IBM Cloud Docs
Data security

Data security

The Speech to Text service provides the following security features to help you protect your user data.

Authenticating to IBM Cloud

IBM Cloud

You authenticate to the service by using IBM Cloud Identity and Access Management (IAM). You can pass either an API key or a bearer token in an Authorization header. For more information, see Authenticating to IBM Cloud.

Authenticating to IBM Cloud Pak for Data

IBM Cloud Pak for Data

You authenticate to the service by passing an access token with each request. You pass a bearer token in an Authorization header to authenticate. Several methods exist to generate the token, including by using an API key or by username. For more information, see Authenticating to IBM Cloud Pak for Data.

Speech to Text for IBM Cloud Pak for Data is a multi-tenant cloud solution. Your credentials provide access to your data only, and your data is isolated from other users.

Basic data security

The service provides security for all user data both in motion and at rest:

  • Transport Layer Security (TLS) 1.2 is used to secure data in transit.
  • Advanced Encryption Standard (AES)-256 with Secure Hash Algorithm (SHA)-256 is used to secure data at rest.

For more information about data security for cloud applications, see Security architecture for cloud applications.

Information security

The service supports the European Union General Data Protection Regulation (GDPR) to manage user data. You can pass the X-Watson-Metadata header with a request to associate a customer ID with data that the request passes to the service. If necessary, you can then delete the data by using the DELETE /v1/user_data method. For more information about these features and their use, see Information security.

IBM Cloud For Premium plans, the service also offers US Health Insurance Portability and Accountability Act (HIPAA) readiness in the Washington, DC, (us-east) and Dallas (us-south) regions.

Request logging

IBM Cloud

The service lets you control the default request logging that is performed for all Watson services. The service logs request and response data only to improve the service for future users. The logged data is never shared or made public. No data can be exported from the service. For example, users must retain the data that they use for training custom models because it cannot be retrieved from the service.

If you are concerned about the privacy of users' personal information or otherwise do not want your requests to be logged by IBM, you can opt out of the default logging to prevent the service from logging your request and response data. If you opt out, the service logs no user data from your requests:

  • Results from synchronous HTTP and WebSocket requests are never stored to disk.
  • Results from asynchronous HTTP requests are deleted as soon as their time to live expires. For more information, see Asynchronous job retention.

You can choose to opt out of logging at either the account level or the API request level. For more information, see Controlling request logging for Watson services.

Asynchronous job retention

You use the POST /v1/recognitions method of the asynchronous HTTP interface to initiate an asynchronous speech recognition job. The service retains the results of each job until its time to live expires. The default time to live for a job is one week, though you can specify a shorter retention period.

You can also use the DELETE /v1/recognitions/{id} method to delete the results of a job. You typically delete a job after you obtain its results from the service. Once you delete a job, its results are no longer available. For more information, see Deleting a job.

Data separation and encryption

IBM Cloud

The service's Plus and Premium pricing plans offer different levels of data separation and encryption for users:

  • Plus plans are multi-tenant solutions that provide logical separation of data by using common encryption keys.
  • Premium plans are single-tenant solutions that provide physical separation of data. Premium plans provide dedicated data storage accounts that use unique encryption keys.

Users of Premium plans can also integrate with IBM® Key Protect for IBM Cloud® to create, import, and manage their encryption keys. This process is commonly referred to as Bring your own keys (BYOK). For more information about using IBM® Key Protect for IBM Cloud®, see Protecting sensitive information in your Watson service.

Network endpoints

IBM Cloud

IBM Cloud supports both public and private network endpoints with certain plans. Connections to private network endpoints do not require public internet access. Private network endpoints support routing services over the IBM Cloud private network instead of the public network. A private network endpoint provides a unique IP address that is accessible to you without a VPN connection.

Private network endpoints are supported only for paid plans. Check the plan information for your service to learn about the plans that support private network endpoints. For more information, see Public and private network endpoints.

Virtual private endpoints

IBM Cloud

IBM Cloud® Virtual Private Endpoints for Virtual Private Cloud (VPC) are available with certain plans. Virtual private endpoints enable you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC. Virtual private endpoints are an evolution of the private connectivity to IBM Cloud services. They are virtual IP interfaces that are bound to an endpoint gateway created on a per service or service instance basis.

Virtual private endpoints are supported only for paid plans. Check the plan information for your service to learn about the plans that support virtual private endpoints. For more information, see Virtual Private Endpoints.

CORS support

The service supports Cross-Origin Resource Sharing (CORS). By using CORS, web pages can request resources directly from a foreign domain. CORS circumvents the same-origin security policy, which otherwise prevents such requests. Because the service supports CORS, a web page can communicate directly with the service without passing the request through the web server that hosts the page.

For instance, a web page that is loaded from a server in IBM Cloud can call the customization API directly, bypassing the IBM Cloud server. For more information, see enable-cors.org.

Signed URLs

Signed URLs provide authentication information as a query string. Although signed URLs provide access for a limited time and with limited permissions, they allow any user with such a URL to access the service, regardless of whether that user has an account. The Speech to Text service does not support signed URLs.

FISMA support

IBM Cloud Pak for Data

Federal Information Security Management Act (FISMA) support is available for Speech to Text for IBM Cloud Pak for Data offerings as of version 1.0.1. Speech to Text for IBM Cloud Pak for Data is FISMA High Ready.

FIPS support

IBM Cloud Pak for Data

Speech to Text for IBM Cloud Pak for Data supports running on Federal Information Processing Standard (FIPS)-enabled clusters as of version 4.5.1.