Preparing for the GDPR

Written by Anna Burman

The General Data Protection Regulation (GDPR) is approaching and will set the bar high with regard to protecting the integrity of the individual in the EU. ElephantSQL is currently working on preparing our business for compliance. This post is intended to give our customers an update on our current status with regard to the GDPR.

The General Data Protection Regulation (GDPR) is the new legal regulation for personal data, applying to all organizations operating within the EU (as well as non-EU organizations whose customers are individuals in the EU zone). The definition of personal data under the GDPR has been boiled down to “any information relating to an identified or identifiable person”.

The purpose of the GDPR is to harmonize the data protection laws across all member countries of the EU in order to strengthen the integrity of the individual. The law will come into effect on May 25th, 2018.

The GDPR applies to both data controllers and data processors. The data controller is the party who determines the purposes and the manner in which personal data is processed, while the data processor is a third party processing personal data on behalf of the controller.

What does this mean?

This means that ElephantSQL is both a data controller and a data processor. We are a data controller in the sense that we store personal data such as your email address, billing address, etc. But as a cloud hosting company providing the service on which your data resides, our main responsibility is that of a data processor, processing your data.

What is ElephantSQL doing?

We are currently working on becoming GDPR compliant. To that end, we are examining and updating our internal data systems and processes to make sure we are compliant by May. We will also update our Terms of Service and Privacy Policy in line with the GDPR requirements. We will send information about this to all our customers once this process is finished (which will be before May 25th).

Further, a Data Processing Agreement (DPA) must exist between the data controller and the data processor in cases where the data controller is affected by the GDPR. The data controller is affected by the GDPR if it controls personal data of end users in the European Union. The DPA lays out the foundation of the obligations involved in the data processing.

Soon (sometime during the upcoming month), we will be releasing a DPA to allow our customers to continue to lawfully transfer EU personal data to ElephantSQL when the GDPR goes into effect. Once the DPA is available we will send you an email. At the same time, we are also in the process of signing DPAs with our sub-processors.

How ElephantSQL handles your data

ElephantSQL does not know what kind of data you are handling while using our service. We don't look at your data, we don't copy your data to any server other than yours, and all data is encrypted in transit. Data can also be encrypted at rest for additional security, but such encryption has to be handled by you. Therefore, we don't (and will not) "manage" personal data, which means that if you store personal data in your database, we will not know.

The data you store in ElephantSQL is stored until you remove the data from the database. Backups are deleted after 30 days.

What are the datacenters doing?

When using ElephantSQL, you can choose between seven data centers for hosting your data. Below you will find links to what each particular data center is doing with regard to the GDPR:

Further information

If you have any questions about the GDPR and your use of ElephantSQL, feel free to email