Region-Specific Data Privacy Laws
PagerDuty is proud to support the digital operations of customers across the globe and protect their data in compliance with applicable global privacy and data protection laws. This page outlines some additional information about how PagerDuty addresses several data privacy laws with respect to our products.
This page is intended for PagerDuty customers, and describes how we treat Customer Personal Data (as that term is defined in our online Data Processing Addendum) when we provide our Services to and at the direction of our customers (i.e., in our role as a processor and/or service provider). PagerDuty also conducts certain activities for our own purposes, such as marketing, recruiting, and service usage (and in those cases, acts as a controller and/or business). To read more about PagerDuty’s privacy practices in that context, please view our Privacy Policy.
CCPA/CPRA (California)
What are the CCPA and CPRA?
The California Consumer Privacy Act is a California state law that was amended and expanded by the California Privacy Rights Act (“CPRA”) (together, the “CCPA”). The CCPA regulates how businesses collect, use, and share personal data, and grants individuals specific rights regarding their personal data. It applies to for-profit businesses that operate in California and meet certain thresholds, regardless of where the business is physically located. Businesses must provide clear notice about their data practices and honor individuals’ rights, including, among others, the right to know how their personal data is collected and used, the right to request deletion, the right to correct inaccurate information, and the right to opt out of sales of their personal data.
What is PagerDuty’s role in processing Customer Personal Data?
PagerDuty is generally a service provider to our customers when we provide our Services. We process Customer Personal Data on behalf of our customers and in accordance with their written instructions. You can read more about how PagerDuty handles Customer Personal Data in our Data Processing Addendum.
Does PagerDuty “sell” or “share” Customer Personal Data?
No. Per the terms of our Data Processing Addendum, PagerDuty does not “sell” or “share” Customer Personal Data in our role as a service provider, as those terms are defined in the CCPA.
How does PagerDuty help its Customers comply with the CCPA?
As a service provider, PagerDuty cooperates with customers and assists them in fulfilling their obligations under the CCPA. Some of these measures include: assistance with, and fulfillment of, data subject requests; comprehensive privacy and security programs; development and implementation of incident response and security breach notification policies and procedures; and an appropriate Data Processing Addendum, which includes a specific section addressing CCPA requirements (Section 9).
GDPR (European Union)
For information on how PagerDuty complies with the GDPR, please see PagerDuty’s Privacy Knowledge Paper, “Transparency, Trust, and Compliance: PagerDuty’s GDPR Approach”. PagerDuty is self-certified under the E.U.-U.S. Data Privacy Framework, the U.K. Extension to the E.U.-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. We are proud that our GDPR compliance has been third-party verified by GDPRLocal.
PIPEDA (Canada)
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act, or PIPEDA, is a Canadian federal law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities. It applies to organizations that conduct commercial activities within Canada and process the personal information of Canadian individuals, regardless of the organization’s location. PIPEDA is built on ten fair information principles, which organizations must follow when handling personal information.
How does PagerDuty address PIPEDA’s ten fair information principles?
- Accountability: PagerDuty’s in-house Privacy Team has built a privacy program designed to comply with global data privacy laws, including PIPEDA, and regularly evaluates and assesses its success. Our privacy program includes the development and implementation of policies and procedures regarding the protection of customer data and personal information, and all employees are required to complete data privacy and security training at least annually.
- Identifying purposes: PagerDuty’s Data Processing Addendum identifies the specific and limited purposes for which PagerDuty collects and processes Customer Personal Data. And when PagerDuty collects and processes personal information for our own purposes, we clearly identify those purposes in our Privacy Policy.
- Consent: PagerDuty obtains consent from its Customers for the processing and use of Customer Personal Data via our Data Processing Addendum. When PagerDuty collects and processes data directly from end users, we also collect consent to our Privacy Policy.
- Limiting collection: PagerDuty requires only a minimal amount of personal information from its end users in order to make use of the Services, and Customers agree not to provide any sensitive or special categories of personal information.
- Limiting use, disclosure, and retention: PagerDuty only uses, discloses, and retains Customer Personal Data as agreed upon in our Data Processing Addendum. As specified in the DPA, PagerDuty does not “sell” or “share” Customer Personal Data. PagerDuty only discloses Customer Personal Data to subprocessors that have undergone a due diligence process, including a risk assessment, and have entered into written agreements to ensure that Customer Personal Data remains adequately protected. Customers have the option to request the return or destruction of their confidential information per the applicable Terms of Service.
- Accuracy: PagerDuty Customers and their end users have control over the personal information they submit via the platform and its accuracy, and can update or modify their information at their discretion.
- Safeguards: PagerDuty has implemented a comprehensive security program following industry standard physical, administrative, organizational and technical safeguards. For more information, please visit PagerDuty’s Assurance Portal.
- Openness: PagerDuty is committed to ensuring that our Customers and end users understand how their personal information is processed (see our Data Processing Addendum and Privacy Policy), how PagerDuty protects it (see our Assurance Portal), and how PagerDuty complies with global data privacy laws (in addition to this page, please see our knowledge paper on PagerDuty’s GDPR Approach).
- Individual access: PagerDuty Customers and their end users have access to and control over the personal information they submit via the platform. The user interface allows end users to update or modify their information at their discretion. Our Privacy Team (privacy@pagerduty.com) also fulfills other data subject requests, such as the rights to access or deletion.
- Challenging compliance: PagerDuty takes compliance with PIPEDA seriously. If you have concerns about our compliance, please contact our Privacy Team at privacy@pagerduty.com.
Privacy Act 1988 (Australia)
What is the Privacy Act 1988?
The Privacy Act 1988 (the “Act”) is an Australian federal privacy law that regulates the collection, use, and disclosure of personal information of Australian individuals by both government and private sector organizations, including foreign organizations that conduct business in Australia. The Act includes the Australian Privacy Principles (“APPs”), a set of 13 principles that create core privacy standards covering the handling of personal information and individual access rights.
How does PagerDuty comply with the Privacy Act and the Australian Privacy Principles?
Like many other data privacy laws, the Act and the APPs grant individuals various rights, including the rights to know why their personal information is collected, how it is used, and to whom it is disclosed, and to access and correct their personal information. These, and other individual rights granted under data privacy laws, are generally referred to as data subject rights. As described in our Data Processing Addendum with respect to Customer Personal Data, as well as in our Privacy Policy more generally, PagerDuty assists customers with, and fulfills, data subject requests as required. Those documents also disclose how we handle the personal information of our customers and their end users.
In addition to meeting the required disclosures and individual rights, PagerDuty also addresses the Act and the APPs with our in-house privacy and security teams, which are dedicated to maintaining strong privacy and security programs. Our privacy program has been built to comply with global data privacy laws, and we regularly evaluate and assess its success. We have also implemented a comprehensive security program following industry standard physical, administrative, organizational and technical safeguards.
Capitalized terms on this page are defined according to the Data Processing Addendum. Please note that this content is intended for general information purposes only and is not a substitute for professional legal advice.