My company uses PagerDuty and would like to have a Data Processing Addendum (DPA) in place. How do I go about getting one?
PagerDuty's Data Processing Addendum is available here: https://www.pagerduty.com/data-processing-addendum/. When you agree to the PagerDuty Terms of Service, or sign your Order Form incorporating them, you also agree to the PagerDuty DPA which is incorporated by reference within the Terms of Service.
How can customers enter into EU Standard Contractual Clauses with PagerDuty?
The PagerDuty DPA includes the Standard Contractual Clauses as an attachment to the DPA, so no additional action is required to include them.
How does PagerDuty demonstrate compliance with privacy laws?
PagerDuty maintains various policies demonstrating compliance here: https://www.pagerduty.com/legal/.
Additionally, the PagerDuty Terms of Service includes our Data Processing Addendum, which covers various privacy laws, and the EU Standard Contractual Clauses.
Finally, the PagerDuty Privacy team monitors and implements privacy requirements from the applicable privacy laws to ensure ongoing compliance.
Where can I go with privacy questions that are still not answered here?
Privacy Shield and Schrems II:
How is PagerDuty responding to the Schrems II ruling and the invalidation of Privacy Shield?
While PagerDuty remains compliant with its commitments under the Privacy Shield Framework, PagerDuty uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and Sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, PagerDuty couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers.
PagerDuty is closely monitoring the privacy landscape in light of the Schrems II decision and the ongoing updates from various EU supervisory authorities. Please see below for additional answers to how PagerDuty remains compliant with the EU General Data Protection Regulation (GDPR) considering new recommendations stemming from Schrems II.
What is the valid transfer mechanism implemented by PagerDuty for transfers of Personal Data from the European Economic Area (EEA) to third countries?
PagerDuty includes the Standard Contractual Clauses as part of its customer Data Processing Addendum. PagerDuty also includes Standard Contractual Clauses in its Sub-processor agreements.
What adequate level of protection does PagerDuty offer?
PagerDuty maintains administrative, technical, and organizational security measures to protect Personal Data outlined in the PagerDuty Data Security Policy located here: https://www.pagerduty.com/data-security-policy/.
Included in PagerDuty's Data Security Policy are a range of technical and organizational measures, such as encryption at rest and in transit over public networks, that address the core deficiencies cited in the Schrems II decision—bulk interceptions under EO 12333 and bulk surveillance under FISA § 702.
Is PagerDuty eligible to receive a FISA § 702 directive in connection with the Services?
PagerDuty has not been found by any court to be the type of entity eligible to receive process issued under FISA Section 702 (i.e., an "electronic communication service provider" within the meaning of 50 U.S.C. § 1881(b)(4) or a member of any of the categories of entities described within that definition).
What about "upstream" or bulk surveillance orders under FISA § 702?
Even if PagerDuty were deemed an electronic communication service provider as to some of its services, as the U.S. government has interpreted and applied FISA § 702, PagerDuty is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—a 702 order for "upstream" surveillance. As the U.S. Government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). PagerDuty does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.