DSR-S: How to Deploy and Set Up DSR-S in GCP

What is Ethyca DSR-S? What are the steps to set up my own GCP storage?

Ethyca's DSR-S application allows customers to securely store their Data Subject Request download files on their own managed infrastructure.

  1. Your customer (a "Data Subject") puts in a request to download or erase their data in your Privacy Center (privacy.<yourdomain>.com)
  2. Ethyca stores all the Data Subject Requests (DSRs) that come into your Privacy Center
  3. Ethyca's Atlas, deployed in your infrastructure, polls Ethyca's web services to retrieve the queue of DSRs for your organization
  4. When complete, Ethyca's Atlas returns an object of aggregated responses from the databases to Ethyca's web services
  5. Ethyca fetches data for each DSR from each of your configured 3rd party SaaS Data Integrations
  6. Ethyca aggregates both the response from Atlas and each of your Data Integrations and sends the final package to Ethyca's DSR-S
  7. Ethyca's DSR-S then sends the final downloadable package to be stored in your desired cloud storage system (ie: AWS S3, GCP Cloud Storage, Azure Cloud Storage)
  8. At the same time, the Data Subject is notified that their DSR is ready via an email containing a URL with a downloadable ZIP file
  9. Using the URL provided, which Ethyca proxies to your storage system, the Data Subject downloads the data to retrieve the package and return it to the user to save locally on their desktop

This guide will outline the steps to deploy and configure DSR-S in 4 steps:

  1. Configure Authentication/Authorization for DSR-S
  2. Download the Ethyca DSR-S Docker Image
  3. Deploy DSR-S
  4. Validate your deployment

Deployment Prerequisites

  • A command-line environment (preferably Linux) to run CLI commands
  • Ability to securely receive API keys for AWS ECR from Ethyca
  • Ability to run the docker commands/launch docker images
  • Access to a test subject’s email for the purpose of requesting data from the Privacy Center, validating Multi-Factor Authentication (MFA), and verifying the final data
  • Administrative access to customer’s Control Panel to approve the test subject’s DSR request

Configuring Authentication/Authorization for DSR-S

There are a number of ways to give Ethyca's DSR-S access to your GCP cloud storage, below outlines the currently supported method:

Authenticate DSR-S using GCP Service Account

Step 1. Log into your GCP Storage Account and navigate to "Settings."


Step 2. Select the "Interoperability" tab.


Step 3. Click "Create a key for another service account" to create a service account for Ethyca DSR-S.


Step 4. Enter a descriptive name, such as ethyca-dsrs-QA, and click "create."


Step 5. Navigate to the IAM console and access the Service Account Menu.


Step 6. Select the service account you want to provision access for. Click the 3 dots on the right and select"Create Key."


Step 7. Select "JSON" as the format for your key and press "Create."


Step 8. Your key will be downloaded to a .json file locally.


Deploying DSR-S

Ethyca's DSR-S and the configuration tool are provided as Docker images. Instructions include details of steps needed for downloading the software images.

Your Ethyca Customer Success Manager will provide you the following information for your Environment Variable Properties file:

  • Link to Ethyca's Docker Hub Public Repo
  • atlas.ethyca.api.key for your deployed DSR-S to connect to Ethyca’s APIs, and as such, Ethyca will issue you the API key
  • Your unique organization name

Step 1. Pull down the latest image from the Ethyca DSR-S Docker Repo.
Use the following command to pull down the latest image from the public Ethyca DSR-S docker repository:

docker pull ethyca/dsrs

Step 2. Deploy your DSR-S image

docker run -it \
     -e dsrs.organization=<ETHYCA-PROVIDED ORGANIZATION NAME> \
     -e dsrs.api.key=<YOUR OWN API KEY> \
     -e dsrs.url=https://<URL TO YOUR DSR-S INSTANCE> \
     -e dsrs.ttl.hours=24 \
     -e dsrs.ethyca.url=https://api.ethyca.com \
     -e dsrs.ethyca.api.key=<ETHYCA-PROVIDED API KEY> \
     -e dsrs.storage.type=gcp \
     -e dsrs.storage.path=<YOUR GCP STORAGE>/<PATH HERE> \
     -e dsrs.storage.gcp.credentials.path=</path/to/my/google/credentials.json>
     -p 8080:8080 \
--name dsrs-rest ethyca/dsrs:latest <OR YOUR DOCKER IMG PATH & NAME>

The following settings can be modified to customize your deployment:

dsrs.ttl.hours=24 : this is the expiration time in hours that your DSR download package will be available to the user. The default is 24-hours.

dsrs.storage.path: this is the canonical path that your DSR zip files will be stored in.

The Finishing Touches

🚨Do not forget to safe-list or open bidirectional communication to Ethyca hosted services at api.ethyca.com

Validating your Deployment

Once DSR-S is up, the service can be validated using the following rest commands:

$ curl --header "Authorization: <ETHYCA-PROVIDED API KEY>" \
     --header "Content-Type: application/json" \
     --data '{"organizationName":"<ETHYCA-PROVIDED ORGANIZATION NAME>","apiKey":"<YOUR OWN API KEY>","url":"https://<YOUR DEPLOYED URL>,"ttl":24}' \
     -X POST https://api.ethyca.com/dsrs


Please contact [email protected] or your dedicated Customer Success Manager if you require any technical assistance for the installation or configuration of Ethyca's DSR-S.