Privacy FAQ

General:

Privacy Shield and Schrems II:

  • How is PagerDuty responding to the Schrems II ruling and the invalidation of Privacy Shield?

    While PagerDuty remains compliant with its commitments under the Privacy Shield Framework, PagerDuty uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and Sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, PagerDuty couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers.

    PagerDuty is closely monitoring the privacy landscape in light of the Schrems II decision and the ongoing updates from various EU supervisory authorities. Please see below for additional answers to how PagerDuty remains compliant with the EU General Data Protection Regulation (GDPR) considering new recommendations stemming from Schrems II.

  • What is the valid transfer mechanism implemented by PagerDuty for transfers of Personal Data from the European Economic Area (EEA) to third countries?

    PagerDuty includes the Standard Contractual Clauses as part of its customer Data Processing Addendum. PagerDuty also includes Standard Contractual Clauses in its Sub-processor agreements.

  • What adequate level of protection does PagerDuty offer?

    PagerDuty maintains administrative, technical, and organizational security measures to protect Personal Data, as outlined in the PagerDuty Data Security Policy located here: https://www.pagerduty.com/data-security-policy/.

    PagerDuty's Data Security Policy includes a range of technical and organizational measures, such as encryption at rest and in transit over public networks, that address the core deficiencies cited in the Schrems II decision—bulk interceptions under EO 12333 and bulk surveillance under FISA § 702.

  • Is PagerDuty eligible to receive a FISA § 702 directive in connection with the Services?

    PagerDuty has not been found by any court to be the type of entity eligible to receive process issued under FISA Section 702 (i.e., an "electronic communication service provider" within the meaning of 50 U.S.C. § 1881(b)(4) or a member of any of the categories of entities described within that definition).

  • What about "upstream" or bulk surveillance orders under FISA § 702?

    Even if PagerDuty were deemed an electronic communication service provider as to some of its services, as the U.S. government has interpreted and applied FISA § 702, PagerDuty is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—a 702 order for "upstream" surveillance. As the U.S. government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). PagerDuty does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.