Transparency, Trust, and Compliance: PagerDuty’s GDPR Approach
PagerDuty is committed to championing our customers and protecting their data in compliance with applicable global privacy and data protection laws, including the General Data Protection Regulation (“GDPR”). We are also proud to be third-party verified by GDPRLocal.
What is the GDPR?
The GDPR is a European Union (EU) law that regulates how companies can collect, process, and share people’s personal data. It focuses on individual control over personal information and on transparency about how organizations handle, safeguard, and protect that data. The GDPR applies to all organizations that process the personal data of individuals in the EU, regardless of the organization’s location.
PagerDuty’s Role and Customer Personal Data
PagerDuty is generally a data processor to our customers when we provide our Services. We process Customer Personal Data on behalf of our customers and in accordance with their written instructions. We may also act as a data controller in relation to certain activities. You can read more about PagerDuty as a data controller in our Privacy Policy.
As a data processor, we understand that our customers entrust us with their data, and we take our commitment to privacy and security seriously. We have in-house privacy and security teams that are dedicated to maintaining a strong privacy program, and build privacy into our products by design.
How does PagerDuty comply with the GDPR?
Key Elements of PagerDuty’s Privacy Program
- Our Privacy Team has built a privacy program designed to comply with the GDPR and regularly evaluates and assesses its success. Our GDPR compliance has been third-party verified by GDPRLocal.
- Our Data Processing Addendum complies with and commits us to the terms of the GDPR, and incorporates the Standard Contractual Clauses to govern international transfers of data.
- We have a published Privacy Policy and other critical documentation available in our Assurance Portal.
- We assist our customers in meeting their obligations under the GDPR, including performing data protection impact assessments and fulfilling data subject access requests, such as the right to be forgotten.
- Our subprocessors page lists critical information about all of our subprocessors and includes an RSS feed subscription so that you can stay informed about any updates. Prior to engagement, we perform due diligence and risk assessments on all of our subprocessors, and maintain appropriate Data Processing Addenda consistent with applicable legal requirements.
- PagerDuty regularly provides training and awareness to its employees about data privacy and security, including key GDPR requirements.
Security and Protection
PagerDuty has implemented a comprehensive security program following industry standard physical, administrative, organizational and technical safeguards. For comprehensive information, please visit PagerDuty’s Assurance Portal. Some highlights include:
- Only PagerDuty-managed workstations can access PagerDuty protected resources. Workstations are configured to standards including, but not limited to, strong authentication, disk encryption, anti-malware, and endpoint detection and response (EDR) tools.
- PagerDuty’s Cloud Environment is both logically and physically separate from corporate offices and networks. PagerDuty logically separates production environments from test and development environments. The Cloud environment is protected using Cloud-native network security technologies including network security groups, Web Application Firewalls, access gateways, application load balancers and VPC configurations.
- PagerDuty uses state-of-the-art certified third-party data centers. All data centers comply with leading security practices and frameworks, including SOC 2, ISO 27001, and PCI DSS. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.
- PagerDuty encrypts data at rest using AES 256 or stronger, and encrypts data in transit using TLS 1.2 or above.
Data Residency and International Data Transfers
PagerDuty transfers and accesses data outside the EU. We protect Customer Personal Data in accordance with our Data Processing Addendum no matter where it is transferred or processed. Some ways that we protect Customer Personal Data include:
- Customers have the ability to choose the geographic region of the PagerDuty data centers that host their account. Learn more on our Service Regions page.
- We remain accountable to our customers whenever we use subprocessors. We require all subprocessors to undergo a due diligence process, including a risk assessment, and enter into written agreements to ensure that Customer Personal Data remains adequately protected.
- When we transfer Customer Personal Data outside of the European Economic Area, United Kingdom, and Switzerland to countries without adequacy decisions, PagerDuty employs an appropriate transfer mechanism (such as the Standard Contractual Clauses) and performs a Data Transfer Impact Assessment, including adoption of any necessary supplemental measures.
- PagerDuty is self-certified to the E.U.–U.S. Data Privacy Framework, the U.K. Extension, and the Swiss-U.S. Data Privacy Framework. For more information about PagerDuty’s commitment to these Data Privacy Frameworks, please see our Privacy Policy.
Capitalized terms on this page are defined according to the Data Processing Addendum.