Merge pull request segmentio#5342 from segmentio/master

forstisabella · web-flow · commit 8f09fac225e1 · 2023-09-13T13:42:44.000-04:00
cascading changes from one-off
diff --git a/src/_data/products.yml b/src/_data/products.yml
@@ -165,3 +165,11 @@ items:
     business: true
     add-on: false
 
+- product_display_name: HIPAA Eligible Segment
+  slug: hipaa-eligible
+  plan-note: "HIPAA eligible workspaces require a Business Assosciate Addendum."
+  plans:
+    free: false
+    team: false
+    business: true
+    addon: true
diff --git a/src/_includes/content/connection-modes-intro.md b/src/_includes/content/connection-modes-intro.md
@@ -2,6 +2,15 @@ Segment's web source (Analytics.js), and native client-side libraries (iOS, Andr
 
 - **Cloud-mode**: The sources send data directly to the Segment servers, which then translate it for each connected downstream destination, and send it on. Translation is done on the Segment servers, keeping your page size, method count, and load time small.
 
+  <div class="premonition info">
+    <div class="fa fa-info-circle"></div>
+    <div class="content">
+      <p class="header">Healthcare and Life Sciences (HLS) customers can encrypt data flowing into their destinations</p>
+      <p> HLS customers with a HIPAA eligible workspace can encrypt data in fields marked as Yellow in the Privacy Portal before they flow into an event stream, cloud mode destination.
+      <br>To learn more about data encryption, see the <a href="/docs/privacy/hipaa-eligible-segment/#data-encryption">HIPAA Eligible Segment documentation</a></p>
+    </div>
+  </div>
+
 - **Device-mode**: You include additional code on your website or mobile app which allows Segment to use the data you collect on the device to make calls directly to the destination tool's API, without sending it to the Segment servers _first_. (You still send your data to the Segment servers, but this occurs asynchronously.) This is also called *wrapping* or *bundling*, and it might be required when the source has to be loaded on the page to work, or loaded directly on the device to function correctly. When you use Analytics.js, you can change the device-mode destinations that a specific source sends from within the Segment web app, without touching any code.
 
 
diff --git a/src/connections/destinations/add-destination.md b/src/connections/destinations/add-destination.md
@@ -2,13 +2,17 @@
 title: Sending Segment Data to Destinations
 ---
 
-You've decided how to format your data, and collected it using [Segment Sources](/docs/connections/sources/). Now what do you do with it? You send the data to Destinations!
+You've decided how to format your data, and collected it using [Segment Sources](/docs/connections/sources/). Now what do you do with it? You send the data to Destinations.
 
 Destinations are tools or services which can use the data sent from Segment to power analytics, marketing, customer outreach, and more.
 
 > info ""
-> Each Segment Workspace has its own set of destinations, which are connected to the workspace's sources. When you add or modify a destination, make sure you're working with the correct workspace!
+> Each Segment Workspace has its own set of destinations, which are connected to the workspace's sources. When you add or modify a destination, make sure you're working with the correct workspace.
 
+> info "Healthcare and Life Sciences (HLS) customers can encrypt data flowing into their destinations"
+> HLS customers with a HIPAA eligible workspace can encrypt data in fields marked as Yellow in the Privacy Portal before they flow into an event stream, cloud mode destination.
+>
+> To learn more about data encryption, see the [HIPAA Eligible Segment documentation](/docs/privacy/hipaa-eligible-segment/#data-encryption).
 
 ## Adding a destination
 
@@ -58,21 +62,21 @@ You can use the Segment Public API to add destinations to your workspace using t
 
 Adding a destination can have a few different effects, depending on which sources you set up to collect your data, and how you configured them.
 
-#### Analytics.js
+### Analytics.js
 
 If you are using [Segment's JavaScript library, Analytics.js](/docs/connections/sources/catalog/libraries/website/javascript/), then Segment handles any configuration changes you need for you. If you're using Analytics.js in cloud-mode, the library sends its tracking data to the Segment servers, which route it to your destinations. When you change which destinations you send data to, the Segment servers automatically add that destination to the distribution list.
 
 If you're using Analytics.js in device-mode, then Analytics.js serves as a wrapper around additional code used by the individual destinations to run on the user's device. When you add a destination, the Segment servers update a list of destinations that the library queries. When a user next loads your site, Analytics.js checks the list of destinations to load code for, and adds the new destination's code to what it loads. It can take up to 30 minutes for the list to update, due to CDN caching.
 
 You can enable device-mode for some destinations from the destination's Settings page in the Segment web app. You don't need to use the same mode for all destinations in a workspace; some can use device-mode, and some can use cloud-mode.
 
-#### Mobile sources
+### Mobile sources
 
 By default, Segment's [mobile sources](/docs/connections/sources/catalog/#mobile) send data to Segment in cloud-mode to help minimize the size of your apps. In cloud-mode the mobile source libraries forward the tracking data to the Segment servers, which route the data to the destinations. Since the Segment servers know which destinations you're using, you don't need to take any action to add destinations to mobile apps using cloud-mode.
 
 However, if the destination you're adding has features that run on the user's device, you might need to update the app to package that destination's SDK with the library. Some destinations require that you package the SDK, and some only offer it
 
-#### Server sources
+### Server sources
 
 Segment's [server sources](/docs/connections/sources/catalog/#server) run on your internal app code, and never have access to the user's device. They run in cloud-mode only, and forward their tracking calls to the Segment servers, which forward the data to any destinations you enabled.
 
diff --git a/src/connections/destinations/destination-filters.md b/src/connections/destinations/destination-filters.md
@@ -87,6 +87,11 @@ Property-level allowlisting is available with Segment's API. Using destination f
 
 ![PII management example](images/destination-filters/pii_example.png)
 
+> info "Healthcare and Life Sciences (HLS) customers can encrypt data flowing into their destinations"
+> HLS customers with a HIPAA eligible workspace can encrypt data in fields marked as Yellow in the Privacy Portal before they flow into an event stream, cloud mode destination.
+>
+> To learn more about data encryption, see the [HIPAA Eligible Segment documentation](/docs/privacy/hipaa-eligible-segment/#data-encryption).
+
 ### Control event volume
 
 This example shows a filter that controls event volume by only sending `User Signed Up` and `Demo Requested` events.
diff --git a/src/privacy/hipaa-eligible-segment.md b/src/privacy/hipaa-eligible-segment.md
@@ -1,10 +1,10 @@
 ---
 title: HIPAA Eligible Segment
+plan: hipaa-eligible
 ---
 
 Segment is a HIPAA eligible platform, and meets the data privacy and security requirements of healthcare customers and their stakeholders. For more information about Segment becoming HIPAA eligible, see the [announcement blog post](http://segment.com/blog/segment-for-healthcare){:target="_blank"}.
 
-
 ## Business Associate Addendum
 
 > info ""
@@ -31,4 +31,78 @@ Data captured in the HIPAA audit logs includes:
  - `end_user_id`: Segment sometimes assigns this unique identifier to an end-user, event, audience, or journey, depending on the event type
  - `timestamp`: Time in UTC when the action occurred
 
-These logs can be provided upon request. For specific requests, please reach out to [friends@segment.com](mailto:friends@segment.com){:target="_blank"}.
+These logs can be provided upon request. For specific requests, please reach out to [friends@segment.com](mailto:friends@segment.com){:target="_blank"}.
+
+## Data encryption
+
+Segment encrypts the data in select fields [marked as yellow in the Privacy Portal](/docs/privacy/portal/#default-pii-matchers) before sending them to event stream, cloud mode destinations, further supporting HIPAA compliance in your destinations. 
+
+> info "Data encryption is currently in public beta"
+> Data encryption only supports event-stream, cloud-mode destinations. Only data fields in `context`, `traits`, and `property` objects can be encrypted. 
+>
+> After Segment encrypts the data, the encrypted data value is always a `string`. Any downstream validation that looks for `integer` or `boolean` data types will fail for encrypted values.
+
+### Configure data encryption for a new destination
+
+To configure data encryption while setting up a new destination:
+1. From the [Destinations page in the Segment App](https://app.segment.com/goto-my-workspace/destinations/){:target="_blank"}, click **Add destination**.
+2. Select a destination from the catalog and click **Configure**.
+3. On the destination's overview page, click **Add destination**. 
+4. On the Select data source page, select the source you want to connect to your destination and click **Next**.
+5. On the Setup page, give your destination a name, fill in any optional settings, and select the **Have Segment encrypt sensitive data** checkbox.
+6. Open the **Fields** dropdown, select one or more fields you'd like to encrypt and click the **Generate Encryption Keys** button. <br> *If you don't see all of the fields that you want to encrypt, [change the classification of your missing data fields](/docs/privacy/portal/#change-a-recommended-classification) to Yellow in the Privacy Portal*.<br> 
+7. Securely store your private key.  <br> **Note:** Once you finish setting up the destination, you cannot retrieve the key. 
+8. Click **Create destination**.
+
+> error "Private Key is not recoverable"
+> Segment does not save the private key created during the data encryption setup flow, and cannot retrieve the key after you finish setting up your destination. You can generate a new key using the instructions in the [Configure new key pairs](#configure-new-key-pairs) section. Any data encrypted prior to generating a new key pair cannot be decrypted with the new key. 
+
+### Configure data encryption for an existing destination
+ 
+To configure data encryption for an existing destination:
+1. Open the [My destinations page](https://app.segment.com/goto-my-workspace/destinations){:target="_blank”} in the Segment app.
+2. Select a destination, and click the **Data Encryption** tab.
+3. On the Data Encryption page, select the **Have Segment encrypt sensitive data** checkbox.
+4. Open the **Fields** dropdown, select one or more fields you'd like to encrypt and click the **Generate Encryption Keys** button. <br> *If you don't see all of the fields that you want to encrypt, [change the classification of your missing data fields](/docs/privacy/portal/#change-a-recommended-classification) to Yellow in the Privacy Portal*.<br> 
+5. Securely store your private key.  <br> **Note:** Once you finish setting up the destination, you cannot retrieve the key.
+6. Click **Save**.
+
+> error "Private Key is not recoverable"
+> Segment does not save the private key created during the data encryption setup flow, and cannot retrieve the key after you finish setting up your destination. You can generate a new key using the instructions in the [Configure new key pairs](#configure-new-key-pairs) section. Any data encrypted prior to generating a new key pair cannot be decrypted with the new key. 
+
+### Configure new key pairs
+
+If you lose access to your private key, you can generate a new key pair in your destination's Data Encryption tab. Any data previously encrypted using the previous key pair is unaffected, but cannot be decrypted using the new key.
+
+To generate a new key pair:
+1. Open the [My destinations page](https://app.segment.com/goto-my-workspace/destinations){:target="_blank”} in the Segment app.
+2. Select the destination you'd like to create new keys for and click **Data Encryption**.
+3. Click **Regenerate Encryption Keys**.
+4. Securely store your private key.  <br> **Note:** Once you finish setting up the destination, you cannot retrieve the key.
+5. Click **Save Changes** to update the key pair. 
+
+### Edit encrypted fields
+
+After enabling encryption for a destination, you can add or remove encrypted data fields in your destination's **Data Encryption** tab. All changes made to fields are forward-looking. You may experience some latency between making the changes and having the changes take effect.
+
+To make changes to your selected fields:
+1. Open the [My destinations page](https://app.segment.com/goto-my-workspace/destinations){:target="_blank”} in the Segment app.
+2. Select the destination you'd like to edit your selected fields for and click **Data Encryption**.
+3. Add or remove fields. 
+  - To add fields, click the **Fields** box to open the dropdown and select the fields you'd like to add.
+  - To remove fields, click the **x** icon next to the name of the field you'd like to remove. 
+4. Click **Save Changes**. 
+
+
+### Remove encryption
+
+Disabling the data encryption setting removes encryption on all previously configured data.
+
+To remove encryption from incoming data:
+1. Open the [My destinations page](https://app.segment.com/goto-my-workspace/destinations){:target="_blank”} in the Segment app.
+2. Select a destination, and click **Data Encryption**.
+3. On the Data Encryption page, deselect the **Have Segment encrypt sensitive data** checkbox.
+4. On the **Turn off data encryption?** popup, click **Confirm**.
+
+> success ""
+> Disabling the data encryption setting does not decrypt existing data, but does prevent any future data from being encrypted. 
