Data security and cloud storage integrations
Updated at June 12th, 2025
Data security is at the core of everything we do at Sama. As organizations increasingly rely on cloud storage and integrations to manage large volumes of data, it’s critical to ensure that this data remains protected, private, and accessible only to the right people at the right time.
This document covers key safeguards like encryption, access control, and incident response.
How Sama Keeps Your Data Safe
The table below outlines the key principles and practices Sama follows to protect your data. It covers areas such as data access, security protocols, cloud provider standards, and how we handle privacy and incident response. These measures reflect our commitment to maintaining a secure and compliant data environment across all platforms and integrations.
| Category | Practices | Details |
|---|---|---|
| Limitation of Purpose, Data, and Storage | Data minimization and controlled access | • Access is limited to relevant assets and APIs • Manual request process for data deletion • Data strictly limited to annotation-related material |
| Security | Layered security and best practices | • Role-based access control (RBAC) — physical & logical • Least privilege principle enforced • Secure APIs for task and asset deletion • Encryption for data in transit and at rest • Ongoing security training • Routine penetration testing |
| Operational Excellence | Infrastructure reliability and traceability | • Tier 1 cloud service providers • Strong configuration management controls • Logging and alerting systems in place |
| Data Subject Requests and Receipt | Transparent access and tracking | • Requests submitted via customers • Data identified using asset IDs • All actions logged and auditable |
| Privacy | Controlled access and anonymization | • Data access restricted to authorized personnel only • IDs are auto-generated to ensure anonymity |
| Notification | Incident response readiness | • Hosted on tier 1 cloud providers (e.g., Azure, GCP) • 72-hour incident response SLA |
The following table outlines additional safeguards Sama uses to protect your data throughout its lifecycle. These practices support secure data residency, encrypted communication, restricted access, continuous vulnerability testing, and secure work environments, ensuring a robust and compliant infrastructure across all levels of our operations.
| Category | Focus Area | Practices |
|---|---|---|
| Data Residency | Legal compliance by region | • Adheres to in-country laws related to privacy, banking, government, and IP protection |
| Data Transit Protection | Encrypted communication | • Data exchanged between Sama clients and servers is secured using TLS/SSL industry standards |
| Limited Data Access | Role-based access control | • Only authorized personnel have access • Enforced through the Principle of Least Privilege (POLP) • Amazon S3 access control per tenant |
| Vulnerability Testing | Threat detection and prevention | • External penetration tests to identify risks • Automated white-hat security scanning |
| Secure Work Environment | Physical and logical access controls | • ISO-certified delivery centers • Biometric access controls • Two-factor authentication (2FA) for users |
Cloud Storage Integration Options
Sama offers multiple options for integrating and managing your assets via cloud storage. Depending on your technical setup, security requirements, and operational needs, you can choose between full integration with your own cloud provider or using Sama-managed storage. Assets can also be uploaded to or accessed directly from Sama’s S3 infrastructure, with storage locations in Europe, the USA, and India.
| Integration Type | Benefits | Considerations |
|---|---|---|
| Full integration with your cloud storage (Azure, GCP, S3) | • You maintain full control over assets and storage • Enables direct access, with optional CDN acceleration | • Requires configuration of cloud permissions • Security outside the workspace depends on your infrastructure • GCP/Azure support images, videos, and 3D; S3 supports images only |
| Assets fetched from your cloud but cached in Sama’s S3 | • No file size restrictions • Full compatibility with all annotation types • Improved loading speeds from Sama’s delivery centers | • Assets are temporarily copied to Sama’s S3 • Temporary disruptions may affect availability |
| Direct upload to Sama’s S3 (Europe, USA, India) | • Highest stability during annotation • Sama secures your data with robust policies and access controls. | • Assets are stored in Sama’s S3 for the duration of the project |
Azure Blob Storage Integration
Sama supports secure integration with Azure Blob Storage, allowing you to connect your own storage account so Sama can read and write assets like images, videos, and 3D files. The integration is secure, does not require storing passwords or secrets, and Sama never retains copies of your data.
What You’ll Need
- An Azure Storage Account and Blob Container
- Access to Azure Active Directory
- Access to your Sama platform settings
Step-by-Step Setup Guide
Step 1: Set up your Azure Storage
- Go to your Azure portal.
- Create (or use an existing) Storage Account.
- Inside it, create a Blob Container where Sama will access and store your assets.
Step 2: Register Sama as an App in Azure
- In Azure Active Directory, go to App registrations.
- Click "New registration", and name the app something like sama-access.
- After registering, copy the following:
  - Application (client) ID
  - Directory (tenant) ID
- You’ll need both later when configuring Sama.
Step 3: Add Federated Credentials
- In your new App, go to Certificates & secrets → Federated credentials → Add credential.
- Set Scenario to “Other issuer”.
- Use the following values:
  - Issuer: https://cognito-identity.amazonaws.com
  - Subject identifier: eu-west-1:72a28b0b-b4cc-443f-9032-a397c1ef692a
  - Audience: eu-west-1:e4639e61-9b32-4a7f-aeb9-9987f28d102d
💡 This allows Sama to authenticate securely without storing passwords, using a method called Workload Identity Federation.
Step 4: Give Sama Access to Your Storage
- Go to your Storage Account or Blob Container in Azure.
- Select Access Control (IAM).
- Click Add role assignment, then:
  - Choose Storage Blob Data Contributor (for container access).
  - Choose Storage Blob Delegator (for account-level delegation).
✅ If you prefer Sama to only read files (and not write back), you can assign the Storage Blob Data Reader role instead.
Step 5: Configure CORS (Cross-Origin Resource Sharing)
- In your Blob Storage settings, go to Resource Sharing (CORS).
- Add the following configuration:
  - Allowed origins: * and app.lola.com
  - Allowed methods: GET, PUT
  - Max age: 3000
⚠️ This ensures Sama can securely fetch and upload files from your storage.
Step 6: Connect Azure to Your Sama Account
- Log into your Sama account at https://accounts.sama.com.
- Go to your Organization Details page.
- In the Azure Integration section:
- Paste your Azure Application client ID
- Paste your Directory (tenant) ID
- Also fill in the Storage Account Name and Container Name.
Step 7: Test Your Connection
- Use a test asset URL from your Azure container to confirm Sama can read your file.
- If successful, your integration is complete!
📘 Note
- Sama may transform certain files (like video or 3D) to make them compatible with our platform. These transformed files are written back to your Azure storage.
- If you don’t want to use your own storage, you can also upload assets directly to Sama’s managed S3 storage in Germany, USA, or India.
AWS S3 Integration
Sama can access your assets stored in Amazon S3 using a secure cross-account setup. This means Sama will read files (like images, videos, and 3D models) directly from your S3 bucket without needing you to upload them separately.
What You’ll Need
- An existing S3 bucket that contains your assets
- Access to edit bucket policies and CORS settings
- Your Sama platform
Step-by-Step Setup Guide
Step 1: Give Sama Permission to Access Your Bucket
You’ll need to update your S3 Bucket Policy so Sama can access the files it needs. This gives read-only access to the bucket.
Configure your S3 bucket policy as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "sama-s3-getobjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::596059236576:user/hub-prod"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>",
        "arn:aws:s3:::<BUCKET_NAME>/*"
      ]
    }
  ]
}
```
Replace <BUCKET_NAME> with the name of your actual bucket.
If more granular access is needed, the arn:aws:s3:::<BUCKET resource can be replaced with a list of resources that include the paths to which Sama will be granted access, such as arn:aws:s3:::<BUCKET and arn:aws:s3:::<BUCKET_NAME>/other/path/that/sama/needs/*:
```json
"Resource": [
  "arn:aws:s3:::your-bucket-name/path/to/assets/*"
]
```
💡 More help: AWS documentation on bucket policies
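The policy above, generated for a given bucket (optionally narrowed to path prefixes as described) and checked for anything broader than the read-only grant the page intends. This is an added example, not Sama's own tooling; the principal ARN and the three actions are taken from the policy on this page, while the bucket names and prefixes are constructed sample values.

```python
# Added example (not Sama's tooling): build and sanity-check the read-only
# bucket policy shown above. SAMA_PRINCIPAL and the actions come from the page;
# bucket names and prefixes are constructed sample values.

SAMA_PRINCIPAL = "arn:aws:iam::596059236576:user/hub-prod"
READ_ONLY_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]


def build_policy(bucket: str, prefixes=None) -> dict:
    """Return the page's policy; with prefixes, GetObject is limited to those paths.

    s3:ListBucket still applies to the whole bucket ARN, so key names outside
    the prefixes remain listable unless an s3:prefix condition is added.
    """
    if prefixes:
        objects = [f"arn:aws:s3:::{bucket}/{p.strip('/')}/*" for p in prefixes]
    else:
        objects = [f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "sama-s3-getobjects",
            "Effect": "Allow",
            "Principal": {"AWS": SAMA_PRINCIPAL},
            "Action": list(READ_ONLY_ACTIONS),
            # bucket ARN for ListBucket/GetBucketLocation, object ARNs for GetObject
            "Resource": [f"arn:aws:s3:::{bucket}"] + objects,
        }],
    }


def policy_findings(policy: dict) -> list:
    """Flag statements that make the bucket public or give Sama more than read access."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: Principal '*' makes the bucket public")
        elif principal == {"AWS": SAMA_PRINCIPAL}:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            extra = sorted(set(actions) - set(READ_ONLY_ACTIONS))
            if extra:
                findings.append(f"{sid}: Sama granted more than read-only: {extra}")
    return findings
```

Run `policy_findings` over the policy you actually attach (for example the output of `aws s3api get-bucket-policy`) before and after editing it, so a later change cannot quietly widen the grant.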
Step 2: Configure CORS (Cross-Origin Resource Sharing)
CORS lets Sama’s platform access files in your S3 bucket from the web.
- The Origin will be https://app.sama.com
- The Access-Control-Request-Method is GET
Here is a sample AWS S3 CORS bucket configuration that will enable the Sama platform to properly serve images:
```json
[
  {
    "AllowedHeaders": [],
    "AllowedMethods": [
      "GET"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [],
    "MaxAgeSeconds": 3000
  }
]
```
💡 More help: AWS guide on configuring CORS
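An added example (not Sama's own tooling) that evaluates the CORS configuration above the way a browser would and flags anything broader than what this step requires: the sample uses a wildcard origin, while the page states the requesting origin is https://app.sama.com, so `tightened` narrows it to that origin and to GET. SAMA_ORIGIN and the GET method come from the page; PAGE_CORS is a copy of the sample configuration.

```python
# Added example (not Sama's tooling): evaluate an S3 CORS configuration the way a
# browser would, and flag rules broader than the page needs. SAMA_ORIGIN and the
# GET method come from the page; PAGE_CORS is a copy of the sample above.
# CORS only governs which web origins may read responses in a browser; the
# bucket policy is what actually controls access.

SAMA_ORIGIN = "https://app.sama.com"

PAGE_CORS = [{"AllowedHeaders": [], "AllowedMethods": ["GET"],
              "AllowedOrigins": ["*"], "ExposeHeaders": [], "MaxAgeSeconds": 3000}]


def origin_matches(pattern: str, origin: str) -> bool:
    """An AllowedOrigins entry is an exact string with at most one '*' wildcard."""
    if pattern == "*":
        return True
    if "*" not in pattern:
        return pattern == origin
    head, _, tail = pattern.partition("*")
    return (len(origin) >= len(head) + len(tail)
            and origin.startswith(head) and origin.endswith(tail))


def cors_allows(rules: list, origin: str, method: str) -> bool:
    """True if some rule lets a page at `origin` use `method` on the bucket."""
    return any(
        method in rule.get("AllowedMethods", [])
        and any(origin_matches(p, origin) for p in rule.get("AllowedOrigins", []))
        for rule in rules
    )


def cors_findings(rules: list) -> list:
    """Flag wildcard origins and methods beyond the GET the page requires."""
    findings = []
    for i, rule in enumerate(rules):
        if "*" in rule.get("AllowedOrigins", []):
            findings.append(f"rule {i}: AllowedOrigins '*' admits every site, not just {SAMA_ORIGIN}")
        extra = sorted(set(rule.get("AllowedMethods", [])) - {"GET"})
        if extra:
            findings.append(f"rule {i}: methods beyond GET: {extra}")
    return findings


def tightened(rules: list) -> list:
    """Same rules with origins narrowed to SAMA_ORIGIN and methods to GET."""
    return [dict(rule, AllowedOrigins=[SAMA_ORIGIN], AllowedMethods=["GET"]) for rule in rules]
```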
Google Cloud Storage Integration
Sama can securely access your assets in Google Cloud Storage (GCS) so our platform can read and write files (like images, video, and 3D models) during annotation. This guide walks you through how to set up access using a service account.
What You’ll Need
- A Google Cloud Storage bucket (existing or new)
- Permissions to manage IAM roles and service accounts in your GCP project
- For the best security practices, it is recommended that you create a standalone service account for use with Sama.
- Your Sama platform credentials
Step-by-Step Setup Guide
Step 1: Create or Choose a Service Account
- Go to the IAM & Admin > Service Accounts section in your GCP Console.
- Click “Create Service Account.”
- Name the account something like: sama-cloud-storage.
- (Optional) Add a short description like “Used for Sama integration.”
- Click “Done” to finish.
💡 If you already have a service account you'd like to use, skip to Step 2.
Step 2: Grant Permissions to Sama and Your Service Account
- Click on the service account you just created.
- Open the Permissions tab.
- Click “Grant Access.”
- Under Add principals, add:
  - sama-external@rd-prod-398911.iam.gserviceaccount.com (this is Sama’s account)
  - The email address of the service account you just created (e.g., sama-cloud-storage@your-project.iam.gserviceaccount.com)
- Under Assign roles, add: Service Account Token Creator
💡 This role allows Sama to impersonate the account securely using a short-term token.
- Click “Save.”
- Send Sama the full email address of the service account you created.
Step 3: Set Permissions on Your Storage Bucket
- Go to the Cloud Storage section in the GCP Console.
- Click the name of the bucket you want Sama to access.
- Open the Permissions tab.
- Click “Grant Access.”
- Under Add principals, add the same service account you created (e.g., sama-cloud-storage@...).
- Under Assign roles, choose:
  - Storage Object User (this gives Sama read/write access)
  - OR Storage Object Viewer (for read-only access — Sama won’t be able to save data back to the bucket if you choose this)
- Click “Save.”
- Send Sama the name of the bucket(s) you want to connect.
✅ Tips & Recommendations
- For best security, create a dedicated service account just for Sama.
- If needed, you can create a custom IAM role or apply IAM conditions to limit Sama’s access to only specific folders or actions.
- Make sure your storage bucket is in the correct region and has enough space for transformed assets.
💡 More help: GCP Docs – Creating and managing service accounts
Pre-signed and Public URLs
You can also send pre-signed or public URLs of your assets as an alternative to IAM Delegated Access or Cross-Account Access.