The General Data Protection Regulation (GDPR) is an EU regulation on data security and privacy related to personal data. GDPR applies to all organizations operating within the EU as well as to non-EU organizations offering goods or services or monitoring the behavior of data subjects in the Union. The definition of personal data under GDPR is defined as any information relating to an identified or identifiable person. The purpose of GDPR is to coordinate the data protection laws across all EU member countries to strengthen the integrity of an individual’s data.
GDPR applies to both Data Controllers and Data Processors. A Data Controller is the party that determines the purpose and the manner in which personal data is processed. A Data Processor is a third-party that processes personal data on behalf of the Data Controller. This means that ElephantSQL acts as both a Data Controller and a Data Processor.
ElephantSQL is a Data Controller as we store personal data of our customers, such as email addresses, billing addresses, etc. Nevertheless, as a cloud hosting company providing a service (SaaS) and handling data, our main responsibility is as a Data Processor.
ElephantSQL follows GDPR’s rules for proper storage of personal data, and we honor the rights of individuals such as the right to be informed, the right of access, the right of rectification, and the right to be forgotten. Our ambition is to constantly work with integrity, honesty, transparency, and responsibility towards our customers. We have a Privacy Policy where we state how information in our care is handled.
ElephantSQL is compliant with GDPR and has executed Data Processing Agreements (DPAs) with our subprocessors (including cloud infrastructure providers) and other suppliers when applicable. We also include a DPA as an exhibit to our Terms of Service, meaning that if your business is covered by the GDPR, you’re enrolled in our DPA by default when signing up to our service. This makes it easy to continue to lawfully transfer EU personal data when using ElephantSQL. You can find our DPA here. Customers from other providers (Heroku, AWS Marketplace, Azure Marketplace, etc.) should email us to request access to our DPA.
ElephantSQL doesn't physically host any of the servers involved in our cloud hosting service. Instead, we use data centers provided by external cloud platforms (e.g. Amazon Web Services, Azure, and Google Cloud Platform). Customers are in full control as to where their data is hosted by choosing the region for the data center.
All data that 84codes holds about its customers is encrypted both at rest and in transit. All data that the Data Controller inserts to the service is encrypted at rest by default on 84codes' side (at the cloud platforms that support it). Data in transit can be encrypted by the Data Controller for additional security.
Further, ElephantSQL has no knowledge of what kind of data is being handled by customers using the service. Employees of ElephantSQL do not look at customer data nor do they copy data to a server other than the one chosen. All data stored in the service is stored until the customer removes the data, either manually or by policies. Backups (where applicable) are deleted after 30 days. Therefore, ElephantSQL doesn't (and will not) "manage" personal data. Meaning that if customers use our service for processing personal data - we will not know.
We take GDPR seriously, and we’re applying GDPR standards to all our data processing, not just EU personal data. This gives our customers peace of mind that their data meets protection regulatory frameworks around the world when using ElephantSQL.
We have taken several measures to comply with GDPR, which are as follows below:
Our internal policies and processes are updated with the latest GDPR regulations. This includes everything from our Information Security Program, Business Continuity Plan, how we train our staff in security, and how we train staff to handle personal data. We have also made an inventory of what personal data we handle internally, as well as creating a data flow mapping of personal data.
Our DPA is an exhibit of our Terms of Service. Meaning that if your business is covered by the GDPR, you’re enrolled in our DPA per default when signing up for our service. Our DPA meets GDPR requirements and reflects our data privacy and security commitments to our customers and their data. You can read our DPA here.
A certain amount of confidence is needed when relying on third-party vendors to handle your data. We understand that even small gaps in security coverage can put everything at risk including data, customer information, uptime, and potentially a company’s reputation. Therefore, we want to ensure our customers that security is something we prioritize above anything else.
A well-built environment starts with high coding standards that guard against attempted security breaches. Our system components undergo tests and source code reviews to assess the security level before being added to our code in production. We use SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or, in the event of a security advisory, from external security centers. Data at rest can be encrypted for additional security, and IP allows listing is also an option.
If you want to know more about how we’re dealing with customer data, please read our Security Policy.
We have updated our Information Security Program in regard to the GDPR regulations and specified the escalation process and requirements for customer notifications in case of a breach.
External suppliers or subprocessors are required to meet the same security standards as we have in place (at a minimum). We also make sure that they are GDPR compliant when entering into a business agreement with them and sign a DPA with them when applicable.
When using ElephantSQL, customers choose between five data centers as the location that hosts their data. Below are links to what each particular data center has in place with regard to GDPR:
If you have any questions in regards to GDPR and your use of ElephantSQL, or other legal or security-related questions, feel free to email compliance@elephantsql.com.
The General Data Protection Regulation (GDPR) is a European privacy law that was enforced on May 25, 2018. The GDPR will apply as a single data protection law throughout the EU. The law governs the way that businesses collect, use, and share personal data about individuals of the EU. Among other things, it requires firms to process an individual’s personal data fairly and lawfully and allows individuals to exercise legal rights in respect of their data. For example, to access, correct, or delete their personal data. The law also ensures that appropriate security protections are put in place to protect the personal data that are being processed.
The GDPR applies to all entities and individuals based in the EU, as well as entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes data that is obviously personal, such as an individual’s name or contact details, as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
Yes, if the individual developer (i.e. using our service as a private person) is processing personal data of EU individuals.
Yes. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is an exhibit of our Terms of Service.
Yes. Our customers who wish to share the DPA with their customers to confirm our security measures are allowed to do so.
ElephantSQL is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we are storing (customer-related) personal data such as email addresses, billing addresses, etc. But as a cloud hosting company providing a service (SaaS) where customer data resides, our main responsibility is as a Data Processor.
We have conducted an analysis of our operations to ensure we comply with the new requirements of the GDPR. We have, with the help of external advisors, reviewed our services, Term of Service, Privacy Policy, and arrangements with third parties for compliance with the GDPR. The work of being GDPR compliant is a continuous process. Thus, we are constantly up-to-date with eventual changes in the GDPR to stay compliant.
In our role as Data Controller, we may collect and store contact information when customers sign up for our services or seek support help. The information we store includes data such as our customers’ email addresses and physical addresses for billing purposes. We may also collect other identifying information from our customers, such as IP address, Paypal ID, SSH public keys, or Oauth tokens for external services. You can read more in our Privacy Policy.
Separately, we act as a Data Processor when customers use our service to process personal data belonging to individuals in the EU. Our customers decide what personal data (if any) is sent via our services.
No, we don’t have a formal DPO. However, we have a Compliance Manager responsible for compliance. Her name is Anna Burman, and she can be reached at compliance@84codes.com.
Please note that this page is for informational purposes only, and should not be considered legal advice.