GDPR compliance
How Ory Network helps you to be GDPR compliant
Adopting Ory Network as your identity management solution represents a big step towards becoming GDPR compliant. Ory is dedicated to upholding the highest standards in data protection and also provides you with the option of hosting personal data on EU based servers.
The following GDPR checklist provides an overview of how Ory Network can bring you closer to overall GDPR compliance.
GDPR checklist
According to the EU Commission's guidelines on Rules for business and organisations, there is an extensive set of GDPR rules that affect the processing of EU citizens' personal data. The following table summarizes this aspect of the GDPR regulations and indicates the level at which Ory Network supports compliance.
| Dealing with citizens | Ory's role | Customer's role |
|---|---|---|
| Limitations on automated decision making | Ory does not make algorithmic decisions that significantly affect end users. | Your applications must avoid making purely algorithmic decisions (without human review) that significantly affect end users. |
| Right to data portability | Ory provides an API that enables you to retrieve all of the personal data for a specific user. | Any additional data you store in your own database must be retrievable by end users. |
| Right to ask for personal data to be deleted | Ory provides an API that enables you to delete personal data for a specific user. | Any user data you store in your own database must be deleted on request, followed by deletion of the related Ory user account. |
| Right to object to the processing of personal data | You can optionally customize the Ory identity schema to store consent flags. | Your application must respect a user's consent flag settings, and provide a mechanism for the user to give or revoke consent. |
| Right to request access to personal data | Ory provides an API that enables you to retrieve all of the personal data for a specific user. | If you store any personal data in your own database, it must be retrievable by end users. |
| Dealing with requests | Requests relating to personal data can be automated using Ory's API, facilitating a rapid response to the user. | Implement automated mechanisms that enable users to manage their personal data, in accordance with GDPR regulations. In particular, enabling Ory's self-service account settings flow enables users to manage most aspects of their personal data. |
| Legal grounds for processing data | Ory's role | Customer's role |
|---|---|---|
| Specific safeguards for data about children | Ory provides all of the APIs that would be needed for implementing safeguards around parental consent for processing children's personal data, but Ory cannot offer any support beyond that. | If your application is targeted at children, you must implement additional safeguards and ensure that personal data is stored only with explicit consent of a parent or guardian. |
| Consent required for third-party marketing | You can optionally customize the Ory identity schema to store consent flags and then use these flags to decide whether the personal data is processed or not. | Your application must respect a user's consent flag settings, and provide a mechanism for the user to give or revoke consent. |
| Validity of consent | By default, Ory does not process personal data in a way that requires additional consent. | There are multiple conditions that must be complied with in order for consent to be valid and, in particular, you must always provide a mechanism for the user to revoke consent. |
| Sensitive data | By default, Ory does not store or process sensitive data. | Processing of sensitive data is allowed only in special cases. |
| Data protection | Ory's role | Customer's role |
|---|---|---|
| Data protection by design | Ory protects personal data with the highest standards in data protection (for details, see Integrity and confidentiality). | The parts of your application that process personal data must also uphold high standards of data protection (including encrypted communication). |
| Data protection by default | By default, personal data is accessible only to the owner of the data. | If your application is capable of exposing personal data to other users (for example, social media), this data must remain hidden by default. |
| Obligations in the event of a data breach | Ory implements multiple technical measures to guard against data breaches and has policies in place to respond to a data breach, in the unlikely event of one occurring. | In the event of a data breach occurring, you must comply with the reporting obligations laid down in the GDPR regulations. |
| Transfer of data outside the EU | Ory provides the option of storing personal data on EU servers, with an EU based operations team, which provides the most practical way to stay in compliance with GDPR. | Transferring personal data of EU citizens outside the EU is severely restricted and is currently not permitted for most countries in the world (including the US). |
| Principles of the GDPR | Ory's role | Customer's role |
|---|---|---|
| Lawful and transparent data processing | By default, Ory uses personal data only for basic account operations, with no significant legal implications. | You must ensure that your application processes personal data in a lawful and transparent manner. |
| Specificity of purpose | By default, Ory uses personal data only for basic account operations. | There must be a specific purpose for the personal data that you collect and you must indicate this specific purpose to the user when collecting the data. |
| Data minimization | When using the default identity schemas, Ory stores just enough personal data for basic account operations. | You must store and process only the data that is needed for the purposes you have specified to the user. |
| Accuracy | When the Ory account settings self-service flow is enabled, users can directly view and manage their own personal data to keep it accurate and up-to-date. | You must ensure that a user's personal data is accurate and up-to-date. |
| Repurposing | By default, Ory stores personal data only for the purpose of basic account operations. | You must ensure that the personal data is not used for another purpose that is not compatible with the original purpose. |
| Storage limitation | Ory provides an API for deleting user accounts and, by default, records the date and time of account creation, which makes it possible to implement a storage limitation on a user's personal data. | You must ensure that personal data is stored for no longer than is necessary (this depends on the purpose for which the data was collected). |
| Integrity and confidentiality | Ory implements comprehensive technical measures to ensure data integrity and confidentiality—see Integrity and confidentiality for details. | When processing personal data in your application, you must implement technical measures to ensure data integrity and confidentiality. |
The original tables mark each regulation with a support level icon (not reproduced here), which indicates one of the following levels:
- Compliance with this GDPR regulation is mainly the responsibility of the customer.
- Ory Network is compliant and/or facilitates compliance with this GDPR regulation.
- Ory Network has special features that strongly support compliance with this aspect of GDPR.
The purpose of the preceding checklist is to help you understand how Ory Network can assist you with making your applications and systems GDPR compliant. This checklist does not list the complete provisions of the GDPR and is not a substitute for due diligence and conducting your own research. Only the text of the General Data Protection Regulation (GDPR) has legal force.
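The following Python script is an added example, not Ory's own code or documentation. It ties together four checklist items in one place: consent flags stored in a customised identity schema (the `traits.consent` object is an assumed layout, not an Ory-defined trait), an automated access/portability request that merges the Ory identity with the application's own records, an erasure request that deletes the application's rows before the Ory account in the order the table prescribes, and a storage-limitation check driven by the account creation timestamp. The admin endpoints `GET` and `DELETE /admin/identities/{id}` with a Bearer API key, and the `created_at` field on an identity, follow the Ory Kratos admin API as I understand it; confirm them against the current API reference before relying on them. The project URL, API key, identities and application rows are constructed placeholders, and the in-memory transport stands in for the Ory API so the script runs offline.

```python
"""GDPR data-subject request handling for an Ory-backed application.

Added example, not Ory's code. Assumed: Ory Kratos admin endpoints
GET/DELETE /admin/identities/{id} with a Bearer API key, and a customised
identity schema that carries consent flags under traits.consent.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed identity schema: default email/password trait plus an assumed
# `consent` object. Missing flags default to "no consent".
CONSENT_IDENTITY_SCHEMA = {
    "$id": "https://example.com/identity-with-consent.schema.json",  # placeholder
    "$schema": "http://json-schema.org/draft-07/schema#",
    "title": "Person",
    "type": "object",
    "properties": {"traits": {
        "type": "object",
        "properties": {
            "email": {"type": "string", "format": "email",
                      "ory.sh/kratos": {"credentials": {"password": {"identifier": True}},
                                        "verification": {"via": "email"}}},
            "consent": {"type": "object", "properties": {
                "marketing": {"type": "boolean", "default": False},
                "terms_accepted_at": {"type": "string", "format": "date-time"}}},
        },
        "required": ["email"],
        "additionalProperties": False,
    }},
}


class OryAdminClient:
    """Minimal client for the two admin calls the checklist relies on."""

    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # transport(method, url) -> (status, json_body); injectable for offline use
        self._send = transport or self._http

    def _http(self, method, url):
        req = urllib.request.Request(url, method=method, headers={
            "Authorization": f"Bearer {self.api_key}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def get_identity(self, identity_id):
        status, body = self._send("GET", f"{self.base_url}/admin/identities/{identity_id}")
        if status != 200:
            raise LookupError(f"identity {identity_id}: HTTP {status}")
        return body

    def delete_identity(self, identity_id):
        status, _ = self._send("DELETE", f"{self.base_url}/admin/identities/{identity_id}")
        if status != 204:
            raise RuntimeError(f"delete {identity_id}: HTTP {status}")


def has_consent(identity, purpose):
    """True only when the flag is explicitly set; absent or false means no consent."""
    return identity.get("traits", {}).get("consent", {}).get(purpose) is True


def export_personal_data(ory, app_store, identity_id):
    """Access / portability request: the Ory identity plus the app's own rows."""
    return {"ory_identity": ory.get_identity(identity_id),
            "application_data": app_store.get(identity_id, {})}


def erase_personal_data(ory, app_store, identity_id):
    """Erasure request: remove application rows first, then the Ory account."""
    had_rows = app_store.pop(identity_id, None) is not None
    ory.delete_identity(identity_id)
    return {"application_rows_removed": had_rows, "ory_identity_deleted": True}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def exceeds_retention(identity, max_age_days, now_iso=None):
    """Storage limitation: has the account outlived the retention period?"""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - _parse_ts(identity["created_at"]) > timedelta(days=max_age_days)


class InMemoryOryTransport:
    """Constructed stand-in for the Ory admin API so the example runs offline."""

    def __init__(self, identities):
        self.identities = dict(identities)

    def __call__(self, method, url):
        identity_id = url.rsplit("/", 1)[-1]
        if identity_id not in self.identities:
            return 404, None
        if method == "GET":
            return 200, self.identities[identity_id]
        if method == "DELETE":
            del self.identities[identity_id]
            return 204, None
        return 405, None


# Constructed sample identity and application-side data.
SAMPLE_IDENTITIES = {"id-0001": {
    "id": "id-0001", "created_at": "2023-01-01T00:00:00Z",
    "traits": {"email": "alice@example.com",
               "consent": {"marketing": True, "terms_accepted_at": "2023-01-01T00:00:00Z"}}}}
SAMPLE_APP_STORE = {"id-0001": {"newsletter_topics": ["security"]}}


def build_demo():
    """Fresh client, app store and fake transport for each run."""
    transport = InMemoryOryTransport(SAMPLE_IDENTITIES)
    ory = OryAdminClient("https://PROJECT-SLUG.projects.oryapis.com", "ORY_API_KEY", transport)
    return ory, dict(SAMPLE_APP_STORE), transport
```

Running `build_demo()` and then `export_personal_data` followed by `erase_personal_data` on `id-0001` walks through an access request and an erasure request end to end. The deletion order matters: if the Ory account were removed first and the application-side deletion then failed, the orphaned rows would no longer be reachable through the user's identity, so the local store is cleared before the identity is deleted.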
EU based servers
In the context of the GDPR, cross-border transfers of personal data are problematic. The GDPR rules for international data transfer are derived from the principle that "protection offered by the General Data Protection Regulation (GDPR) travels with the data". Transferring data to a third country outside the EU is therefore not generally permitted, unless the EU accepts that the destination country upholds data protection standards equivalent to GDPR. The only exceptions are for those countries the EU has certified as a safe destination for data, through a so-called "Adequacy Decision". Unfortunately, until now very few countries have been certified, and the list of certified countries does not include the US.
Hence, in most cases, in order to be GDPR compliant, your company needs to store personal data for European customers on EU based servers. With Ory Network, you can choose to store all of your identity data on EU based servers, which ensures compliance with this aspect of GDPR.
Integrity and confidentiality
The GDPR requires companies to take technical measures to ensure data integrity and confidentiality. At Ory, data integrity and confidentiality are central to our mission and we adhere to recommended industry standards and security practices to ensure your data remains safe. In particular, these measures include:
- Ory Network forces HTTPS for all services using TLS 1.2 or higher, including our public website, the Ory Console, and the Ory Network APIs to ensure data is encrypted in transit.
- Any data stored by the Ory Network is encrypted at rest using the industry best practice standard AES-256. For password storage, Ory uses salted bcrypt to ensure passwords are stored securely.
- The Ory Network implements a backup strategy to ensure regular backups are created and stored in an encrypted fashion.
Protection against data breaches
The GDPR also requires companies to protect personal data and prevent data breaches. Ory has multiple policies and technical measures in place to keep your data safe:
- Vulnerability management — Ory embeds vulnerability scans into the CI/CD pipelines and scans all containers built for deployment. In addition, at runtime all containers running in our clusters are scanned continuously to report findings. 
- Third party penetration testing — Third party pen tests are conducted on a quarterly basis to ensure regular verification of our systems and procedures. 
- Bug bounty program — Ory's disclosure and reward program supports anyone who wants to increase the security of the Ory Network by conducting external pen testing. 
- Secure cloud deployment — Google Cloud Platform provides secure and scalable infrastructure that meets Ory's strict requirements and compliance needs. 
- Logging and audit trail — Ory uses logging in its cloud network, enabling forensic analysis of potential incidents.