Privacy and Security
This page outlines Fabric’s key security and privacy information. Whether you’re looking to kick off a new project with Fabric, or curious about how Fabric works with your existing project, read on to see how Fabric can help protect you and your users.

Data Protection
Fabric is GDPR ready
Fabric offers Data Processing and Security Terms
Fabric’s privacy and security certifications
Data collection policies
Identifiable data collected
Development guides
Exporting data
Security information
Security practices
Data Protection
Fabric is GDPR ready
On 25 May 2018, the EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. We’re committed to helping our customers succeed under the GDPR. The information in this article describes some of the important privacy and security properties available and planned for Fabric customers to be ready for GDPR.

The GDPR imposes obligations on data controllers and data processors. Fabric customers typically act as the “data controller” for any personal data they provide to Google in connection with their use of Fabric, and Google is, generally, a “data processor”.

This means that data is under the customer’s control. Controllers are responsible for obligations like fulfilling an individual’s rights with respect to their personal data. To understand your responsibilities as a data controller, you should familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Key questions to consider:

How does your organisation ensure user transparency and control around data use?
Are you sure that your organisation has the right consents in place where they are needed under the GDPR?
Does your organisation have the right systems to record user preferences and consents?
How will you show to regulators and partners that you meet the principles of the GDPR and are an accountable organisation?
Fabric offers Data Processing and Security Terms
When a customer is using Fabric, Google is generally a data processor and processes personal data on behalf of the customer. Effective March 27th, Fabric’s Terms of Service offers a standard Data Processing and Security Terms (DPST) for all Fabric customers.

Fabric’s privacy and security certifications
Fabric is certified under the following privacy and security standards:

Privacy Shield Framework certification

Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

SOC certification

All Fabric products are certified as SOC 2 compliant. For more information, see https://fabric.io/terms/faq#certifications.

Data Collection Policies
Identifiable data collected
Fabric services process some of your end users’ personal data to provide the service to you. The chart below has examples of how various Fabric services use and handle end-user personal data.

Answers
Effective with SDK versions 1.3.7 on iOS or 1.4.2 on Android and higher.

Personal Data collected:
Installation UUID
IP Addresses - once received it is geo-coded to a city and displayed on Audience Insights map for 10 seconds. Retained temporarily.
For versions prior to 1.3.7 on iOS and 1.4.2 on Android:
Installation UUID
Secure Android ID
Mobile ad IDs
IP Addresses - once received it is geo-coded to a city and displayed on Audience Insights map for 10 seconds.
How data helps provide the service:
Provides customers with analytics information based on segmented device data. IP addresses are used to provide geolocation information to customers.
Retention:
Answers retains Installation UUID data for 90 days.
Beta
Personal Data collected:
User information - name and email address provided by application’s customer.
UDID on iOS
Secure Android ID
GCM Token
How data helps provide the service:
Helps customers distribute app builds to testers, monitor beta tester activity, and associate Crashlytics data with specific beta testers.
Retention:
User information is stored until requested for deletion by the customer and then removed within 180 days.
Crashlytics
Personal Data collected:
Installation UUID
Crash traces
How data helps provide the service:
Helping a customer associate crash data with specific instances of their app.
Retention:
Crash traces and their associated identifiers are kept for 90 days.
Development Guides
The services listed above need some amount of end-user personal data to function. As a result, it’s not possible to entirely disable data collection while using those services.

If you’re a customer who would like to offer users a chance to opt-in to a service, and the data collection that comes with it, in most cases that just requires adding a dialog or settings toggle before using the service.

Fabric starts up automatically when included in an app. To give users a chance to opt-in before using those services, you can choose to gain user consent before initializing Fabric. Here are guides for iOS and Android that show ways you may accomplish this.

Exporting data
Depending on your needs, you may want to export your app’s data or customers of your app. Here’s how to do for the following products:

Exporting Data¶
Answers	Please contact support if you need assistance.
Beta	From your Beta dashboard, click on Export Testers.
Crashlytics	In the future, Crashlytics will support an export. In the meantime, please contact support if you need assistance.
Security information
Security practices
To keep personal data safe, Fabric employs extensive security measures to minimize access:

Fabric encrypts user data in transit and at-rest.
Fabric restricts access to a select group of employees who have a business purpose to access personal data.
Fabric logs employee access to systems that contain personal data.
Fabric conducts background checks on all employees.