Data security
The IBM Watson® Text to Speech service provides the following security features to help you protect your user data.
Authenticating to IBM Cloud
IBM Cloud
You authenticate to the service by using IBM Cloud Identity and Access Management (IAM). You can pass either an API key or a bearer token in an Authorization header. For more information, see Authenticating to IBM Cloud.
Authenticating to IBM Cloud Pak for Data
IBM Cloud Pak for Data
You authenticate to the service by passing an access token with each request. You pass a bearer token in an Authorization header to authenticate. Several methods exist to generate the token, including by using an API key or by username.
For more information, see Authenticating to IBM Cloud Pak for Data.
Text to Speech for IBM Cloud Pak for Data is a multi-tenant cloud solution. Your credentials provide access to your data only, and your data is isolated from other users.
Basic data security
The service provides security for all user data both in motion and at rest:
- Transport Layer Security (TLS) 1.2 is used to secure data in transit.
- Advanced Encryption Standard (AES)-256 with Secure Hash Algorithm (SHA)-256 is used to secure data at rest.
For more information about data security for cloud applications, see Security architecture for cloud applications.
Information security
The service supports the European Union General Data Protection Regulation (GDPR) to manage user data. You can pass the X-Watson-Metadata header with a request to associate a customer ID with data that the request passes to the service. If necessary, you can then delete the data by using the DELETE /v1/user_data method. For more information about these features and their use, see Information security.
IBM Cloud
For Premium plans, the service also offers US Health Insurance Portability and Accountability Act (HIPAA) readiness in the Washington, DC (us-east) and Dallas (us-south) regions.
Request logging
IBM Cloud
The service lets you control the default request logging that is performed for all Watson services. The service logs request and response data only to improve the service for future users. The logged data is never shared or made public. No data can be exported from the service. For example, users must retain the data that they use for training custom prompts because it cannot be retrieved from the service.
If you are concerned about the privacy of users' personal information or otherwise do not want your requests to be logged by IBM, you can opt out of the default logging to prevent the service from logging your request and response data. If you opt out, the service logs no user data from your HTTP or WebSocket requests. No user data is written to disk.
You can choose to opt out of logging at either the account level or the API request level. For more information, see Controlling request logging for Watson services.
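The following added example (not IBM's code) builds request descriptions that combine the customer-ID labelling and deletion from Information security with the request-level logging opt-out described here. The function names, BASE_URL, TOKEN and the sample path are assumptions of the example; the customer_id= header format and the X-Watson-Learning-Opt-Out header come from the linked Watson documentation rather than this page.

```python
import json
from urllib.parse import quote, urlsplit

# Constructed placeholders: substitute your own instance URL and token.
BASE_URL = "https://tts.example.test/instances/INSTANCE_ID"
TOKEN = "BEARER_TOKEN_PLACEHOLDER"


def _validate(base_url, customer_id):
    # Refuse cleartext transport so the bearer token is only sent over TLS.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("service URL must use https")
    # Assumption of this example: reject ';' and '=' (they delimit the
    # header's key=value pairs) and control characters (header injection).
    bad = any(c in ";=" or ord(c) < 0x20 or ord(c) == 0x7F for c in customer_id)
    if not customer_id or bad:
        raise ValueError("invalid customer ID")


def tagged_request(base_url, token, customer_id, method, path, payload,
                   opt_out=True):
    """Describe a request whose data is labelled with customer_id."""
    _validate(base_url, customer_id)
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "X-Watson-Metadata": f"customer_id={customer_id}",
    }
    if opt_out:
        # Request-level opt-out of the default request logging.
        headers["X-Watson-Learning-Opt-Out"] = "true"
    return {"method": method, "url": base_url.rstrip("/") + path,
            "headers": headers, "data": json.dumps(payload).encode()}


def delete_user_data_request(base_url, token, customer_id):
    """Describe DELETE /v1/user_data for everything labelled customer_id."""
    _validate(base_url, customer_id)
    query = "customer_id=" + quote(customer_id, safe="")
    return {"method": "DELETE",
            "url": f"{base_url.rstrip('/')}/v1/user_data?{query}",
            "headers": {"Authorization": f"Bearer {token}"}}
```

Each returned dictionary uses the keyword names of requests.request, so it can be sent with requests.request(**spec) once real values replace the placeholders.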
Data separation and encryption
IBM Cloud
The service's Standard and Premium pricing plans offer different levels of data separation and encryption for users:
- Standard plans are multi-tenant solutions that provide logical separation of data by using common encryption keys.
- Premium plans are single-tenant solutions that provide physical separation of data. Premium plans provide dedicated data storage accounts that use unique encryption keys.
Users of Premium plans can also integrate with IBM® Key Protect for IBM Cloud® to create, import, and manage their encryption keys. This process is commonly referred to as Bring your own keys (BYOK). For more information about using Key Protect, see Protecting sensitive information in your Watson service.
Network endpoints
IBM Cloud
IBM Cloud supports both public and private network endpoints with certain plans. Connections to private network endpoints do not require public internet access. Private network endpoints support routing services over the IBM Cloud private network instead of the public network. A private network endpoint provides a unique IP address that is accessible to you without a VPN connection.
Private network endpoints are supported only for paid plans. Check the plan information for your service to learn about the plans that support private network endpoints. For more information, see Public and private network endpoints.
Virtual private endpoints
IBM Cloud
IBM Cloud® Virtual Private Endpoints for Virtual Private Cloud (VPC) are available with certain plans. Virtual private endpoints enable you to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, allocated from a subnet within your VPC. Virtual private endpoints are an evolution of the private connectivity to IBM Cloud services. They are virtual IP interfaces that are bound to an endpoint gateway created on a per service or service instance basis.
Virtual private endpoints are supported only for paid plans. Check the plan information for your service to learn about the plans that support virtual private endpoints. For more information, see Virtual Private Endpoints.
CORS support
The service supports Cross-Origin Resource Sharing (CORS). By using CORS, web pages can request resources directly from a foreign domain. CORS circumvents the same-origin security policy, which otherwise prevents such requests. Because the service supports CORS, a web page can communicate directly with the service without passing the request through the web server that hosts the page.
For instance, a web page that is loaded from a server in IBM Cloud can call the customization API directly, bypassing the IBM Cloud server. For more information, see enable-cors.org.
Signed URLs
Signed URLs provide authentication information as a query string. Although signed URLs provide access for a limited time and with limited permissions, they allow any user with such a URL to access the service, regardless of whether that user has an account. The Text to Speech service does not support signed URLs.
FISMA support
IBM Cloud Pak for Data
Federal Information Security Management Act (FISMA) support is available for Text to Speech for IBM Cloud Pak for Data offerings purchased on or after 30 August 2019 (version 1.0.1). Text to Speech for IBM Cloud Pak for Data is FISMA High Ready.
FIPS support
IBM Cloud Pak for Data
Text to Speech for IBM Cloud Pak for Data supports running on Federal Information Processing Standard (FIPS)-enabled clusters as of version 4.5.1.