the needs of the 2021 Cyber Security Strategy, but is not approved for military or militia use as per the Heer’s publication for Germany’s KdoCIR, whose findings also determined Realm was not a threat to Germany’s consumer population.

  • Germany as a nation has the means to lock down foreign internet traffic to and from any mobile application on any device not using a Germany-sourced SIM card, or to geographically lock access to the application. This would be done by the BND.

Do note a caveat to this: MongoDB support personnel are not located in Germany, so doing this would lock out MongoDB’s ability to directly provide support to your mobile application’s Realm infrastructure, while still maintaining access to your company and its services. But I’m sure you could work something out with MongoDB.

KdoCIR is experimenting with Realm as it is with other systems like it, but there’s no comment on whether or not the Heer will adopt Realm, or consider how to develop their own version of it.

EDIT
Also, under the Verbandssanktionengesetz, MongoDB cannot put in place efforts to undermine GDPR within Germany, or it can violate EU international laws and Germany’s laws, which would bring in the US State Department and DoJ. Basically, that means MongoDB as an American company can face very scary people in the US Government who can push very severe punishments domestically, in addition to EU company sanctions should they violate international laws.

Simply put, in summary: I wouldn’t have GDPR concerns when even the German Government has approved its use, and it’s presently used in a postal application to deliver and track mail, with potentially other areas of the German government formally using Realm pending stability fixes.