Is google endpoints hipaa compliance - google-cloud-endpoints

I'm not sure about this. I think I can use it for an app that needs HIPAA compliance, because the nginx container is running on GKE or GCE and these services are HIPAA compliant. Or is it not compliant?

Product Manager here.
Endpoints is not yet on Google's official list of HIPAA compliant products (available here).
We do not believe it is non-compliant, but it has not yet gone through the certification process (and we have a few products ahead of it in the queue). I'd love to bump it up in the queue; feel free to email me (ciruli at google dot com) and I will let the certification team know about the request. I can't promise a schedule or timeframe, but customer input certainly helps.

Related

HIPAA compliance in Microsoft computer vision?

Is Computer Vision already HIPAA compliant? Or, if it is not, will it be coming soon?
Edit: to further clarify: Microsoft categorizes its cloud services into categories. See here more information: https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
I am asking if Computer Vision/Cognitive Services will be added into the in scope list.
Thanks!
Microsoft Cognitive Services Vision APIs are not currently HIPAA compliant. You can stay up to date with updates and announcements via the Cognitive Services Blog.

Is Firebase Cloud Messaging HIPAA Compliant?

I want to use Firebase Cloud Messaging in a healthcare application. I want to know whether FCM is HIPAA compliant and whether it provides a BAA.
We’ve just completed the HIPAA audit with a 3rd party for a Firestore Chat sample app (iOS and Android) that’s using End-to-End Encryption. If you’re implementing a healthcare Chat app, keep reading. Otherwise, this isn’t relevant.
The challenge: if you know how E2EE works, you realize that it alone should protect your patients' data from Firebase/Firestore; apparently, lawyers don't agree with that. So we had to implement an artificial data redaction that deletes chat messages from Firestore as soon as the messages are delivered. This enables your app to qualify for HIPAA's Conduit exception, because it only acts as a message delivery system; it doesn't store permanent health data. This way, your chat solution is exempt from HIPAA.
We’ve compiled the solution into a How-to blog post: https://VirgilSecurity.com/hipaa-firebase - with pointers to reusable sample apps.
Whitepaper that contains our HIPAA audit & 3rd-party data privacy expert’s notes: https://VirgilSecurity.com/firebase-whitepaper
According to the co-founder, as of now Firebase is not HIPAA compliant.
You can take a look at the updates here: https://groups.google.com/forum/#!topic/firebase-talk/sg-WCHVXs5k

Here api Consumer Free Plan expiration

Is there an expiration to the Free Plan for here.com javascript api services?
I am developing a demo product, and cannot afford the licence to expire after I deliver it. Yet, I could not find anywhere saying when the plan expires if it ever does.
As mentioned previously, there is the Basic Plan which can be used. If no available plans suit your requirement or you have queries regarding the plan, please reach out to the HERE Sales team using the form here.

Deploying app with Crashlytics to Apple Appstore - do I need a privacy policy?

I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy, but I'm not sure that's factual since I am using Crashlytics. Any feedback from people who have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall maintain a privacy policy (a) that is readily accessible to users from its website or within its online service (as applicable), (b) that fully and accurately discloses to its users what information is collected about its users and (c) that states that such information is disclosed to and processed by third party providers like Crashlytics in the manner contemplated by the Services, including, without limitation, disclosure of the use of technology to track users' activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules and regulations relating to data collection, privacy and security, including, without limitation, the Children's Online Privacy Protection Act ("COPPA"). Crashlytics may, at its sole discretion from time to time during the Term of this Agreement, audit Developer Data to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS 8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extensions. They also require privacy policies for user registrations (more). I can't tell if any of the above is true for your app. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is only there because of global privacy regulations; these companies would most likely not care otherwise. As soon as you work with user data you are mostly under an obligation to disclose these facts. That covers personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for its compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps creating privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics without a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.

Do I need to worry about PCI compliance if I use Stripe or Authorize.net with WooCommerce? And what do I have to do?

I'd like to set up a Wordpress site and use WooCommerce. In terms of payment processors, I'd like to use either Authorize.net CIM or Stripe. At the top of each of those pages, it says that an SSL certificate is required, so based on that fact and the PCI-DSS Compliance article on the WooCommerce site, I assumed that PCI Compliance would be necessary. Is that correct?
If I do need to worry about PCI Compliance, what does that mean I need to do? I'm familiar with the 12 requirements, I just don't understand the practical implications for me.
Specifically, I understand that many of the PCI requirements are covered by the hosting provider. Other PCI requirements are covered by the coding. Both of those things I don't really have to worry about once it's set up. One thing I know I'll need to do, though, is enable SSL on the site. Is there anything else I am responsible for, though? For example, annually getting my site scanned for PCI Compliance? Managing my store in a particular way?
Any info is more than welcome! Things are a bit vague for me regarding this and PCI Compliance.
This is Stripe's response on an unofficial site:
Cristina Cordova, works at Stripe
Answered Aug 22, 2013
I work at Stripe. As others have mentioned, anyone accepting credit card payments must be PCI compliant. With many other service providers in the online payments space, becoming PCI compliant is a very complicated process requiring businesses to fill out lots of paperwork and work with several expensive third parties. With Stripe, it's easy:
1. Serve your payment page over SSL, i.e., the page's web address should begin with "https", not "http".
2. Use Stripe.js as the only means by which you accept payment information and transmit it directly to Stripe's servers.
By taking these steps, you completely avoid handling sensitive card data, and keep your systems out of PCI scope. Using SSL ensures that your pages are secure. Stripe.js makes it easy to collect credit card (and other similarly sensitive) details without having the information touch your server. Those details are sent directly to Stripe, which is a PCI Level 1 Service Provider. Assuming you've taken the steps above, Stripe can provide you with a completed Self Assessment Questionnaire, which details the means by which you're handling credit card data.
Stripe's official guidance on PCI compliance:
https://stripe.com/docs/security
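The scope reduction in the answer above rests on one condition: card data must never reach your server, only the opaque token that Stripe.js obtained from Stripe. A mis-wired checkout form or plugin that posts the raw card fields to your own backend silently breaks that condition and pulls the server into PCI scope. The following is an added example, not code from the original answer and not Stripe's own code, of a server-side guard that refuses any checkout request carrying a PAN-shaped value and accepts only a Stripe token. The field name "stripeToken", the request shapes and the use of a plain parsed body object are assumptions for the example; the "tok_" prefix is the prefix of card tokens returned by Stripe.js.

```javascript
// Added example (not from the original answer or from Stripe): a server-side
// guard enforcing the rule that raw card data never touches your server.
//
// Assumptions (not stated on the page): the checkout form POSTs a body that
// has been parsed into a plain object, and the browser has already exchanged
// the card for a Stripe.js token, sent in a field we call "stripeToken" here.

// Luhn check: true when the digit string is a structurally valid card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if a field value looks like a primary account number (PAN):
// 13 to 19 digits once spaces and dashes are stripped, and Luhn-valid.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Stripe.js card tokens are opaque identifiers beginning with "tok_"; the
// server only ever forwards them to Stripe's API.
function looksLikeStripeToken(value) {
  return typeof value === 'string' && /^tok_[A-Za-z0-9]+$/.test(value);
}

// Inspect a parsed checkout body. Accept only when it carries a token and no
// field contains a PAN-shaped value. A PAN arriving here means the integration
// has put the server in PCI scope, so the request is refused. Only the field
// names are reported, never the values, which must not end up in logs either.
function checkoutRequestIsOutOfScope(body) {
  const panFields = [];
  for (const [name, value] of Object.entries(body)) {
    if (looksLikePan(value)) panFields.push(name);
  }
  if (panFields.length > 0) {
    return { ok: false, reason: 'raw card data in fields: ' + panFields.join(', ') };
  }
  if (!looksLikeStripeToken(body.stripeToken)) {
    return { ok: false, reason: 'missing or malformed Stripe token' };
  }
  return { ok: true, token: body.stripeToken };
}

// Constructed sample requests (test data, not captured traffic). "tok_visa"
// is one of Stripe's documented test tokens; 4242 4242 4242 4242 is Stripe's
// documented test card number.
const goodRequest = { stripeToken: 'tok_visa', email: 'buyer@example.com', amount: '1999' };
const badRequest = { cardNumber: '4242 4242 4242 4242', cvc: '123', exp: '12/30' };

console.log(checkoutRequestIsOutOfScope(goodRequest)); // { ok: true, token: 'tok_visa' }
console.log(checkoutRequestIsOutOfScope(badRequest));  // { ok: false, reason: 'raw card data in fields: cardNumber' }
```

Wire the guard in front of the handler that calls Stripe with the token. It is defence in depth, not the control itself: the scope reduction comes from the browser posting card data straight to Stripe over HTTPS, and this check only makes a regression (a theme or plugin update that starts posting card fields to your origin) fail loudly instead of quietly changing your compliance position.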
