To securely manage your data when you use watsonx.governance as a Service on AWS, it is important to know exactly what data is stored and encrypted and how you can delete it.
How your data is stored and encrypted in watsonx.governance
Watsonx.governance service instance data is stored in a relational database service (RDS) on AWS and in an S3 bucket. The stored data is encrypted by using a 256-bit Advanced Encryption Standard (AES) cipher. The encryption key is owned by the watsonx.governance service.
In addition to the storage level encryption, watsonx.governance settings that are marked for encryption are further encrypted before they are stored to the relational database table. The encryption is done by using a 256-bit Advanced Encryption Standard (AES) cipher, and the encryption key is owned by the watsonx.governance service.
Watsonx.governance also uses the following security mechanisms to protect your data in transit.
- TLS 1.2+ for end-to-end communications
- mTLS for internal communications
- Web App Firewall and DDoS protection
- Ingress and egress network rules to isolate your dedicated instance
Protecting your sensitive data in watsonx.governance
The watsonx.governance service stores personal data, such as a user's email address, first name, and last name, on Amazon Relational Database Service (RDS). The data is replicated automatically from the IBM SaaS Console in the IAM service. After the data replication, the user can log in to the watsonx.governance service and view the user selector object fields.
Credentials and API keys for external integrations, such as IBM Watson® Natural Language Understanding and IBM Watson® Machine Learning, are further encrypted before they are stored to the relational database.
To protect access to your sensitive data, you can configure IP allowlisting of your service instance to limit the source IP addresses or IP address ranges that can access the service. The IP allowlisting can be configured from the Settings page of the IBM SaaS Console.
Additional sensitive data can be stored with the encrypted option of Governance console settings.
Deleting your data in watsonx.governance
When you delete your instance of watsonx.governance, all the user data that is associated with it is also deleted. When the service instance is deleted, a 30-day reclamation period begins. During that time, you're able to restore the instance and all of its associated user data by contacting Support. However, if the instance and data are permanently deleted, they can no longer be restored. Watsonx.governance does not store any data from permanently deleted instances.
The watsonx.governance data retention policy describes how long your data is stored after you delete the service. The data retention policy is included in the watsonx.governance service description, which you can find in the Terms and Notices.
Deleting a watsonx.governance instance
If you no longer need an instance of watsonx.governance, you can delete the service instance and any data that is stored. You delete instances by using the IBM SaaS Console.
Your instance data is retained for 30 days. After 30 days, it is permanently deleted.
Restoring a deleted service instance
If your instance is within the 30-day retention period, you can get it restored by submitting a support ticket.