PagerDuty's Data Processing Addendum is available here: https://www.pagerduty.com/data-processing-addendum/. When you agree to the PagerDuty Terms of Service, or sign your Order Form incorporating them, you also agree to the PagerDuty DPA which is incorporated by reference within the Terms of Service.

The PagerDuty DPA includes the Standard Contractual Clauses, so no additional action is required to include them.

PagerDuty maintains various policies demonstrating compliance here: https://www.pagerduty.com/legal/.

Additionally, the PagerDuty Terms of Service includes our Data Processing Addendum, which covers various privacy laws, and the EU Standard Contractual Clauses.

Finally, the PagerDuty Privacy team monitors and implements privacy requirements from the applicable privacy laws to ensure ongoing compliance.

Please consult the PagerDuty Privacy Policy and https://www.pagerduty.com/legal/ generally. If you're still not having luck, you may direct specific questions to privacy@pagerduty.com.

PagerDuty uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and Sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, PagerDuty couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers.

PagerDuty closely monitors the privacy landscape and the ongoing updates from various EU supervisory authorities, including the release of new Standard Contractual Clauses from the European Commission in June 2021. Please see below for additional answers to how PagerDuty remains compliant with the EU General Data Protection Regulation (GDPR) considering new recommendations stemming from Schrems II.

PagerDuty includes the Standard Contractual Clauses as part of its customer Data Processing Addendum. PagerDuty also requires that all of its subprocessors enter into a DPA which includes Standard Contractual Clauses.

Yes, our DPA has been updated to include the new Standard Contractual Clauses effective September 27, 2021. New and current customers will be on these terms going forward.

For processing of Personal Data that's subject to UK data protection laws, the 2010 Standard Contractual Clauses will still apply, and they are incorporated into the DPA as well. If the UK Data Protection Law changes to require either the 2021 Standard Contractual Clauses, the use of a different form of Standard Contractual Clauses, or other equivalent agreement then PagerDuty will update the DPA to incorporate the required terms.

For processing of Personal Data that's subject to Swiss data protection laws, we’ve incorporated terms to include the FADP and Swiss Supervisory Authority into the DPA and new Standard Contractual Clauses.

PagerDuty maintains administrative, technical, and organizational security measures to protect Personal Data outlined in the PagerDuty Data Security Policy located here: https://www.pagerduty.com/data-security-policy/.

Included in PagerDuty's Data Security Policy are a range of technical and organizational measures, such as encryption at rest and in transit over public networks, that address the core deficiencies cited in the Schrems II decision—bulk Interceptions under EO 12333 and bulk surveillance under FISA § 702.

PagerDuty has not been found by any court to be the type of entity eligible to receive process issued under FISA Section 702 (i.e., an "electronic communication service provider" within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition).

Even if PagerDuty were deemed an electronic communication service provider as to some of its services, as the U.S. government has interpreted and applied FISA § 702, PagerDuty is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—a 702 order for "upstream" surveillance. As the U.S. Government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). PagerDuty does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.