Security Statement for Jupyter

[reicoco212]

Hello Jupyter Security team,

I'm an IT associate from BSR, a non-profit organization working on global social issues, and one of my users is requesting to install Jupyter on her laptop as she finds it very useful for her work.

Every time the user requests Apps that has not been approved by BSR IT, we check the software security statement of the App to confirm whether it is aligned with the Californian CCPA Data Processing Agreement before the installation.

I searched for the security statement on your website but couldn't find it anywhere. Would it be possible to obtain the statement anywhere or have the contact email address to make a further inquiry?

I would appreciate your advice very much.

Thank you for your assistance.

Kind Regards,

Reiko Aruga
Email: [email protected]

[Carreau]

As far as I understand this is not necessary, there is no data exchange between the user and the jupyter team/developers/infrastructure, not any type of data usage collection with third party services. That is to say we do not collect (or process) any data regarding who installs, or how they use Jupyter; we do not store customer records, or billing information.

Depending on how you install jupyter (apt, pip, conda), the server from which you download it may count the number of downloads, but that's about it.

For security reasons, if you are using JupyterLab it may every now and then:

• Check a static url to know whether there is a new (security) update and warn you to update.
• Check an atom.xml feed to display news to user (URL configurable if you deploy it on premises: https://jupyterlab.readthedocs.io/en/stable/user/announcements.html)

None of these URL collect information about who access them, but if you really want you an deactivate those (I even believe they are deactivated by default and ask you en first launch if you want to check update and new, to which you can reply no).

Beyond that, Jupyter is a local software that does not make any contact with external services unless the user explicitly asks to fetch a network resource like downloading a dataset, and even then this is does not go through any of our services.

Does that help ?

[krassowski]

Also, see a related discussion: https://discourse.jupyter.org/t/jupyterhub-and-jupyterlab-cookies-privacy-policy/27170 and linked:

• https://jupyterlab.readthedocs.io/en/stable/privacy_policies.html
• https://jupyter-server.readthedocs.io/en/latest/operators/security.html#security-in-the-jupyter-server

In general it is hard to give a single answer for the entire "Jupyter" as there is multiple applications (like Notebook, JupyterLab, JupyterHub, JupyterLab Desktop) and each utilises a specific set of technologies. However, official Jupyter software is written with privacy-first approach. Just be mindful that this may not be the case when using third-party integrations of Jupyter.