Important Notice: ElephantSQL is shutting down. Read all about it in our End of Life Announcement

GDPR Compliance

ElephantSQL and GDPR

Introduction

The General Data Protection Regulation (GDPR) is an EU regulation on data security and privacy related to personal data. GDPR applies to all organizations operating within the EU as well as to non-EU organizations offering goods or services or monitoring the behavior of data subjects in the Union. The definition of personal data under GDPR is defined as any information relating to an identified or identifiable person. The purpose of GDPR is to coordinate the data protection laws across all EU member countries to strengthen the integrity of an individual’s data.

DATA CONTROLLER VS. DATA PROCESSOR

GDPR applies to both Data Controllers and Data Processors. A Data Controller is the party that determines the purpose and the manner in which personal data is processed. A Data Processor is a third-party that processes personal data on behalf of the Data Controller. This means that ElephantSQL acts as both a Data Controller and a Data Processor.

ElephantSQL is a Data Controller as we store personal data of our customers, such as email addresses, billing addresses, etc. Nevertheless, as a cloud hosting company providing a service (SaaS) and handling data, our main responsibility is as a Data Processor.

ELEPHANTSQL AS A DATA CONTROLLER

ElephantSQL follows GDPR’s rules for proper storage of personal data, and we honor the rights of individuals such as the right to be informed, the right of access, the right of rectification, and the right to be forgotten. Our ambition is to constantly work with integrity, honesty, transparency, and responsibility towards our customers. We have a Privacy Policy where we state how information in our care is handled.

ELEPHANTSQL AS A DATA PROCESSOR

ElephantSQL is compliant with GDPR and has executed Data Processing Agreements (DPAs) with our subprocessors (including cloud infrastructure providers) and other suppliers when applicable. We also include a DPA as an exhibit to our Terms of Service, meaning that if your business is covered by the GDPR, you’re enrolled in our DPA by default when signing up to our service. This makes it easy to continue to lawfully transfer EU personal data when using ElephantSQL. You can find our DPA here. Customers from other providers (Heroku, AWS Marketplace, Azure Marketplace, etc.) should email us to request access to our DPA.

ElephantSQL doesn't physically host any of the servers involved in our cloud hosting service. Instead, we use data centers provided by external cloud platforms (e.g. Amazon Web Services, Azure, and Google Cloud Platform). Customers are in full control as to where their data is hosted by choosing the region for the data center.

How ElephantSQL handles your data

All data that 84codes holds about its customers is encrypted both at rest and in transit. All data that the Data Controller inserts to the service is encrypted at rest by default on 84codes' side (at the cloud platforms that support it). Data in transit can be encrypted by the Data Controller for additional security.

Further, ElephantSQL has no knowledge of what kind of data is being handled by customers using the service. Employees of ElephantSQL do not look at customer data nor do they copy data to a server other than the one chosen. All data stored in the service is stored until the customer removes the data, either manually or by policies. Backups (where applicable) are deleted after 30 days. Therefore, ElephantSQL doesn't (and will not) "manage" personal data. Meaning that if customers use our service for processing personal data - we will not know.

ElephantSQL's Commitment to GDPR Compliance and Data Privacy

We take GDPR seriously, and we’re applying GDPR standards to all our data processing, not just EU personal data. This gives our customers peace of mind that their data meets protection regulatory frameworks around the world when using ElephantSQL.

We have taken several measures to comply with GDPR, which are as follows below:

POLICIES AND PROCESSES

Our internal policies and processes are updated with the latest GDPR regulations. This includes everything from our Information Security Program, Business Continuity Plan, how we train our staff in security, and how we train staff to handle personal data. We have also made an inventory of what personal data we handle internally, as well as creating a data flow mapping of personal data.

DATA PROCESSING AGREEMENT (DPA)

Our DPA is an exhibit of our Terms of Service. Meaning that if your business is covered by the GDPR, you’re enrolled in our DPA per default when signing up for our service. Our DPA meets GDPR requirements and reflects our data privacy and security commitments to our customers and their data. You can read our DPA here.

SECURITY

A certain amount of confidence is needed when relying on third-party vendors to handle your data. We understand that even small gaps in security coverage can put everything at risk including data, customer information, uptime, and potentially a company’s reputation. Therefore, we want to ensure our customers that security is something we prioritize above anything else.

A well-built environment starts with high coding standards that guard against attempted security breaches. Our system components undergo tests and source code reviews to assess the security level before being added to our code in production. We use SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or, in the event of a security advisory, from external security centers. Data at rest can be encrypted for additional security, and IP allows listing is also an option.

If you want to know more about how we’re dealing with customer data, please read our Security Policy.

BREACH MANAGEMENT

We have updated our Information Security Program in regard to the GDPR regulations and specified the escalation process and requirements for customer notifications in case of a breach.

THIRD-PARTY SELECTION

External suppliers or subprocessors are required to meet the same security standards as we have in place (at a minimum). We also make sure that they are GDPR compliant when entering into a business agreement with them and sign a DPA with them when applicable.

Data Centers

When using ElephantSQL, customers choose between five data centers as the location that hosts their data. Below are links to what each particular data center has in place with regard to GDPR:

Further Information

If you have any questions in regards to GDPR and your use of ElephantSQL, or other legal or security-related questions, feel free to email compliance@elephantsql.com.

GDPR FAQ

WHAT IS THE GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that was enforced on May 25, 2018. The GDPR will apply as a single data protection law throughout the EU. The law governs the way that businesses collect, use, and share personal data about individuals of the EU. Among other things, it requires firms to process an individual’s personal data fairly and lawfully and allows individuals to exercise legal rights in respect of their data. For example, to access, correct, or delete their personal data. The law also ensures that appropriate security protections are put in place to protect the personal data that are being processed.

WHO DOES THE GDPR APPLY TO?

The GDPR applies to all entities and individuals based in the EU, as well as entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes data that is obviously personal, such as an individual’s name or contact details, as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

DOES THE GDPR APPLY TO AN INDIVIDUAL DEVELOPER USING THE SERVICE?

Yes, if the individual developer (i.e. using our service as a private person) is processing personal data of EU individuals.

DO YOU PROVIDE A DATA PROCESSING AGREEMENT (DPA)?

Yes. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is an exhibit of our Terms of Service.

CAN A CUSTOMER OF YOURS SHARE THE DPA WITH ITS CUSTOMERS?

Yes. Our customers who wish to share the DPA with their customers to confirm our security measures are allowed to do so.

WHAT IS YOUR ROLE UNDER GDPR?

ElephantSQL is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we are storing (customer-related) personal data such as email addresses, billing addresses, etc. But as a cloud hosting company providing a service (SaaS) where customer data resides, our main responsibility is as a Data Processor.

WHAT HAVE YOU DONE TO COMPLY WITH GDPR?

We have conducted an analysis of our operations to ensure we comply with the new requirements of the GDPR. We have, with the help of external advisors, reviewed our services, Term of Service, Privacy Policy, and arrangements with third parties for compliance with the GDPR. The work of being GDPR compliant is a continuous process. Thus, we are constantly up-to-date with eventual changes in the GDPR to stay compliant.

WHAT PERSONAL DATA DO YOU COLLECT AND STORE FROM YOUR CUSTOMERS?

In our role as Data Controller, we may collect and store contact information when customers sign up for our services or seek support help. The information we store includes data such as our customers’ email addresses and physical addresses for billing purposes. We may also collect other identifying information from our customers, such as IP address, Paypal ID, SSH public keys, or Oauth tokens for external services. You can read more in our Privacy Policy.

Separately, we act as a Data Processor when customers use our service to process personal data belonging to individuals in the EU. Our customers decide what personal data (if any) is sent via our services.

DO YOU HAVE A DATA PROTECTION OFFICER (DPO)?

No, we don’t have a formal DPO. However, we have a Compliance Manager responsible for compliance. Her name is Anna Burman, and she can be reached at compliance@84codes.com.

Please note that this page is for informational purposes only, and should not be considered legal advice.