Strong Authentication with PUSH notifications GDPR queries

Article ID: 137503

Updated On:

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)
CA Strong Authentication
CA Risk Authentication
CA Advanced Authentication

Issue/Introduction

The customer wants to implement push notifications as the 2nd factor authentication method. The customer will rely on Google Firebase for this and use the out-of-the-box CA Mobile Authenticator app. Due to GDPR concerns, please help answer the questions below:

1) When a user no longer exists in the Strong Authentication organization, are his/her details removed immediately from the Firebase database?

2) If not, how long is this data kept in the DB? 

3) When using Strong Authentication with the out-of-the-box push notification implementation (meaning we use the FCM server key that comes by default with the CA Adapter), is it possible for us to perform any user management operations (via the provided APIs), like removing a user from the Firebase DB?

4) Is Broadcom able to differentiate between push notifications sent by different customers in the Firebase console? Can we request Broadcom to provide an activity report regarding push notifications for our implementation, for example? Because from what I understand, most of the customers will use the push notification feature with the default server key. So I assume that details about all the transactions that use the same server key will be visible in one instance of the Firebase console.

5) Whenever there are delivery issues with push notifications, will Broadcom support provide us details from the Firebase console end? For example, we can see in the Strong Authentication logs that the push notification was relayed to Google Firebase but the user did not receive it.

6) In case we use a different FCM server key on our CA Adapter implementation for push notifications, will this give us access to a Firebase console where we can see all the transactions related to our company?

Environment

Release : 9.1

Component : AuthMinder(Arcot WebFort)

Resolution

1) When a user no longer exists in the Strong Authentication organization, are his/her details removed immediately from the Firebase database? 

Google Firebase is GDPR compliant. Please refer to the link below for more information: https://firebase.google.com/support/privacy

2) If not, how long is this data kept in the DB? 

Google FCM is GDPR compliant.

3) When using Strong Authentication with the out-of-the-box push notification implementation (meaning we use the FCM server key that comes by default with the CA Adapter), is it possible for us to perform any user management operations (via the provided APIs), like removing a user from the Firebase DB?

No, it is not possible. The FCM key is provided by us and we have an account with Google FCM, so the customer cannot do anything from their side in this.

4) Is Broadcom able to differentiate between push notifications sent by different customers in the Firebase console? Can we request Broadcom to provide an activity report regarding push notifications for our implementation, for example? Because from what I understand, most of the customers will use the push notification feature with the default server key. So I assume that details about all the transactions that use the same server key will be visible in one instance of the Firebase console.

This needs some help from internal teams. Multiple customers use the same ServerKey, so differentiation may not be possible, and it will be on a per-request basis only. We send user and org information at the time of Auth, so that can be a lookup identifier.

5) Whenever there are delivery issues with push notifications, will Broadcom support provide us details from the Firebase console end? For example, we can see in the Strong Authentication logs that the push notification was relayed to Google Firebase but the user did not receive it.

We have not had any issues as of now, and none of the customers have reported any issues about delivery. Issues were on the product side in the past, but the answer would be Yes if that is needed, and we can work with engineering.

6) In case we use a different FCM server key on our CA Adapter implementation for push notifications, will this give us access to a Firebase console where we can see all the transactions related to our company? 

Yes, in that case you can build your own Push app and manage the account. We provide a Mobile SDK to do that.