Figure Eight Secure Data Access

When using Figure Eight’s Secure Data Access, your team maintains ownership and governance over all source data. The data that your team supplies never leaves your servers. For added security, private buckets can be used while processing training data in the Figure Eight platform.

Your team serves the source data via secure URLs hosted in private buckets inside your cloud storage. The only data that is passed to Figure Eight are the URLs for your private bucket, which will be assigned a unit ID. Corresponding annotations for the data can be downloaded from the Figure Eight platform and can subsequently be associated with source data via the unit ID.

  1. Secure content is rendered through signed URLs
  2. Signed URLs expire immediately after the content is rendered
  3. Your content is never stored or saved within the Figure Eight platform
  4. Content is rendered only to authenticated contributors and requestors with access to specific Figure Eight tasks. 


Note: For access to this feature, please contact your Customer Success Manager or Account Executive. The feature is supported for the following use cases:

  1. Data categorization, validation and transcription of text, image, audio and video files
    1. Filenames should not contain spaces
  2. Image Annotation Tool
  3. Secure Data Access will now be available for Text Annotation jobs. The result links will be hosted by Figure Eight and expire 7 days after the initial generation.

    If you need to access the result links after the 7 day expiration period, you can re-generate the report and new expiring links will be generated.

Guide to set up Secure Data Access with AWS

A Team or Organization Admin must complete the following tasks:

    1. Create an AWS S3 Private bucket, permission policy, and role.
      1. Have your DevOps team create a new S3 private bucket, permission policy and a role. You can use an existing S3 bucket, but a new permission policy and role should be created.
        1. Permission Policy JSON example:
             "Version": "2012-10-17",
             "Statement": [
                   "Sid": "AllowReadOnlyOperations",
                   "Effect": "Allow",
                   "Action": [
                   "Resource": [
        2. Role example:

          1. Create new IAM role for S3.

          2. Select permission policy created in earlier step.

          3. Give the role any name.

          4. Copy the role’s ARN (AWS Resource Name) and region (ex: us-west-2) to provide to the Figure Eight platform in a later step.

          5. Set up the Trust Relationship.
            ExternalID and AWS Account ID will be provided when completing Step 2.5

            1. Trust Relationship JSON Example:

                 {
                   "Version": "2012-10-17",
                   "Statement": [
                     {
                       "Effect": "Allow",
                       "Principal": {
                         "Service": ""
                       },
                       "Action": "sts:AssumeRole"
                     },
                     {
                       "Effect": "Allow",
                       "Principal": {
                         "AWS": "arn:aws:iam::F8-AWS-Account-ID:root"
                       },
                       "Action": "sts:AssumeRole",
                       "Condition": {
                         "StringEquals": {
                           "sts:ExternalId": "insert string after completing step 2.5"
                         }
                       }
                     }
                   ]
                 }




    2. Create a Storage Integration
        1. Login to your Figure Eight account and go to Account > Data & Security in your Account settings page.
          1. If you cannot find Data & Security, please reach out to your Figure Eight Customer Success Manager.
        2. Click Create New Secure Storage
        3. Fill in the details from AWS in this form.
          Storage CML Name: a name you define; this is what will be referenced within your data set.
          • Note: There is a 10-character (maximum) limit for the Storage CML Name.
        1. Copy the External ID and provide this to your DevOps team. They will need to update the AWS Role Trust Relationship (step 1.1.2).
        2. Once the above steps have been completed, the new Storage Provider integration should be listed as "Pending". Additionally, the “External ID” and “Figure Eight Account ID” values will be displayed in the Secure Storage view.

      1. After your DevOps team has updated the Role Trust Relationship with your External ID and Figure Eight Account ID, please notify your Figure Eight Customer Success Manager that this step is complete.
        1. The Figure Eight team will enable Secure Data Access after confirming that this has been set up.
      2. When the Figure Eight team has enabled the Storage Provider on the platform, you should see the status change from Pending to Active.
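An added example, not part of the original article or of Figure Eight's tooling: a Python check your DevOps team can run on the role's trust relationship once the External ID has been filled in. It reports any statement that lets an AWS account assume the role without naming the expected account or without the matching sts:ExternalId condition (the condition that stops a third party from having the vendor assume your role on its behalf); the account ID and External ID in the sample are constructed placeholders.

```python
import json

# Constructed sample: the account ID and external ID are placeholders, not real values.
GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")

def as_list(value):
    """IAM fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from an IAM ARN, or the bare account ID itself."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[0] == "arn" else principal

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for statements that let another AWS account assume the role."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {n}: wildcard principal")
            continue
        for aws in as_list(principal.get("AWS", [])):
            if aws == "*":
                findings.append(f"statement {n}: wildcard AWS principal")
            elif account_of(aws) != account_id:
                findings.append(f"statement {n}: unexpected account {account_of(aws)}")
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            ids = as_list(cond.get("sts:ExternalId", []))
            if not ids:
                findings.append(f"statement {n}: no sts:ExternalId condition")
            elif ids != [external_id]:
                findings.append(f"statement {n}: sts:ExternalId does not match")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, "111122223333", "EXAMPLE-EXTERNAL-ID") or "trust policy OK")
```

Pass the Figure Eight Account ID and External ID shown in the Secure Storage view as the two expected values; an empty list means the trust relationship matches them.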

  1. Verify access to your private content
    1. Set up a job that uses secure content and modify the CML tag as described below.
    2. In the job, secure data columns should be marked with a CML liquid tag in the job design. The CML liquid tag is the "Storage CML Name" that was configured during storage integration. For example, if a Storage Provider was created with a "Storage CML Name" of "secure_s3", then the job CML will have the following tag:
      1. <img src="{{image_url|secure:'secure_s3'}}">
      2. Note: When using videos with Secure Data Access, make sure to include the following tag in the CML section of your job: preload="auto"
    3. Confirm that the secure content is visible when previewing the job
      1. URLs for secure content should follow this format:
        1. s3://secure-bucket/image_1.jpg
    4. Please share the "Storage CML Name" with your team so they can start using private buckets for Figure Eight jobs. 

Additional Instructions: 

  1. You can update or delete an existing storage integration
    1. Please note that changing the "Storage CML Name" for a storage provider will prevent any existing jobs that use that name in the CML from accessing private S3 content. If the value of "Storage CML Name" is modified, the new value should be updated in the jobs accessing private data.
    2. Modifying AWS Resource Name or AWS Region Name will break the existing integration. 
  2. The team can set up multiple storage provider integrations
  3. Team admins can add storage provider integration for their teams
  4. Org admins can add storage provider integration for all the teams within the Org



