The General Data Protection Regulation (GDPR) is an EU regulation on data security and privacy related to personal data, applying to all organizations operating within the EU (as well as non-EU organizations with customers who are individuals in the EU zone). The definition of personal data under GDPR has been boiled down into “any information relating to an identified or identifiable person”. The purpose of GDPR is to harmonize the data protection laws across all member countries of the EU to strengthen the integrity of the individual.
GDPR applies to both Data Controllers and Data Processors. The Data Controller is the party who determines the purposes and the manner in which personal data is processed. While the Data Processor is a third-party processing personal data on behalf of the Data Controller.
This means that ElephantSQL is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we are storing personal data such as your email address and billing address etc. But as a cloud hosting company providing a service (SaaS) where your data resides on, our main responsibility is as a Data Processor, processing your data.
As a customer at ElephantSQL, we have made sure that you can follow GDPR. You decide for yourself where you want to host your data by choosing the region of your data center. ElephantSQL is compliant w ith GDPR and has executed Data Processing Agreements (DPAs) with our subcontractors (including our cloud infrastructure providers), and other suppliers. We also provide a DPA for GDPR, which allows our customers to continue to lawfully transfer EU personal data to ElephantSQL. The DPA is available for agreement in the customer console under the “Agreements”-section.
If you are a customer from another provider (Heroku, Azure Marketplace, IBM cloud, etc.), please send us an email to request access to our DPA.
ElephantSQL doesn’t know what kind of data you are handling while using our service. We don't look at your data, we don't copy your data, and all data can be encrypted in transit and can also be encrypted for additional security of data at rest, but such an encryption has to be handled by you. Therefore, we don't (and will not) "manage" personal data, which means that if you would store personal information data in your database - we will not know.
The data you store in ElephantSQL is stored until you remove the data from the database. Backups are deleted after 30 days.
We take GDPR seriously, and we’re applying GDPR standards to all our data processing, and not just EU personal data. That way, you will be well positioned with data protection regulatory frameworks around the world when using ElephantSQL.
We have taken several measures to comply with GDPR. Some of them are found below.
We have reviewed our internal policies and processes and updated them to be compliant with GDPR’s regulations. This concerns everything from our Data Retention Policy to Business Continuity Plan to how we train our staff in security and how to handle personal data. We have also made an inventory of what personal data we handle in our business, as well as a data flow mapping of personal data.
For all our customers who collect personal data from individuals in the EU, we offer a DPA. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”.
A DPO is a person at company/organization who is responsible for reviewing and reporting internal procedures regarding the handling of personal data. According to article 37 under the GDPR, a DPO must be appointed if:
84codes doesn’t apply to any of these criteria, but because of our dedication to the integrity of our customers, we have decided to appoint a DPO even though we’re not legally obligated to do so. Our DPO is Lovisa Johansson, she has more than 10 years of experience in programming and has been working with the GDPR implementation at 84codes. She can be reached at firstname.lastname@example.org .
A certain amount of confidence is needed when relying on third party-vendors to manage and handle your online data securely. We understand that even small gaps in security coverage can put everything at risk including your data, customer information, uptime, and potentially a company’s reputation. Therefore, we want to ensure you that security is something we prioritize above anything else.
A well-built environment start with high coding standards that guard against attempted security breaches. Our system components undergo tests and source code reviews to assess the security before we are adding our code to production. We use SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or in an event of a security advisory from external security centers. Data can be encrypted for additional security of data at rest. IP whitelisting is also an option.
If you want to know more about how we’re dealing with your data, please read our Security Policy. In which you can also find the Technical and Organizational Measures (TOMS) we have taken for GDPR compliance.
We have updated our internal breach management plan in regards to the GDPR regulations concerning the escalation process and requirements for notification.
When we work with external suppliers or subcontractors, we require them to apply at least the same security standards as us. We also make sure that they are GDPR compliant and establish a DPA with them when applicable.
When using ElephantSQL, you can decide between 7 data centers in regards to where to host your data. Below you find links to what each particular data center is working with in regards to GDPR:
The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will apply a single data protection law throughout the EU.
The law governs the way that businesses collect, use, and share personal data about individuals of the EU. Among other things, it requires firms to process an individual’s personal data fairly and lawfully and allowing individuals to exercise legal rights in respect of their data. For example, to access, correct or delete their personal data. The law also ensures that appropriate security protections are put in place to protect the personal data they process.
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals.
The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes data that is obviously personal, such as an individual’s name or contact details, as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
Yes, if the individual developer is a customer of ElephantSQL and they are processing the personal data of EU individuals when using our products and services.
ElephantSQL is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we are storing (customer related) personal data such as your email address and billing address etc. But as a cloud hosting company providing a service (SaaS) where your data resides on, our main responsibility is as a Data Processor, processing your data.
In our role as data controller, we may collect and store contact information, such as email address, and physical address, when customers sign up for our services or seek support help. We also may collect other identifying information from our customers, such as IP address, Paypal ID, SSH public keys or Oauth tokens for external services.
We separately act as a Data Processor when customers use our service to process personal data belonging to individuals in the EU. Our customers decide what personal data (if any) that is sent via our services.
Yes. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”.
Yes, if the customer is using ElephantSQL to process personal data belonging to individuals of the EU, a DPA has to be in place between ElephantSQL and the customer according to Article 28(3) in the GDPR.
Yes. Customers who wish to share the DPA with their customers to confirm our security measures are allowed to do so.
No. You are not required to notify any third party or us upon accepting our DPA.
Yes. Her name is Lovisa Johansson, and she can be reached at email@example.com
If you have any questions in regards to GDPR and your use of ElephantSQL, or other legal or security-related questions, feel free to email firstname.lastname@example.org
Please note that this page is for informational purposes only, and should not be considered legal advice.