Sensitive data privacy / gathering

Dear Hugging Face community,

We are planning to use Hugging Face’s Enterprise Serverless Inference API for a professional document processing application. Our use case involves processing sensitive documents for legal professionals, including personal identification documents and financial records.

We have a few questions regarding data handling and compliance:

  1. Could you provide details about data retention policies when using the serverless inference API? Specifically:
    • How long are input data retained on your servers?
    • Is there an option for immediate data deletion after inference?
    • What security measures are in place during the inference process?
  2. We understand that Hugging Face is GDPR compliant, but would it be possible to get explicit confirmation regarding:
    • Data processing agreements for EU customers
    • Data storage location for EU inference requests
    • Compliance certifications relevant to handling sensitive personal data
  3. Regarding the enterprise service:
    • What are the recommended practices for handling sensitive data?
    • Are there specific endpoints or configurations for enhanced security?
    • Do you provide dedicated infrastructure for enterprise customers?

Thank you for your assistance. This information will help us ensure our implementation aligns with both our security requirements and regulatory obligations.

Hi there!

Your concerns about data handling, security, and compliance are valid, especially when dealing with sensitive documents. Hugging Face takes data privacy and security seriously, especially in enterprise environments, and here’s an overview of how we handle such requests:

  1. Data Retention Policies:

    • Input data is typically retained temporarily during the inference process and is deleted immediately after processing. This helps to ensure that no sensitive information is stored long-term.
    • Immediate Data Deletion: Yes, there is an option to delete data immediately after inference through the API. You can configure your requests to ensure that no data is retained after processing.
  2. Security Measures:

    • Hugging Face uses industry-standard encryption techniques, such as TLS encryption, to ensure that your data is securely transmitted during the inference process.
    • Additional security features like multi-factor authentication (MFA) for user accounts and role-based access control (RBAC) can be implemented for enhanced security.
  3. GDPR and Compliance:

    • Hugging Face is GDPR compliant, and we offer explicit Data Processing Agreements (DPAs) for EU customers.
    • Data related to EU inference requests is stored in EU-based data centers, ensuring that all data remains within the EU for compliance with regional regulations.
    • Hugging Face holds ISO certifications and is committed to meeting compliance standards related to the handling of sensitive personal data.
  4. Enterprise Service Recommendations:

    • Sensitive Data Handling: For optimal security, it’s recommended to:
      • Use encryption at rest to protect stored data.
      • Implement tokenization for processing sensitive data without exposing raw values.
      • Regularly audit logs to monitor access to sensitive data.
    • Enhanced Security Endpoints: Yes, we offer private endpoints for enterprise customers to ensure that your data processing remains within a secure and isolated environment.
    • Dedicated Infrastructure: For enterprise customers, Hugging Face can provide dedicated infrastructure to ensure data privacy and security are aligned with your organization’s needs.

Feel free to reach out directly to Hugging Face’s enterprise support team for further clarification on these points or to get customized configurations for your use case.

I hope this helps! Let me know if you have any more questions.
