Advice and answers from the LightTag Team

Go to LightTag


Common Questions About LightTag-on-AWS

Written by Tal Perry. Updated over a week ago

Thanks for your interest in the LightTag-on-AWS. This guide will answer some high level questions you might have. 

What is LightTag-on-AWS and who is it for ? 

LightTag-on-AWS is the same LightTag text annotation software as the SaaS, but shipped in an Amazon Machine Image that you can run on your own AWS account and infrastructure. 

LightTag-on-AWS is right for you if you need to label data, but can't or don't want to share the data with a third party. In a nutshell, with LightTag-on-AWS your company is the only entity that ever sees the data being labeled

How is it different from LightTag SaaS

Mostly in that it's not SaaS, e.g. LightTag-on-AWS is not a managed service. In the SaaS option, we are responsible not only for excellent software, but also for infrastructure and security. With LightTag-on-AWS, you still have best in class labeling tools though you are responsible for deploying, operating and securing them. 

In a nutshell, if you don't have a security/compliance requirement to self host the data, you're probably better off with the SaaS. If you do have such requirements, this is the solution for you. 

What is an AMI ? 

An AMI is short for Amazon Machine Image, and is the AWS format to share images of machines. LightTag-on-AWS comes as an AMI, with a snapshot of everything you need to operate a LightTag instance. 

What's inside the AMI ? 

LightTag :-).
When you send a request to LightTag-on-AWS, that request is processed by traefik to one of a few different containers such as the UI or the server API. There is also a database in there and all of that sits on top of Amazon Linux 2

Do you have an offering on the AWS marketplace ? 

We're working on it. You can help us get there faster by asking your account rep to expedite our onboarding. 

How does the license work ? 

Your License key (the thing you enter to activate your instance) is tied to a subscription in our billing system. Once you enter a license key, that subscription is tied to the AWS instance you launched LightTag on, so you can't have two instances of LightTag running on a single license.
LightTag periodically talks to the billing system to see that the license is in good standing. 

Where is my data stored ? 

Great question. It's stored on the AWS instance in your account and no one can see it but you. 

How do I backup my data ? 

You make a snapshot of your LightTag-on-AWS instance. AWS has a tutorial on how to automate this

Can LightTag, Inc see my data ? 


What data does LightTag see ? 

You're LightTag-on-AWS instance sends back some information to our servers. Specifically, it sends usage statistics (# Active Users, # Annotations Made etc) and error reports if any happen. Error reports to not contain any of your data. 

Additionally, the UI sends error reports to our servers in case of an error. Again, the error reports do not contain any of your data.

Is this secure ? 

LightTag and LightTag-on-AWS handle sensitive data and thus are built with security as top concern. We follow and adhere to the latest security best practices. LightTag-on-AWS particularly ships with the smallest possible attack surface. 

Since LightTag-on-AWS is software that you operate and manage, the final security posture is your responsibility. See our security documentation and SSL implementation guide for additional details. 

Is this HIPAA Compliant ? 

HIPAA defines seven rules. In a self hosted setting such as with LightTag-on-AWS the majority of the rules govern your organizations practices and processes which are independent of LightTag-on-AWS. More specifically, HIPAA deals with a "covered entity" dealing with PHI. When using LightTag-on-AWS your organization (and AWS) are the only covered entities. 

With that in mind, the HIPAA security rule defines four Technical Safeguards which are detailed below with information about how LightTag-on-AWS addresses them. 

Access Control

A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI)

LightTag and LightTag-on-AWS implement modern authentication and authorization processes.

Audit Controls

A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.25

LightTag-on-AWS addresses HIPAA Audit Controls in two ways.
First, our logging infrastructure records every request made to LightTag-on-AWS. 

Second, LightTag's datastore follows an  immutable  append-only pattern such that the sequence of access, appends. updates etc. is always available. 

Integrity Controls

A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed

As mentioned with regards to Audit Controls, LightTag's datastore follows an  immutable  append-only pattern such that the sequence of access, appends. updates etc. is always available. 

Transmission Security

A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Transmission security is your responsibility. In particular, it is your responsibility to implement SSL. For information on how to do so please so see our SSL guide

Is there a difference in functionality between LightTag-on-AWS and the SaaS version ? 

LightTag-on-AWS is a snapshot of the SaaS and is feature equivalent to it. However, we periodically ship new features to the SaaS product which do not arrive automatically in LightTag-on-AWS.
Your eligibility for product updates and the mechanism for receiving them will be defined in your service agreement with LightTag, Inc. 

What Happens if there is a problem and I need support ?