Security & privacy
Deployment models overview
When you integrate with Labelbox, you have three deployment models to choose from. Your options for security provided by Labelbox depend on the type of deployment model you choose.
With the cloud model, Labelbox offers data storage services and enterprise-grade security for all raw assets and labeled data stored in the Labelbox cloud. The cloud solution offers more accessibility to our most advanced features than the hybrid or on-prem deployment models.
With the hybrid cloud integration, customers have sole access to their raw assets while still enabling labeling operations in Labelbox. In this configuration, Labelbox cannot access the raw assets.
In the on-premise (on-prem) model, all of the customer’s data (raw data and labeled data) is hosted entirely on the customer’s servers. Labelbox does not have access to your data and can only provide limited support.
Data access & storage
As part of our privacy program, individuals can request to access, obtain a copy, delete, and update the personal data that Labelbox holds. Individuals that wish to make such a request must first complete an intake form.
Labelbox uses Google Cloud Services for cloud storage and all data is stored in the US. If your data is hosted on our servers, we use a CDN which provides geoloading as close to the location as possible. Labelbox does not store data in the EU and will not do so on request.
Below are the data access and storage details for each deployment model.
In this model, Labelbox has access to the raw assets and label data in order to provide you with our most advanced features. We require that you import your raw data directly to Labelbox, meaning that your raw data is stored on Labelbox servers. Labelbox uses Google Cloud Services to store your data and adheres to strict security measures to ensure all of your data is encrypted at rest and in transit.
All user data is stored in private buckets and Labelbox generates signed URLs to render assets in the Labelbox browser tool for your labeling team to view and label. The standard expiration value for these signed URLs is 1 day. Each labeler only has access the labels they create and to the asset URLs in their queue.
In this configuration, only the customer can access the raw assets. Labelbox only has access to the label data, i.e. the annotations made on the raw assets, but Labelbox has no access to the raw assets. When you opt in for hybrid cloud, your labeled data is stored on Labelbox servers. Instead of importing your data directly, you are responsible for providing Labelbox with a URL for each asset to load in the browser tool.
Since the user is only passing a URL, no data is actually being transferred from your existing cloud storage to Labelbox.
Here are security practices some of our users choose to enforce when they opt for the hybrid cloud solution:
- Generate signed URLs. For instructions, see How to generate signed URLs. [RECOMMENDED]
- Enforce IP range restrictions
- Protect your data with VPN
Labelers in your project will only have access to the labels they create. When you generate your signed URLs, you can set the expiration value for your assets to protect your data that is rendered in the Labelbox app.
When you install the Labelbox on-prem, Labelbox does not have any access to your assets or labeled data. While Labelbox can provide you with guidance for configuring workforce with an on-prem deployment, we are not able to provide you with the security services offered with the cloud or hybrid cloud solutions when you connect a workforce. For users that have security requirements to protect highly sensitive data, an air-gapped version of the on-prem installation is available.
If you choose to add a workforce to your on-prem Labelbox application, each labeler would need to be added to your organization in order for them to access and label your assets. In this case, it is the user’s responsibility to provision user accounts for each labeler in the workforce.
Labelbox does not sell customer or end-user personal data. We share personal data with our third party service providers for our business purposes, but we do not share this information for monetary value or other valuable consideration. See our Privacy Notice to learn more.
Upon request, Labelbox can export your data to give to you and permanently delete all of your data from our servers.
All labeled data, assets, and private user information hosted by Labelbox is encrypted at rest using AES-256. Labelbox uses Google Cloud for cloud storage, which means that your data will be encrypted on the server side using GCP’s default encryption keys. Data is automatically decrypted when read by an authorized user.
To ensure that our privacy-sensitive data does not get compromised, Labelbox uses Auth0 for authentication.
Single sign-on (SSO) is available and configured by our engineering team on a case-by-case basis.
Labelbox is fully committed to protecting the personal data that we collect, use, and process. Our comprehensive privacy program helps us meet our obligations under applicable privacy and security laws and regulations, and to safeguard the personal data of our employees and customers. To learn more about our privacy practices and how we comply with CCPA and GDPR, see our Privacy FAQ.