General Data Protection Regulation
What is GDPR?
The European Union General Data Protection Regulation (GDPR) is the primary law regulating how companies protect EU citizen’s personal data. The regulation that took effect on May 25th, 2018 gives individuals broad rights to their data, and creates strong safeguards for the processing of any data. Any company that processes or stores customer data in the EU must be ready for GDPR by its effective date.
Will PagerDuty be compliant with GDPR?
PagerDuty is committed to ongoing GDPR compliance. PagerDuty will execute a Data Processing Agreement (DPA) with customers, which pertains to how PagerDuty uses and protects Personal Data acting in the Processor Role. For more information, please contact privacy@pagerduty.com.
How has PagerDuty prepared for GDPR?
PagerDuty is committed to protecting customer data and privacy, and we take our obligations regarding data compliance seriously and transparently. We have a GDPR core team comprised of senior members of our Legal, Security, and Product teams, dedicated to monitoring PagerDuty’s ongoing compliance. We have also updated our Privacy Policy to conform with the new requirements under the GDPR, and have self-certified with the EU-US and Swiss-US Privacy Shield Program.
PagerDuty’s ongoing commitment to data protection is evidenced in a variety of ways:
- PagerDuty only uses trusted, certified US datacenters, and does not participate in offshore data activities. Both AWS and Azure carry with them certifications, including ISO 27001 and SOC.
- PagerDuty enters into EU-approved Standard Contractual Clauses with customers to ensure adequate protections for the privacy of EU data subjects and compliance with the regulation.
- PagerDuty has self-certified with the EU-US and Swiss-US Privacy Shield and is pending formal confirmation to be listed on the Shield’s program.
- PagerDuty is currently in the process of obtaining a SOC-2, Type II report.
- All data in transit and at rest is encrypted.
What is considered “personally identifiable information” (PII)?
Personal Data is any information relating to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What customer PII data is collected?
PagerDuty requires the following categories of data in order to deliver the services provided on the PagerDuty platform:
- First and last name
- Email address
- Phone number
Where will customer PII data be stored?
Customer Personal Data is stored in ISO 27001 certified data centers. This complies with GDPR, as the regulation governs the protection of customer data and does not require EU data residency.
How do you provide for the adequate transfer of data outside of the EU?
The EU provides for approved mechanisms for transferring data outside of the EU, one of which is the Standard Contractual Clauses between data controllers (you) and processors (PagerDuty). PagerDuty’s Data Processing Agreement contains the Standard Contractual Clauses stipulating how we use and protect Personal Data when acting in the Processor role. This is a key requirement for compliance with GDPR. For more information, please contact privacy@pagerduty.com.