Labelbox documentation

Access & storage

As part of our privacy program, individuals can request to access, obtain a copy, delete, and update the personal data that Labelbox holds on that individual. Individuals that wish to make such a request must first complete an intake form.

Labelbox uses Google Cloud Services for cloud storage and all data is stored in the US. If your data is hosted on our servers, we use a CDN that provides geoloading as close to the location as possible. Labelbox does not store data in the EU and will not do so on request.

Read the sections below to learn how Labelbox accesses and stores your data based on the Labelbox deployment model you choose.

Cloud

When you import your data directly to the Labelbox cloud, it is stored on Labelbox servers, giving Labelbox access to your data. Labelbox stores your data and annotations in private buckets in Google Cloud Services.

To display assets in the browser interface, Labelbox generates signed URLs for each file, then loads the assets in the Editor. The standard expiration value for these signed URLs is 1 day. Labelers on your team only have access to the labels they create and to the asset URLs in their label queue.

Labelbox adheres to strict security measures to ensure all of your data is encrypted at rest and in transit.

Hybrid Cloud

The Hybrid Cloud solution allows you to keep your data in your existing cloud storage and upload your data via private (or public) URLs. The three implementations for Hybrid Cloud are Delegated Access, customer-secured URLs, and public URLs. Please note that, regardless of the Hybrid Cloud solution you choose, the annotation data created in the Labelbox labeling interface will be stored on Labelbox servers.

  1. With Delegated Access, you can keep your assets in your AWS cloud storage and configure Identity and Access Management (IAM) roles and policies to grant Labelbox read-only access to the data in your S3 bucket. Labelbox assumes the role you create for it in your AWS account, generates signed URLs to access the data in your S3 bucket, and releases/deletes assets from our servers as soon as processing completes. The expiration time for these signed URLs is set to 15 minutes. At any time, you can invalidate all active signed URLs by removing the GetObject permission from your AWS role's permission policy. IP whitelisting, restricting access to your assets by only allowing requests from certain IP ranges, is still possible with Delegated Access as long as you grant the Labelbox backend (35.223.142.181) access to your assets. To learn how to do this, see these AWS docs. Delegated Access assets are served directly from customer S3 buckets, so no CDN caching occurs. To control browser caching, you can configure various cache-related headers on your S3 bucket (to learn more see these AWS docs). Currently, all asset processing is performed in US-based datacenters.

  2. You can also upload private URLs by securing the URLs yourself via signed URLs and/or IP whitelisting. If you choose to secure your URLs with IP whitelisting, you'll need to grant the Labelbox backend (35.223.142.181) access in order to use our more advanced labeling tools.

  3. If you do not need to import private URLs, you can still upload public URLs to your cloud-hosted data. Uploading URLs this way means your URLs are public to the internet. See Privacy Notice for more information.

On-prem

When you install Labelbox on-prem, Labelbox does not have any access to your assets or annotation data. While Labelbox can provide you with guidance for configuring a Labelbox workforce with an on-prem deployment, we are not able to provide you with the security services offered with the cloud or hybrid cloud solutions when you connect a workforce. For users that have security requirements to protect highly sensitive data, an air-gapped version of the on-prem installation is available.

Usage

Labelbox does not sell customer or end-user personal data. We share personal data with our third-party service providers for our business purposes, but we do not share this information for monetary value or other valuable consideration. See our Privacy Notice to learn more.

Portability

Upon request, Labelbox can export your data to give to you and permanently delete all of your data from our servers.

Security

All labeled data, assets, and private user information hosted by Labelbox are encrypted at rest using AES-256. Labelbox uses Google Cloud for cloud storage, which means that your data will be encrypted on the server-side using GCP’s default encryption keys. Data is automatically decrypted when read by an authorized user.

To ensure that our privacy-sensitive data does not get compromised, Labelbox uses Auth0 for authentication.

User identity

Single sign-on (SSO) is available and configured by our engineering team on a case-by-case basis.

Regulatory compliance

Labelbox is fully committed to protecting the personal data that we collect, use, and process. Our comprehensive privacy program helps us meet our obligations under applicable privacy and security laws and regulations, and to safeguard the personal data of our employees and customers. To learn more about our privacy practices and how we comply with CCPA, GDPR, and SOCII Type II, see our Privacy FAQ.