Are my users' credentials taken abroad at any time during SSO?

Hi,

This is extremely important for my company, as in our field of work, we face very serious regulations that enforce us to keep our users’ data within the country. It is prohibited to use any kind of cloud hosting abroad for our services.

We use SSO for Discourse login, and Discourse’s business plan for hosting. What concerns me is that when I go to a user’s profile page, switch to admin view and scroll to the bottom, I can view the exact sensitive user data that we are not allowed to send abroad. I’m not that knowledgeable on this aspect, so I don’t understand if this information is taken abroad at any point in time, during or after the SSO occurs. I’d appreciate any help :slight_smile:

Abroad… from or to US?

But in general, when using SSO, Discourse, wherever its data is located, will get sensitive data such as name and email from SSO, not vice versa.

1 Like

We are located in Turkey and our Discourse is hosted in EU. Sorry that I haven’t specified this before.

So, you have to follow GDPR? None of the SSOs that Discourse is using break GDPR. But regulations from the company (and/or Turkey) can change the situation. But still… SSO doesn’t move any sensitive data — unless knowing that a user is using your forum counts as sensitive data :wink:

This is something I can’t understand:

And yet you have a business plan from Discourse. If that is really strict, you must have a self-hosted forum.

1 Like

What data? Their email address and IP number? Discourse will get them both.

For our hosted sites, you can find information about GDPR / data locality in our privacy policy at discourse.org/privacy. If you have any specific questions about the paid hosting service, please feel free to send a PM to @team or email us at team@discourse.org and we’ll be happy to help.

1 Like

Our country’s regulation (which has additional conditions for the finance industry) says that you can’t use cloud services to store a user’s sensitive information. @Jagster So we can use cloud services as long as we don’t store sensitive data there.

It is OK if only the email address is stored abroad - this alone is not considered sensitive info. Still, if at any point I store the email address together with the full name of the user, this is considered sensitive information, since the user is now identifiable as a person. I’m worried because after SSO is used for login, I can see our users’ email address and full name on the platform, and I don’t know whether this data is sent to and stored in the Discourse hosting, which would be against our local regulations.

To demonstrate the mindset with our regulations: Say, for example, a 3rd party with malicious intent gets access to the physical drives of Discourse’s cloud server in the EU. Would they be able to read our users’ full name & email together, given that they logged in with SSO?

If you can see the information in the Discourse admin UI then, yes, it is being stored on the Discourse servers. To stop Discourse storing that information, you probably need to update your SSO system so that it doesn’t transmit the sensitive information to external platforms like Discourse.

1 Like
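The advice above (only what the SSO provider puts in its reply reaches Discourse) can be made concrete with the DiscourseConnect payload format: the provider base64-encodes a query string of fields and signs it with HMAC-SHA256 over the shared secret. The example below is added here and is not code from the thread or from Discourse; `SSO_SECRET`, the function names and the sample user are constructed for illustration. It builds a minimal reply (nonce, external_id, email only) beside one that also carries the full name, so a practitioner can check exactly which fields leave the provider.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed secret for this example; in practice it is the shared
# "discourse connect secret" configured on both sides.
SSO_SECRET = b"example-shared-secret-do-not-use"


def build_sso_response(nonce, external_id, email, name=None):
    """Build the signed DiscourseConnect reply the provider redirects back to Discourse.

    Only the keys placed in `params` are transmitted. nonce, external_id and
    email are required by Discourse; name is optional and can be left out to
    keep full names on the provider's own infrastructure.
    """
    params = {"nonce": nonce, "external_id": external_id, "email": email}
    if name is not None:
        params["name"] = name
    payload = base64.b64encode(urlencode(params).encode()).decode()
    sig = hmac.new(SSO_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"sso": payload, "sig": sig}


def verify_and_decode(sso, sig):
    """What the receiving side does: check the HMAC, then decode the fields."""
    expected = hmac.new(SSO_SECRET, sso.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("DiscourseConnect signature mismatch")
    decoded = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def transmitted_fields(response):
    """Sorted list of field names that actually reach Discourse in this reply."""
    return sorted(verify_and_decode(response["sso"], response["sig"]))


if __name__ == "__main__":
    # Constructed sample user; the nonce would come from Discourse's request.
    minimal = build_sso_response("abc123", "user-42", "ayse@example.test")
    with_name = build_sso_response("abc123", "user-42", "ayse@example.test", name="Ayşe Yılmaz")
    print("minimal reply sends:", transmitted_fields(minimal))
    print("with name sends:   ", transmitted_fields(with_name))
```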

Thanks a lot, this was the answer I was looking for.

1 Like

Are you sure about your definition of sensitive information?

If you are thinking about the European Union’s GDPR, which was mentioned above, or legislation based on it, then it might be worth doing a quick internet search – as I vaguely recollect that it’s got to do with health data, religious or political beliefs etc rather than merely data that can identify a person.

1 Like

Actually it was not.

Basic information such as email and a name isn’t sensitive data in Europe. In Turkey perhaps, but the situation there is somewhat hairy anyway. But the most important thing to understand is that your Discourse is not sending the needed login data to SSO. Your Discourse is getting that data from SSO.

All you need to worry about is not to sell/give that data any further. You can store it for your needs, though. Where you store all user data matters in terms of whether you may violate GDPR. If you are following GDPR then you have to be sure that the services you are using (such as Google, Discourse as a company, email processor etc) are following GDPR. These companies mostly do.

But as said, email and name are not the kind of sensitive information that GDPR regulates. You can collect those from your users, if needed, for example to create user accounts. But you can’t use those, like emails, as you want. Use is regulated.

If you start collecting home addresses, workplaces, even marriage statuses, without reason, you breach GDPR.

So, the information you needed, but for some reason you don’t like, is that SSO has absolutely nothing to do with GDPR and EU regulations. Of course you should state that in your security statement, but that is all.

1 Like

I’ve done a quick search out of curiosity. Here’s one page of many that come up: GDPR matchup: Turkey's Data Protection Law It seems that Turkey has data protection laws that are inspired by the GDPR. The situation in relation to sensitive data and cross-border transfers doesn’t look nearly as strict as you described above.

That is only one point and it regulates only Turkish.

If they have a single ordinary EU user (B2B is a bit different), GDPR must be followed no matter where a company is located. But that is not that hard either. And still — if the policy of the company says something different, that is an in-house question (and if all clouds outside the EU are forbidden then they can’t use business Discourse either).

We would need to know more about the original poster’s situation before making categorical statements.

My bad, it’s not about sensitive information at all. It’s about any user data that can be used to identify the person. For example an email address may belong to anyone, or two people can have the exact same name; but using the two together you might much more easily pinpoint a person. I don’t know if you call this personal data, private data or just user data. It’s not about sensitive data though.

Totally the same thing when you are thinking of GDPR.

Still: Discourse is not exporting personal data to SSO. SSO is serving that data to Discourse. And what you see at Discourse is needed. It is not regulated data in the EU, and I’m totally sure it is not regulated in Turkey either.