Not a technical question but legal, and probably specific to Europe: how to make sure we’re GDPR compliant when we use the (external) push/notification service?
We’ve exposed our server to the Internet, have many happy users now who are keen on using their mobiles. What’s missing so far however is a reliable push service to alert users who receive a message. From what I know there is a service (needs to be paid for higher volume, that’s not the issue) but our Lawyer raised the concern of sending data from Europe/Germany to a 3rd party in the US including personal information, e.g. the user name. Encryption exists but is not end-to-end.
I would assume we’re not the first user group who experience that issue but I couldn’t find any prior discussions in this forums. Is there anybody else who’s facing that issue? What’s your view, and have you managed to find a legal agreement to successfully run a notification service?
on this precarious topic, there have already been several posts here, all of which have run aground.
As an alternative you could run your own push gateway (are there instructions for this?), but then you have to build the mobile clients yourself, a lot of effort, see here. But even with your own gateway, you can only bypass the gateway of rocket.chat. You still have to push from your gateway via Google or Apple to your mobile clients. And frankly, I trust the Rocket.Chat team more than Google or Apple. So in the current concept it doesn’t matter to me that the data would be pushed through the Rocket.Chat gateway in advance.
In the summary: pushes are simply a terrible dilemma. This is where we really need to gather ideas to better implement data protection and confidentiality.
Yeah, I second that, and many thanks for your initial answer. @aaron.ogle : a gateway in Europe is a good start but nonetheless we need to know what data (or metadata) exactly is going out to the push service.
I read some rocket.chat page that say “Rocket.Chat is GDPR compliant” and I very much appreciate you take that serious but the statement can hardly include the push service as-is as obviously neither you nor the (on-premise) user/admin have sufficient control over data once it goes there and (that’s what the Lawyer says) if you pass personal information to another system you’ll need to get the user agreement in advance. Since it’s a global setting that means all users.