What is GDPR?
The European Union General Data Protection Regulation (GDPR) is the primary law regulating how companies protect EU citizen’s personal data. Expected to take effect May 25, 2018, the regulation gives individuals broad rights to their data, and creates strong safeguards for the processing of any data. Any company that processes or stores customer data in the EU must be ready for GDPR by its effective date.
Will PagerDuty be compliant with GDPR?
PagerDuty is aware of the EU GDPR which goes into effect in May 2018 and will be compliant by the effective date. PagerDuty will execute a Data Processing Agreement (DPA) today, which pertains to how PagerDuty uses and protects Personally Identifiable Information acting in the Processor Role. For more information, please contact privacy@pagerduty.com.
How has PagerDuty prepared for GDPR?
PagerDuty is committed to protecting customer data and privacy, and we take our obligations regarding data compliance seriously and transparently. Like many cloud service providers, we are reviewing our data protection program and making adjustments to ensure compliance with the General Data Protection Regulation (“GDPR”) by its effective date.
PagerDuty’s ongoing commitment to data protection is evidenced in a variety of ways:
- PagerDuty only uses trusted, certified US datacenters, and does not participate in offshore data activities. Both AWS and Azure carry with them certifications, including ISO 27001 and SOC.
- PagerDuty currently enters into EU-approved Standard Contractual Clauses with customers to ensure adequate protections for the privacy of EU data subjects and compliance with the regulation.
- PagerDuty is currently in the process of self-certifying with the EU-US and Swiss-US Privacy Shield and can expect participation in the coming months.
- PagerDuty is currently in the process of obtaining a SOC-2, Type II report, anticipated to be provided within the next several months.
- All data in transit and at rest is encrypted.
What is considered “personally identifiable information” (PII)?
Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
What customer PII data is collected?
PagerDuty requires the following categories of data in order to deliver the services provided on the PagerDuty platform:
- First and last name
- Email address
- Phone number
Where will customer PII data be stored?
Customer PII data is stored in ISO 27001 / FedRAMP certified data centers. This complies with GDPR, as the regulation governs the protection of customer data and does not require EU data residency.
How do you provide for the adequate transfer of data outside of the EU?
The EU provides for approved mechanisms for transferring data outside of the EU, one of which is the Standard Contractual Clauses between data controllers (you) and processors (PagerDuty). PagerDuty’s Data Processing Agreement contains the Standard Contractual Clauses stipulating how we use and protect Personally Identifiable Information acting in the Processor role. This is a key requirement for compliance with GDPR. For more information, please contact privacy@pagerduty.com.