Customer data security is paramount. The following information outlines some of the ways that customer data is protected when using IBM watsonx and what you are expected to do to help in these efforts.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation (GDPR). Clients are solely responsible for obtaining advice of competent legal counsel
as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other
capabilities described herein are not suitable for all customer situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that
clients are in compliance with any law or regulation.
HIPAA readiness
To meet HIPAA requirements, IBM introduces controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative,
physical, and technical safeguards that are required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.
HIPAA readiness applies to selected IBM services, plans, and regions:
Generative AI capabilities available with watsonx plans are not HIPAA-ready. For example, generative AI prompts or inferencing with foundation models are not HIPAA-ready.
HIPAA-readiness for machine learning assets is available when you are in the Cloud Pak for Data as a Service context, and only for these plans:
For IBM Knowledge Catalog, HIPAA readiness applies to Standard and Professional plans in the Dallas (US South) region.
For watsonx.ai Studio, HIPAA readiness applies to the Professional plan in the Dallas (US South) region.
For watsonx.ai Runtime, HIPAA readiness applies to the Standard plan in the Dallas (US South) region.
The Data Processing and Protection data sheet (Data Sheet) provides information specific to the IBM Cloud Service regarding the type of Content enabled to be processed, the processing activities involved, the data protection features, and specifics
on retention and return of Content. Any details or clarifications and terms, including customer responsibilities, around use of the Cloud Service and data protection features, if any, are set forth in this section. There may be more than one
Data Sheet applicable to a customer's use of the IBM Cloud Service based upon options selected by customer. The Data Sheet may only be available in English and not available in local languages. Despite any practices of local law or custom,
the parties agree that they understand English and it is an appropriate language regarding acquisition and use of the IBM Cloud Services. The following Data Sheets apply to the IBM Cloud Service and its available options. Customer acknowledges
that i) IBM may modify Data Sheets from time to time at IBM's sole discretion and ii) such modifications will supersede prior versions. The intent of any modification to Data Sheet(s) will be to improve or clarify existing commitments, maintain alignment to current adopted standards and applicable laws, or provide additional commitments. No modification to Data Sheets will materially degrade the data protection of an IBM Cloud Service.
See the Learn more section for links to some of the data sheets that you can view.
You, the customer, are responsible for taking the necessary actions to order, enable, or use available data protection features for an IBM Cloud Service and accept responsibility for use of the IBM Cloud Services if you fail to take such actions, including
meeting any data protection or other legal requirements regarding Content. IBM's Data Processing Addendum (DPA) and DPA Exhibits apply and are referenced in as part
of the Agreement, if and to the extent the European General Data Protection Regulation (EU/2016/679) (GDPR) applies to personal data contained in Content. The applicable Data Sheets for this IBM Cloud Service will serve as the DPA Exhibits.
If the DPA applies, IBM's obligation to provide notice of changes to Subprocessors and Customer's right to object to such changes will apply as set out in the DPA.
GDPR statement that applies to IBM watsonx.ai Runtime log files
Disclaimer: Client’s use of the deep learning training process includes the ability to write to the training log files. Personal data must not be written to these training log files as they are accessible
to other users within Client’s Enterprise as well as to IBM as necessary to support the Cloud Service.
Please pay close attention to data privacy principles when selecting a dataset for training data. Processing of PI is governed by vigorous legal requirements and is only allowed if it is based on an explicit legal basis. These regulations mandate
that PI is processed only for the purpose it was collected for. No other processing in a manner that is incompatible with this initial purpose is permissible. For these and other constraints these regulations place on your use of PI, we highly
recommend that you do not use "real" PI in your training dataset unless it is allowed or permissible. You may substitute real PI using test data that is available in the public sphere.
Secure deletion from the IBM watsonx.ai Runtime service
Anyone who has personally identifiable information and data (PII) stored as part of using the IBM watsonx.ai Runtime service has the right to obtain from the controller the erasure of that data without undue delay. The controller has the obligation
to erase personal data without undue delay where one of the following conditions exists:
There is PII data stored in the IBM watsonx.ai Runtime service
User email address and full name are stored as metadata related to the watsonx.ai Runtime repository assets.
User provided service credentials.
Repository asset content, which is usually out of watsonx.ai Runtime service control and potentially can contain any type of PII data in it. In this case, when users want to track PII data stored in assets, such as a model, they must:
Get training data reference from the model or asset metadata.
Scan training data for occurrence of PII data of particular user.
If such data can be found in the training data set, the model or asset should be considered as potentially holding this data in its content.
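The three tracking steps above, sketched as an added example (not IBM code). The metadata layout, asset ids, dataset contents and identifiers are constructed assumptions; a real scan would fetch the referenced data from wherever it is actually stored.

```python
import csv
import io
import re
import unicodedata

# Constructed sample metadata; the entity.training_data_references[].location.path
# layout is an assumption for this example, not a documented IBM schema.
MODELS = [
    {"metadata": {"id": "model-a"},
     "entity": {"training_data_references": [{"location": {"path": "churn.csv"}}]}},
    {"metadata": {"id": "model-b"},
     "entity": {"training_data_references": [{"location": {"path": "sensor.csv"}}]}},
    {"metadata": {"id": "model-c"}, "entity": {}},  # no reference recorded
]
# Constructed sample training data, keyed by the referenced path.
DATASETS = {
    "churn.csv": "id,name,contact,plan\n1,Ana Example,ANA.Example@Example.com ,gold\n"
                 "2,Bo Sample,bo@example.org,free\n",
    "sensor.csv": "ts,temp\n2024-01-01,21.5\n2024-01-02,22.1\n",
}

def normalize(value):
    """Fold case, Unicode form and whitespace so trivially different spellings match."""
    value = unicodedata.normalize("NFKC", value).casefold()
    return re.sub(r"\s+", " ", value).strip()

def training_refs(model):
    """Step 1: read the training data references from the asset metadata."""
    refs = model.get("entity", {}).get("training_data_references", [])
    return [p for p in (r.get("location", {}).get("path") for r in refs) if p]

def scan_dataset(text, identifiers):
    """Step 2: return (line_number, column) for every cell containing an identifier."""
    needles = [normalize(i) for i in identifiers if i.strip()]
    return [(line_no, column)
            for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2)
            for column, cell in row.items()
            if isinstance(cell, str) and any(n in normalize(cell) for n in needles)]

def assess(models, datasets, identifiers):
    """Step 3: mark each asset potentially_holding, clear, or unknown (data not scannable)."""
    report = {}
    for model in models:
        refs = training_refs(model)
        scannable = bool(refs) and all(r in datasets for r in refs)
        hits = [(r, *h) for r in refs if r in datasets
                for h in scan_dataset(datasets[r], identifiers)]
        status = "potentially_holding" if hits else ("clear" if scannable else "unknown")
        report[model["metadata"]["id"]] = (status, hits)
    return report
```

An asset with no recorded or reachable training data comes back as unknown rather than clear, and substring hits on short names should be treated as candidates for review rather than confirmed matches.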
There are several options that users can choose to delete their personal data permanently:
Remove the entire IBM watsonx.ai Runtime service instance from IBM Cloud. This is possible by sending an un-provisioning request via different channels, such as the IBM Cloud UI, CLI, or REST API.
For the IBM watsonx.ai Runtime service, personally identifiable information and data is removed completely from all data sources, including backups, after 30 days.