

# Data protection in Amazon Q Developer
<a name="data-protection"></a>

The AWS [shared responsibility model](http://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Q Developer. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](http://aws.amazon.com/compliance/data-privacy-faq). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](http://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
+ Set up API and user activity logging with AWS CloudTrail.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into [tags](https://docs.aws.amazon.com/tag-editor/latest/userguide/security_data-protection.html) or free-form text fields such as a **Name** field. This includes when you work with Amazon Q or other AWS services using the AWS Management Console, API, AWS Command Line Interface (AWS CLI), or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. For more information about how Amazon Q Developer uses content, see [Amazon Q Developer service improvement](service-improvement.md).

**Topics**
+ [Data storage in Amazon Q Developer](data-storage.md)
+ [Data encryption in Amazon Q Developer](data-encryption.md)
+ [Amazon Q Developer service improvement](service-improvement.md)
+ [Opt out of data sharing in the IDE and command line](opt-out-IDE.md)
+ [Cross-region processing in Amazon Q Developer](cross-region-processing.md)

# Data storage in Amazon Q Developer
<a name="data-storage"></a>

Amazon Q stores your questions, its responses, and additional context, such as console metadata and code, to generate responses to your questions and requests. For information about how data is encrypted, see [Data encryption in Amazon Q Developer](data-encryption.md). For information about how AWS may use some questions that you ask Amazon Q and its responses to improve our services, see [Amazon Q Developer service improvement](service-improvement.md).

## AWS Regions where content is processed and stored
<a name="aws-regions-processing-storage"></a>

If you're an IAM Identity Center workforce user, at the Amazon Q Developer Pro tier, your content is stored in the AWS Region where your Amazon Q Developer profile was created only for the following features:
+ Amazon Q chat in the AWS Management Console
+ Diagnosing AWS console errors with Amazon Q
+ Amazon Q in Eclipse, JetBrains IDEs, Visual Studio Code, and Visual Studio
+ Amazon Q on the command line

When you use any other feature at the Amazon Q Developer Pro tier, your content may be stored and processed in a US Region. If you are using a Q Developer profile in a non-US Region, you can create a service control policy (SCP) to block access to features that store content and perform inference in the US. For an example SCP, see [Manage access to Amazon Q Developer with policies](security_iam_manage-access-with-policies.md).
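As an added example (not the SCP from the linked page), the following service control policy denies one feature that this page says performs inference in a US Region, Console to Code, for every account under the organizational unit the policy is attached to. The action name `q:GenerateCodeFromCommands` is assumed here to be the permission behind Console to Code, and the `Sid` is arbitrary; extend the `Action` list with the other US-processed features named on the linked page rather than relying on this single statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyQDeveloperFeaturesProcessedInUS",
      "Effect": "Deny",
      "Action": [
        "q:GenerateCodeFromCommands"
      ],
      "Resource": "*"
    }
  ]
}
```

An explicit `Deny` in an SCP overrides any `Allow` in the identity policies of the member accounts, so users keep console chat, console error diagnosis, and the IDE and command line integrations, which stay in the profile's Region, while the denied feature fails with an access-denied error. SCPs never apply to the organization's management account, so keep workforce accounts in a member OU.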

For other Amazon Q features and integrations, and when using the Amazon Q Developer Free tier, your content is stored in a Region in the US. Data processed during diagnosing console error sessions is stored in the US West (Oregon) Region. All other data is stored in the US East (N. Virginia) Region. Note the following features that store data differently. 

**Note**  
When you use Amazon Q artifacts, your visualizations-related content is stored in a US Region.  
When you use [Console to Code with Amazon Q](console-to-code.md), content is stored in your console Region and processed in a US Region.  
When you use Amazon Q generative SQL in Amazon Redshift, your content is stored and processed in your console Region. For more information, see [Interacting with Amazon Q generative SQL](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2-generative-ai.html) in the *Amazon Redshift Management Guide*.  
When you create an investigation with Amazon CloudWatch investigations, your content may be stored and processed in other Regions. For more information, see the [Security in CloudWatch investigations](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#cross-region-inference) topic in the *Amazon CloudWatch User Guide*.

With cross-region inferencing, your requests to Amazon Q Developer may be processed in a different Region within the geography where your content is stored. For more information, see [Cross-region inference](cross-region-processing.md#cross-region-inference).

# Data encryption in Amazon Q Developer
<a name="data-encryption"></a>

This topic provides information specific to Amazon Q Developer about encryption in transit and encryption at rest.

## Encryption in transit
<a name="encryption-transit"></a>

All communication between customers and Amazon Q and between Amazon Q and its downstream dependencies is protected using TLS 1.2 or higher connections. 

## Encryption at rest
<a name="encryption-rest"></a>

Amazon Q stores data at rest using Amazon DynamoDB and Amazon Simple Storage Service (Amazon S3). The data at rest is encrypted using AWS encryption solutions by default. Amazon Q encrypts your data using AWS owned encryption keys from AWS Key Management Service (AWS KMS). You don’t have to take any action to protect the AWS owned keys that encrypt your data; they are not stored in your account, so you cannot view or manage them. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.

For IAM Identity Center workforce users subscribed to Amazon Q Developer Pro, administrators can set up encryption with customer managed KMS keys for data at rest for the following features:
+ Chat in the AWS console
+ Diagnosing AWS console errors
+ Customizations
+ Agents in the IDE

You can only encrypt data with a customer managed key for the listed features of Amazon Q in the AWS console and the IDE. Your conversations with Amazon Q on the AWS website, AWS Documentation pages, and in chat applications are only encrypted with AWS-owned keys. 

Customer managed keys are KMS keys in your AWS account that you create, own, and manage to directly control access to your data by controlling access to the KMS key. Only symmetric keys are supported. For information on creating your own KMS key, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.

When you use a customer managed key, Amazon Q Developer relies on KMS grants, which allow authorized users, roles, or applications to use a KMS key without changing its key policy. When an Amazon Q Developer administrator chooses a customer managed key for encryption during configuration, a grant is created on that key for them. This grant is what allows Amazon Q to use the key to encrypt end users' data at rest. For more information on grants, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html).

If you change the KMS key used to encrypt chats with Amazon Q in the AWS console, you must start a new conversation to begin using the new key to encrypt your data. Any conversations that were encrypted with the previous key won’t be retained, and only future conversations will be encrypted with the updated key. If you want to keep your conversations from a previous encryption method, you can revert to the key you were using during those conversations. If you change the KMS key used to encrypt diagnosing console error sessions, you must start a new diagnose session to begin using the new key to encrypt your data.

## Using customer managed KMS keys
<a name="kms-keys"></a>

After creating a customer managed KMS key, an Amazon Q Developer administrator must provide the key in the Amazon Q Developer console to use it to encrypt data. For information on adding the key in the Amazon Q Developer console, see [Managing the encryption method in Amazon Q Developer](manage-encryption.md). 

To set up a customer managed key to encrypt data in Amazon Q Developer, administrators need permissions to use AWS KMS. The required KMS permissions are included in the example IAM policy, [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). 

To use features that are encrypted with a customer managed key, users need permissions to allow Amazon Q to access the customer managed key. For a policy that grants the needed permissions, see [Allow Amazon Q access to customer managed keys](id-based-policy-examples-users.md#id-based-policy-examples-allow-q-access-encryption).

If you see an error related to KMS grants while using Amazon Q Developer, you likely need to update your permissions to allow Amazon Q to create grants. To automatically configure the needed permissions, go to the Amazon Q Developer console and choose **Update permissions** in the banner at the top of the page. 
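The following key policy is an added example, not the policy from the linked pages, of scoping the permissions that the grant workflow above depends on. It assumes account `111122223333` and a role named `QDeveloperUsers`, and it assumes that `q.*.amazonaws.com` is the `kms:ViaService` value Amazon Q Developer presents when it uses the key for a user; confirm that value against the linked user policy before relying on it. The `Deny` statement uses the `kms:GrantIsForAWSResource` condition, which is true only when an AWS service integrated with KMS calls `CreateGrant` on a principal's behalf, as the Amazon Q Developer console does during configuration (assumed here), so nobody can hand the key to arbitrary principals through a manual grant.

```json
{
  "Version": "2012-10-17",
  "Id": "amazon-q-developer-cmk",
  "Statement": [
    {
      "Sid": "KeyAdministrationByAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyGrantsNotCreatedForAnAWSService",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "false" }
      }
    },
    {
      "Sid": "QDeveloperUsersUseKeyOnlyThroughAmazonQ",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/QDeveloperUsers" },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:ViaService": "q.*.amazonaws.com" }
      }
    }
  ]
}
```

Create the key as a symmetric key, the only kind this page says is supported, for example with `aws kms create-key --key-spec SYMMETRIC_DEFAULT --policy file://key-policy.json`, then register it in the Amazon Q Developer console. The first statement delegates to IAM, so the identity policies on the linked pages are still needed; the `Deny` applies regardless of them. After configuration, `aws kms list-grants --key-id <key-id>` shows the grant the service created; compare its `GranteePrincipal` and `Operations` with what your Amazon Q Developer setup needs, and use `aws kms revoke-grant` to remove any grant you did not expect.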

# Amazon Q Developer service improvement
<a name="service-improvement"></a>

To help Amazon Q Developer provide the most relevant information, we may use certain content from Amazon Q, such as questions that you ask Amazon Q and its responses, for service improvement. This page explains what content we use and how to opt out.

## Amazon Q Developer Free tier content used for service improvement
<a name="content-use"></a>

We may use certain content from Amazon Q Developer Free tier for service improvement. Amazon Q may use this content, for example, to provide better responses to common questions, to fix Amazon Q operational issues, for debugging, or for model training. 

Content that AWS may use for service improvement includes, for example, your questions to Amazon Q and the responses and code that Amazon Q generates. 

We do not use content from Amazon Q Developer Pro or Amazon Q Business for service improvement. 

**Note**  
Amazon Q Developer for GitHub (Preview) does not currently use your content for service improvement. If we enable this in the future, we will provide you with adequate notice and a way for you to opt out of such use.

## How to opt out
<a name="opt-out"></a>

The way you opt out of having your Amazon Q Developer Free tier content used for service improvement depends on the environment where you use Amazon Q.

For the AWS Management Console, AWS Console Mobile Application, AWS websites, and in chat applications, configure an AI services opt-out policy in AWS Organizations. For more information, see [AI services opt-out policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html) in the *AWS Organizations User Guide*. 
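The following organization policy is an added example, constructed here rather than copied from the linked Organizations guide, of the opt-out just described. It opts every account under the attachment point out of AI service content use for all services through the `default` key, and the `@@operators_allowed_for_child_policies` entries set to `@@none` stop child OUs and member accounts from overriding the setting in their own policies.

```json
{
  "services": {
    "@@operators_allowed_for_child_policies": ["@@none"],
    "default": {
      "@@operators_allowed_for_child_policies": ["@@none"],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"
      }
    }
  }
}
```

Enable the policy type on the organization root first (`aws organizations enable-policy-type --root-id <root-id> --policy-type AISERVICES_OPT_OUT_POLICY`), create the policy with `aws organizations create-policy --type AISERVICES_OPT_OUT_POLICY --content file://ai-opt-out.json`, attach it with `aws organizations attach-policy`, and confirm the result for a member account with `aws organizations describe-effective-policy --policy-type AISERVICES_OPT_OUT_POLICY --target-id <account-id>`. This policy covers the console, mobile application, AWS websites, and chat application paths only; the IDE content-sharing setting described on the next page is a per-developer setting that an administrator cannot change.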

In the IDE, for Amazon Q Developer Free tier, adjust your settings in the IDE. For more information, see [Opt out of data sharing in the IDE and command line](opt-out-IDE.md).

# Opt out of data sharing in the IDE and command line
<a name="opt-out-IDE"></a>

This page explains how to opt out of sharing your data in the IDE or command line where you use Amazon Q, including third-party IDEs and AWS coding environments. For information on how Amazon Q uses this data, see [Amazon Q Developer service improvement](service-improvement.md).

## Opting out of sharing your client-side telemetry
<a name="opt-out-IDE-telemetry"></a>

Your client-side telemetry quantifies your usage of the service. For example, AWS may track whether you accept or reject a recommendation. Your client-side telemetry does not contain actual code. 

### Telemetry collected in IDEs
<a name="IDE-telemetry"></a>

To learn more about the telemetry data collected by Amazon Q in the IDE, see the [commonDefinitions.json](https://github.com/aws/aws-toolkit-common/blob/main/telemetry/definitions/commonDefinitions.json) document in the `aws-toolkit-common` GitHub repository.

For detailed information about the telemetry data collected by each IDE where you use Amazon Q, reference the resource documents in the following GitHub repositories: 
+ [Amazon Q extension for VS Code](https://github.com/aws/aws-toolkit-vscode/blob/master/packages/core/src/shared/telemetry/vscodeTelemetry.json)
+ [Amazon Q plugin for JetBrains](https://github.com/aws/aws-toolkit-jetbrains/blob/main/plugins/core/jetbrains-community/resources/telemetryOverride.json)
+ [Amazon Q plugin for Eclipse](https://github.com/aws/amazon-q-eclipse/blob/main/plugin/codegen-resources/definitions/commonDefinitions.json)
+ [AWS Visual Studio Toolkit with Amazon Q](https://github.com/aws/aws-toolkit-visual-studio/blob/main/Telemetry/vs-telemetry-definitions.json)

### Telemetry collected in the Q CLI
<a name="w2aac21c13c19b5b7b1"></a>

To learn more about the telemetry data collected by the Q CLI, see the [telemetry\_definitions.json](https://github.com/aws/amazon-q-developer-cli/blob/main/crates/chat-cli/telemetry_definitions.json) document in the `amazon-q-developer-cli` GitHub repository.

### Telemetry collected in the command line tool for transformations
<a name="w2aac21c13c19b5b9b1"></a>

Telemetry collection helps AWS understand how the Q command line transformation tool is performing, learn how features are used, and improve our services. For transformations on the command line, we collect telemetry on your tool version and Maven plugin version. 

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in free text fields.

Choose your IDE for instructions on opting out of sharing your client-side telemetry.

------
#### [ Visual Studio Code ]

To opt out of sharing your telemetry data in VS Code, use this procedure:

1. Open **Settings** in VS Code.

1. If you are using VS Code workspaces, switch to the **Workspace** sub-tab. In VS Code, workspace settings override user settings.

1. In the Settings search bar, enter `Amazon Q: Telemetry`.

1. Deselect the box.

**Note**  
This is a decision for each developer to make inside their own IDE. If you are using Amazon Q as part of an enterprise, your administrator will not be able to change this setting for you.

------
#### [ JetBrains ]

To opt out of sharing your telemetry data in JetBrains, use this procedure:

1. In your JetBrains IDE, open **Preferences** (on a Mac, this will be under **Settings**).

1. In the left navigation bar, choose **Tools**, and then choose **AWS**.

1. Deselect **Send usage metrics to AWS**.

![\[The settings panel in JetBrains\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/JB-usage.png)


**Note**  
This is a decision for each developer to make inside their own IDE. If you are using Amazon Q as part of an enterprise, your administrator will not be able to change this setting for you.

------
#### [ Eclipse ]

To opt out of sharing your telemetry data in Eclipse IDEs, use this procedure:

1. Open **Settings** in your Eclipse IDE.

1. Choose **Amazon Q** from the left navigation bar.

1. Deselect the box next to **Send usage metrics to AWS**.

1. Choose **Apply** to save your changes.

**Note**  
This is a decision for each developer to make inside their own IDE. If you are using Amazon Q as part of an enterprise, your administrator will not be able to change this setting for you.

------
#### [ Visual Studio ]

To opt out of sharing your telemetry data in the AWS Toolkit for Visual Studio, use this procedure:

1. Under **Tools**, choose **Options**.

1. In the **Options** pane, choose **AWS Toolkit**, and then choose **General**.

1. Deselect **Allow AWS Toolkit to collect usage information**.

**Note**  
This is a decision for each developer to make inside their own IDE. If you are using Amazon Q as part of an enterprise, your administrator will not be able to change this setting for you.

------
#### [ AWS Cloud9 ]

1. From inside your AWS Cloud9 IDE, choose the AWS Cloud9 logo at the top of the window, then choose **Preferences**.

1. On the **Preferences** tab choose **AWS Toolkit**.

1. Next to **AWS: client-side telemetry**, toggle the switch to the off position.



**Note**  
This setting affects whether or not you share your AWS Cloud9 client-side telemetry in general, not just for Amazon Q.

------
#### [ Lambda ]

When you use Amazon Q with Lambda, Amazon Q does not share your client-side telemetry with AWS.

------
#### [ SageMaker AI Studio ]

1. From the top of the SageMaker AI Studio window choose **Settings**.

1. From the **Settings** dropdown, choose **Advanced Settings Editor**.

1. In the Amazon Q dropdown, select or deselect the box next to **Share usage data with Amazon Q**.

------
#### [ JupyterLab ]

1. From the top of the JupyterLab window choose **Settings**.

1. From the **Settings** dropdown, choose **Advanced Settings Editor**.

1. In the Amazon Q dropdown, select or deselect the box next to **Share usage data with Amazon Q**.

------
#### [ AWS Glue Studio Notebook ]

1. From the bottom of the AWS Glue Studio Notebook window choose **Amazon Q**.

1. From the pop-up menu, toggle the switch next to **Share telemetry with AWS**.

**Note**  
Pausing the sharing of client-side telemetry will be valid only for the duration of the current AWS Glue Studio Notebook.

------
#### [ Command line ]

In the command line tool, under **Preferences**, toggle **Telemetry**.

------
#### [ Transformations on the command line ]

Telemetry collection is enabled by default with the command line tool for transformations. To disable it, complete the following procedure.

**To update telemetry preferences**

1. Run `qct configure` and provide the requested configuration details, or press Enter to use the existing configuration.

1. When prompted whether you want to allow telemetry collection, enter `N` to prevent AWS from collecting telemetry data.

1. If you'd like to re-enable telemetry collection, run `qct configure` again and enter `Y` when prompted.

------

## Opting out of sharing your content
<a name="opt-out-IDE-content"></a>

For information on content AWS uses, see [Amazon Q Developer service improvement](service-improvement.md).

------
#### [ Visual Studio Code ]

At the Amazon Q Developer Pro tier, Amazon Q does not collect your content.

At the Amazon Q Developer Free tier, to opt out of sharing your content in VS Code, use the following procedure.

1. Open **Settings** in VS Code.

1. If you are using VS Code workspaces, switch to the **Workspace** sub-tab. In VS Code, workspace settings override user settings.

1. In the Settings search bar, enter `Amazon Q: Share Content`.

1. Deselect the box.

------
#### [ JetBrains ]

At the Amazon Q Developer Pro tier, Amazon Q does not collect your content.

At the Amazon Q Developer Free tier, to opt out of sharing Amazon Q data in JetBrains, use the following procedure.

1. Make sure you are using the latest version of JetBrains. 

1. In your JetBrains IDE, open **Preferences** (on a Mac, this will be under **Settings**).

1. In the left navigation bar, choose **Tools** --> **AWS** --> **Amazon Q**.

1. Under **Data sharing**, deselect **Share Amazon Q content with AWS**.

![\[Options for sharing Amazon Q data in JetBrains.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/JB-content.png)


------
#### [ Eclipse ]

At the Amazon Q Developer Pro tier, Amazon Q does not collect your content.

At the Amazon Q Developer Free tier, to opt out of sharing Amazon Q data in Eclipse IDEs, use the following procedure.

1. Make sure you are using the latest version of your Eclipse IDE. 

1. In your Eclipse IDE, open **Settings**.

1. In the left navigation bar, choose **Amazon Q**.

1. Deselect the box next to **Share Amazon Q content with AWS**.

1. Choose **Apply** to save your changes.

------
#### [ Visual Studio ]

At the Amazon Q Developer Pro tier, Amazon Q does not collect your content.

At the Amazon Q Developer Free tier, to opt out of sharing your content in Visual Studio, use the following procedure.

Go to **Tools** -> **Options** -> **AWS Toolkit** -> **Amazon Q**.

Set **Share Amazon Q Content with AWS** to **False** to opt out, or to **True** to opt back in.

------
#### [ AWS Cloud9 ]

When you use Amazon Q with AWS Cloud9, Amazon Q does not share your content with AWS.

**Note**  
The AWS Cloud9 settings do contain a toggle switch for sharing Amazon Q content with AWS, but that switch is non-functional.

------
#### [ Lambda ]

When you use Amazon Q with Lambda, Amazon Q does not share your content with AWS.

**Note**  
The Lambda settings do contain a toggle switch for sharing Amazon Q content with AWS, but that switch is non-functional.

------
#### [ SageMaker AI Studio ]

When you use Amazon Q with SageMaker AI Studio, Amazon Q does not share your content with AWS.

------
#### [ JupyterLab ]

1. From the top of the JupyterLab window choose **Settings**.

1. From the **Settings** dropdown, choose **Advanced Settings Editor**.

1. In the Amazon Q dropdown, select or deselect the box next to **Share content with Amazon Q**.

------
#### [ AWS Glue Studio Notebook ]

When you use Amazon Q with AWS Glue Studio Notebook, Amazon Q does not share your content with AWS.

------
#### [ Command line ]

In the command line tool, under **Preferences**, toggle **Share Amazon Q content with AWS**.

------
#### [ Transformations on the command line ]

When you use the Amazon Q command line tool for transformation, Amazon Q does not share your content with AWS.

------

# Cross-region processing in Amazon Q Developer
<a name="cross-region-processing"></a>

The following sections describe how cross-region inference and cross-region calls are used to provide the Amazon Q Developer service. 

## Cross-region inference
<a name="cross-region-inference"></a>

Amazon Q Developer is powered by Amazon Bedrock, and uses cross-region inference to distribute traffic across different AWS Regions to enhance large language model (LLM) inference performance and reliability. With cross-region inference, you get:
+ Increased throughput and resilience during high demand periods
+ Improved performance 
+ Access to newly launched Amazon Q Developer capabilities and features that rely on the most powerful LLMs hosted on Amazon Bedrock

Cross-region inference requests are kept within the AWS Regions that are part of the geography where the data originally resides. For example, a request made from an Amazon Q Developer profile created in the US is kept within the AWS Regions in the US. Some Amazon Q Developer features and integrations may perform inference in Regions other than where your Q Developer profile was created. For more information, see [Supported regions for Amazon Q Developer cross-region inference](#inference-regions).

Although cross-region inferencing doesn’t change where your data is stored, your requests and output results may move outside of the Region where the data originally resides. All data is encrypted while transmitted across Amazon's secure network. There's no additional cost for using cross-region inference. For information on where data is stored when you use Amazon Q Developer, see [Data protection in Amazon Q Developer](data-protection.md). 

### Supported regions for Amazon Q Developer cross-region inference
<a name="inference-regions"></a>

The following table describes what Regions your requests may be routed to depending on the geography where the request originated.


|  **Supported Amazon Q Developer geography**  |  **Inference Regions**  | 
| --- | --- | 
| United States |  US East (N. Virginia) (us-east-1), US West (Oregon) (us-west-2), US East (Ohio) (us-east-2)  | 
| Europe |  Europe (Frankfurt) (eu-central-1), Europe (Ireland) (eu-west-1), Europe (Paris) (eu-west-3), Europe (Stockholm) (eu-north-1)  | 
| Asia Pacific\* |  Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Seoul) (ap-northeast-2), Asia Pacific (Singapore) (ap-southeast-1), Asia Pacific (Sydney) (ap-southeast-2), Asia Pacific (Tokyo) (ap-northeast-1)  | 

\*Cross-region inferencing in the Asia Pacific Regions is only supported when you use Amazon Q generative SQL in the Asia Pacific (Seoul) Region. 

For a complete list of Regions where you can use Amazon Q Developer, see [Supported Regions for Amazon Q Developer](regions.md).

## Cross-region calls
<a name="cross-region-calls"></a>

Certain requests that you make to Amazon Q Developer may require cross-region calls. Cross-region calls are API calls made by Amazon Q from one AWS Region to another AWS Region. Amazon Q makes cross-region calls when your request requires it to retrieve information from a Region different from your current Region. For example, when you ask Amazon Q questions about your AWS resources that are located in different Regions, it will make a cross-region call to access your resources and retrieve the relevant data to respond to your question. In addition, if a response from Amazon Q requires information from a global AWS service endpoint, Amazon Q may make calls outside of the Region where your data is stored. For more information on global services, see [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) in the *AWS Fault Isolation Boundaries AWS Whitepaper*. 

If you’d like to disable cross-region calls made by Amazon Q Developer, you can create a policy that prevents Amazon Q from making API calls on your behalf. By doing so, you won’t have access to features that require Amazon Q to make API calls on your behalf, even if Amazon Q is making calls within your current Region. For an IAM policy that prevents Amazon Q from making API calls on your behalf, including cross-region calls, see [Deny Amazon Q permission to perform actions on your behalf](id-based-policy-examples-users.md#id-based-policy-examples-deny-actions).
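An added example of the kind of deny policy the previous paragraph refers to, constructed here rather than taken from the linked page: it assumes that `q:PassRequest` is the permission that lets Amazon Q call other AWS services on a user's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQCallsOnMyBehalf",
      "Effect": "Deny",
      "Action": "q:PassRequest",
      "Resource": "*"
    }
  ]
}
```

Attach it as an identity-based policy to the users or roles concerned, or place the same statement in an SCP to enforce it across an organization. Because an explicit `Deny` overrides every `Allow`, the policy blocks in-Region calls as well as cross-region ones, which is the trade-off the paragraph above describes.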