Platform.sh DPA

This Data Processing Agreement (“DPA”) amends the terms and forms part of the Agreement (defined below) by and between the Customer as identified in the Agreement and the Platform.sh contracting entity specified below, together with its subsidiaries and affiliates, (“Platform.sh”) from which Customer is purchasing products and services of Platform.sh, and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date both parties execute this DPA in accordance with Section 1 below (“Effective Date”). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. Instructions and Effectiveness

1.1 This DPA has been pre-signed by our Data Protection Officer on behalf of Platform.sh. If you are a Platform.sh customer, and you have agreed to the Agreement, this DPA is automatically effective, as it forms part of the Agreement, and renders any prior DPA ineffective. Effective Date: 2023-08-04.

1.2 If the details of this DPA are not acceptable to the Customer, or the Customer would like to request a change, please contact us. Where Customer makes any deletions or other revisions to this DPA without the approval and updated signature of our Data Protection Officer, this DPA will be null and void.

1.3 If the Customer would like to be strictly bound by a paper copy, they can complete the following:

 To enter into a paper form of this DPA, Customer must:

(a) be a customer of Platform.sh

(b) complete the signature block below by signing and providing all relevant information; and  
(c) submit the completed and signed DPA to Platform.sh at dpo@platform.sh.

2. Data Protection

2.1 Definitions In this DPA, the following terms have the following meanings:

(a) “Agreement” means the written contract in place between Customer and Platform.sh in connection with the purchase of products and services by Customer. In the absence of a written contract in place, “Agreement” means Platform.sh’s online Terms of Service, found at https://platform.sh/tos/. 

(b) “Applicable Data Protection Law” means U.S. Data Protection Law and European Data Protection Law that are applicable to the processing of personal data under this DPA, as well as any analogous legislation in any jurisdiction as applicable, in each case, as amended, revised, or replaced from time to time.

(c) “controller,” “processor,” “data subject,” “personal data,” and “processing” (and “process”) have the meanings given in European Data Protection Law.

(d) “Customer Personal Data” means any personal data provided by (or on behalf of) Customer to Platform.sh in connection with the product and services, as further described in Annex II.

(e) “End Users” or “Users” means an individual the Customer permits or invites to use the product or services. For the avoidance of doubt: (a) individuals invited by End Users, (b) individuals under managed accounts, and (c) individuals interacting with a product or service as Customer’s customers are also considered End Users.

(f) “Europe” means for the purposes of this DPA, the Member States of the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland.

(g) “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) in respect of the United Kingdom of the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK Data Protection Law”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), in each case as may be amended, superseded, or replaced from time to time.

(h) “Security Incident” means any confirmed breach of security that leads to the accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Platform.sh and/or its Sub-processors in connection with the provision of the products and services. For the avoidance of doubt, "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(i) “special categories of personal data” or “sensitive data” means any Customer Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, (iii) relating to criminal convictions and offences, (iv) revealing government identifiers (such as social security numbers), an account log-in, financial account, debit card, or credit card number, password, or credentials allowing access to an account, or (v) relating to contents of mail, email, and text messages.

(j) “Sub-processor” means any processor engaged by Platform.sh to assist in fulfilling its obligations with respect to providing the products and services pursuant to the Agreement or this DPA where such entity processes Customer Personal Data.

(k) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

(l) “U.S. Data Protection Law” means those data protection or privacy laws and regulations within the United States, including the California Consumer Privacy Act (as amended) (the “CCPA”), including as modified by the California Privacy Rights Act of 2020 (the “CPRA”), upon the CPRA’s enforcement date of July 1, 2023, as applicable to Customer Personal Data.

2.2 Relationship of the parties: Where Applicable Data Protection Law provides for the roles of “controller,” “processor,” and “sub-processor”:

(a) Where Platform.sh processes Customer Personal Data on behalf of Customer in connection with the product and services, Platform.sh will process such personal data as a processor on behalf of Customer (who, in turn, processes such personal data as a controller or processor) and this DPA will apply accordingly. A description of such processing is set out in Annex II.

(b) Platform.sh is a controller for the overall Platform as a Service (PaaS) and our infrastructure control plane, as further explained in our Trust Center (https://platform.sh/trust-center/privacy/gdpr/). Where Platform.sh processes personal data as a controller, Platform.sh will process such personal data in compliance with Applicable Data Protection Law.

2.3 Description of processing: A description of the processing of personal data related to the product and services, as applicable, is set out in Annex II. Platform.sh may update the descriptions of processing to reflect new products, features, or functionality. Platform.sh will update relevant documentation to reflect such changes in our Trust Center, which the Customer can access at: https://platform.sh/trust-center/. 

2.4 Customer processing of personal data: Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Law, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Law for Platform.sh to process Customer  Personal Data (including but not limited to any special categories of personal data) and provide the product and services pursuant to the Agreement (including this DPA).

2.5 Platform.sh processing of personal data: When Platform.sh processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Platform.sh will process the Customer Personal Data for the purpose of performing its obligations under the Agreement, and only in accordance with Applicable Data Protection Laws, and the documented lawful instructions of Customer (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer’s End Users through the product or services) (the “Permitted Purpose”). Platform.sh will not retain, use, disclose, or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose except where otherwise required by law. Platform.sh will not “sell” Customer Personal Data within the meaning of U.S. Data Protection Law. Platform.sh will promptly inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.

2.6 Sensitive Data: If the processing involves Customer Personal Data revealing Sensitive Data, Platform.sh will apply specific restrictions and/or additional safeguards.

2.7 Confidentiality of processing: Platform.sh must ensure that any person that it authorizes to process Customer Personal Data (including Platform.sh staff, agents, and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty), and must not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.

2.8 Security: Platform.sh and, to the extent required under the Agreement, Customer, must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Platform.sh’s current technical and organizational measures are described in Annex III. Customer acknowledges that these measures are subject to technical progress and development and that Platform.sh may update or modify security measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the products and services.

2.9 Sub-processing: Customer agrees that Platform.sh may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by Platform.sh and authorized by Customer are listed in the privacy section of our Trust Center which can be found at https://platform.sh/trust-center/privacy. Platform.sh will: (i) enter into a written agreement, including DPAs and Standard Contractual Clauses (SCCs) where applicable, with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law (and in substance, to the same standard provided by this DPA); and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under Applicable Data Protection Law.

2.10 Changes to Sub-processors: Platform.sh must (i) make available an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer if it adds any new Sub-processors at least fifteen (15) days prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to Platform.sh’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties will discuss such concerns in a good faith attempt to achieve a resolution. If the parties are not able to achieve a resolution, Customer, as its sole and exclusive remedy, may terminate the parts of the service provided by the Sub-processor in question, or terminate the entire Agreement, if the service provided by the Sub-processor is essential. Customer will still be required to pay any past-due fees.

2.11 Cooperation obligations and data subjects’ rights:

(a) Taking into account the nature of the processing, Platform.sh must provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from a data subject, regulator or other third-party, in each case in respect of Customer Personal Data that Platform.sh processes on Customer’s behalf;

(b) In the event that any request, correspondence, inquiry, or complaint (referred to under paragraph (a) above) is made directly to Platform.sh, Platform.sh acting as a processor will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so, except as to direct the data subject to Customer. If Platform.sh is legally required to respond to such a request, Platform.sh will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so; and

(c) To the extent Platform.sh is required under Applicable Data Protection Law, Platform.sh will (at Customer’s request and expense) provide reasonably requested information regarding the products and services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to Platform.sh.

2.12 Security Incidents: Upon becoming aware of a Security Incident, Platform.sh will inform Customer without undue delay, taking into account the nature of processing and the information available to Platform.sh. Platform.sh will provide details relating to the Security Incident as they are discovered or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under Applicable Data Protection Law. Platform.sh will further take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Platform.sh’s notification of or response to a Security Incident in accordance with this Section 2.12 will not be construed as an acknowledgment by Platform.sh of any fault or liability with respect to the Security Incident.

2.13 Deletion or return of data: Upon written request from Customer, Platform.sh will delete or return to Customer all Customer Personal Data (including copies) processed on behalf of the Customer in compliance with the procedures and retention periods outlined in the DPA, and our Trust Center. This requirement does not apply to the extent Platform.sh is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Platform.sh will securely isolate and protect from any further processing, as further detailed in Annex III.

2.14 Audit:

(a) Customer acknowledges that Platform.sh is regularly audited by independent third-party auditors or otherwise including as may be described from time to time at https://platform.sh/trust-center/. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Platform.sh if so required by Platform.sh, Platform.sh must:

    (i) supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer, so Customer can verify Platform.sh’s compliance with the audit standards against which it has been assessed, and this DPA; and

    (ii) provide written responses (on a confidential basis and at Customer’s expense) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires, that are necessary to confirm Platform.sh’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year, unless required by a supervisory authority

(b) Platform.sh operates as a fully remote company with employees working remotely across the world, with headquarters located in Paris, France. Notwithstanding the foregoing, Platform.sh will provide any information necessary to verify Platform.sh’s compliance, so long as the requests do not require Platform.sh to disclose to Customer or its authorized representatives, or to allow Customer or its authorized representatives to access:

    (i) any data or information of any other Platform.sh customer (or such customer’s End Users);

        ii. any Platform.sh internal accounting or financial information;

        iii. any Platform.sh trade secret;

        iv. any information that, in Platform.sh’s reasonable opinion, could: (1) compromise the security of Platform.sh systems or premises; or (2) cause Platform.sh to breach its obligations under Applicable Data Protection Law or its security, confidentiality, and/or privacy obligations to any other Platform.sh customer or any third party; or

        v. any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Applicable Data Protection Law and Platform.sh’s compliance with the terms of this DPA.

(c) An audit permitted in compliance with Section 2.14(b) will be limited to once per calendar year, unless i) Platform.sh has experienced a Security Incident within the prior twelve (12) months that has impacted Customer Personal Data; ii) Customer is able to evidence an incidence of Platform.sh’s material noncompliance with this DPA; or iii) Required by a supervisory authority.

2.15 Law enforcement: If a law enforcement agency sends Platform.sh a demand for Customer Personal Data (e.g., a subpoena or court order), Platform.sh will attempt to redirect the law enforcement agency to request that data directly from Customer, per our Law Enforcement Requests Guidelines on our Trust Center. As part of this effort, Platform.sh may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Platform.sh will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent Platform.sh is legally permitted to do so.

3. Relationship with the Agreement

3.1 The parties agree that this DPA replaces and supersedes any existing DPA the parties may have previously entered into in connection with the product or services.

3.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent that conflict is related to the processing of Customer Personal Data.

3.3 The liability of each party and each party’s affiliates under this DPA is subject to the following:

1. EXCLUSION OF DAMAGES. IN NO EVENT WILL PLATFORM.SH BE LIABLE FOR (A) ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOSS OF USE, LOSS OF DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, HOWEVER CAUSED, AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY), OR OTHERWISE, WHETHER OR NOT PLATFORM.SH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES (B) ANY DAMAGES CAUSED BY CUSTOMER’S USE OF THE SERVICE OR IN CONNECTION WITH ITEMS SENT BY CUSTOMER; (C) ANY DAMAGE TO INVENTORY HELD BY PLATFORM.SH ON BEHALF OF CUSTOMER 

2. SECTION (a) ABOVE DOES NOT APPLY IN THE CASE OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT BY PLATFORM.SH.  
    

3. MAXIMUM AGGREGATE LIABILITY. TO THE EXTENT PERMITTED BY APPLICABLE LAW, PLATFORM.SH’S MAXIMUM AGGREGATE LIABILITY TO CUSTOMER UNDER, ARISING OUT OF, OR RELATING TO THIS DPA, WILL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID BY CUSTOMER TO PLATFORM.SH DURING THE TWELVE (12) MONTHS PRECEDING THE DATE THE LIABILITY FIRST ARISES.

3.4 Any claims against Platform.sh or its affiliates under this DPA can only be brought by the Customer entity that is a party to the Agreement against the Platform.sh entity that is a party to the Agreement. In no event will this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

3.5 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Applicable Data Protection Law.

3.6 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision will not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

3.7 This DPA will terminate simultaneously and automatically upon deletion by Platform.sh of the Customer Personal Data processed on behalf of the Customer, in accordance with Section 2.13 of this DPA.

APPENDIX 

Signature not required as this DPA is incorporated into the PSH Customer Agreement

ANNEX I: LIST OF PARTIES

Controller(s): 

Name:

Address:

Contact person’s name, position, and contact details:

Signature and accession date:

Processor(s): 

Name: Platform.sh SAS

Address: 22 Rue de Palestro 75002 Paris

Contact person’s name, position, and contact details:

Stefanos Thampis

Data Protection Officer

dpo@platform.sh

ANNEX II: DESCRIPTION OF THE PROCESSING

Note: This Annex contains a description of the processing Platform.sh does as a Processor only. For an explanation of how Platform.sh may process personal data as a Controller, please see our Controller vs. Processor documentation.

Categories of data subjects whose personal data is processed

• The data subject can be any person whose personal data is being collected by the controller and contained in the customer’s project environment.

Categories of personal data processed

• Personal data that may be contained in the controller’s project environment. 
• Note: While Platform.sh provides the project environment and stores the data within as part of our service offering, Platform.sh does not know whether the environment includes personal data as defined by the GDPR, nor is Platform.sh responsible for the controller’s obligations as it relates to the collection of such personal data. However, Platform.sh operates under the assumption that the controller’s project environment includes personal information and potentially even sensitive personal data, and we treat the environment accordingly, such as applying the appropriate security and data protection safeguards which are audited by third-party auditors.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• If a Platform.sh customer chooses to store sensitive personal data in their project environment.
• Note: Platform.sh does not know what types of personal data, if any, are contained in the customer’s project environment. However, Platform.sh operates under the assumption that the customer’s environment includes personal data and potentially even sensitive personal data. Thus, Platform.sh applies appropriate technical, organizational, and security measures to the environment, as described in Annex III (see below).

Nature of the processing

• Storing of personal data
• Access of personal data
• Erasure of personal data
• Destruction of personal data

Purpose(s) for which the personal data is processed on behalf of the controller

• To fulfill Platform.sh’s contractual terms related to project hosting (e.g. storage, code execution, backups, network traversal) 
• To access the customer’s project environment for the following reasons:
  • When requested to do so by the customer to fix a problem
  • To prevent an outage
  • To fix an outage
• To comply with applicable legal obligations.

Duration of the processing

• Until expressly stopped by customer, or 
• Until deletion of all customer data pursuant to termination of the Customer’s subscription, whichever event occurs first.

ANNEX III TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Note: This Annex contains a description of the technical and organisational measures including technical and organizational measures to ensure the security of the personal data implemented by Platform.sh as a Processor only.

Measures of pseudonymisation and encryption of personal data:

• We do not have a use case for anonymizing or pseudonymizing personal data. We only use personal data for the purposes of providing our service.
• Data, including backups, is encrypted at rest and in transit.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

• We have an internal governance program that oversees compliance with external standards that include confidentiality, integrity, availability and resilience of processing systems and services. This program, along with the technical implementation, is audited annually by a third-party assessor.
• We implement configuration standards in an automation manner whenever possible.
• We internally and externally audit technical measures to ensure compliance. 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

• Backups on Platform.sh Professional are retained for at least seven (7) days. They will be purged between seven (7) days and six (6) months, at Platform.sh’s discretion.
• Platform.sh takes a byte-for-byte snapshot of Dedicated production environments every six (6) hours.
• We regularly restore data in the course of normal business operations.
• We perform an annual disaster recovery exercise that tests our ability to restore data.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:

• Testing: We have regular quality assurance testing and annual disaster recovery testing.
• Assessing and Evaluating: We have weekly & monthly review meetings that cover our technical and organisational measures. Annually, we engage with third-party auditors to formally audit us against multiple industry standards. We also have an internal audit program that assesses our compliance with our internal and external requirements.

Measures for user identification and authorisation:

• We maintain a separate authorization system for customers which utilizes MFA.
• Internally, we use a centralized identity provider that handles authentication and authorization which utilizes MFA, and we maintain a password policy with strong requirements that all employees must follow. We also have a well defined set of access mechanisms based on need-to-know and the principal of least priviledge. Any activity that takes place is logged and stored.
• All of our sites adhere to our cryptographic controls policy, which mandates the use of strong, industry-standard cryptographic measures.
• Customers have control and governance over user access via fine-grained, per-environment permissions.

Measures for the protection of data during transmission:

• Data is encrypted in transit.

Measures for the protection of data during storage:

• Application data is encrypted at rest by default using encrypted ephemeral storage (typically using an AES-256 block cipher). 

Measures for ensuring physical security of locations at which personal data are processed:

• Platform.sh is a fully remote company and as such does not host servers or hold personal data in physical form. Thus, we transfer this requirement to our IAAS providers.

Measures for ensuring events logging:

• Infrastructure: We implement a variety of logging methods. Logs are sent to separate, protected, locations. We regularly look at logs in the course of business. We are annually audited by a third party against our logging and monitoring implementation.
• Customer environment: Logs for various tasks on an application container are available in the /var/log directory. They can be accessed on the normal shell after logging in with platform ssh. Application logs are the responsibility of the customer.

Measures for ensuring system configuration, including default configuration:

• We have implemented a configuration management system that automates standard configuration items. We also have CI/CD processes to ensure consistent configuration. These systems are audited annually by a third-party.

Measures for internal IT and IT security governance and management:

• Platform.sh has dedicated Security and Privacy Teams to implement and manage security strategy and IT governance. Various activities such as regular meetings and reporting, internal auditing, and third-party audits have been implemented.
• We have a company-wide security strategy.

Measures for certification/assurance of processes and products:

• Platform.sh undergoes multiple third-party audits resulting in certification. Please see our website for a list of our industry certifications.

Measures for ensuring data minimisation:

• Platform.sh collects only the personal information which is necessary for the purposes identified at the time of collection (e.g. to provide you with technical support, and to improve your services).
• Platform.sh does not use or disclose personal information for purposes other than those which it has identified and received consent for in line with these Clauses and only retains personal information for as long as is necessary to fulfill such purposes.

Measures for ensuring data quality:

• Customers directly input their data into our systems.
• Customers have direct access to their data with the ability to modify that data. 

Measures for ensuring limited data retention: 

• Platform.sh’s Privacy Team mandates a company-wide Data Retention Policy and audits this information internally.
• Where feasible, we programmatically implement a data retention lifecycle.
• Our data retention standards and implementation are audited by a third-party annually.

Measures for ensuring accountability:

• We have a designated Data Protection Officer that reports to the highest level of executive management.
• We have Security and Privacy Teams who are accountable for the stewardship of personal information, including collection, usage, disclosure, retention, and transfer of personal information to third parties for processing.
• We produce an internal report on Privacy and Security activities and metrics annually which is distributed to the entire company and our board of directors.

Measures for allowing data portability and ensuring erasure:

• Customers have direct access to their own data and can export it at will.
• Data deletion is handled via our backend providers. When a volume is released back to the provider, the provider will perform a wipe on the data utilizing either NIST 800-88 or DoD 5220.22-M depending upon the offering. This wipe is done immediately before reuse. Additionally, the encryption key is destroyed when we release the volume back to the provider, adding another layer of protection.
• Data subject deletion requests where Platform is the controller are handled via a support ticket. For contracts designating Platform as the processor, deletion requests should be sent to the controller and we will forward any that we receive.

For transfers to sub-processors, also describe the specific technical and organisational measures to be taken by the sub-processor to be able to provide assistance to the controller: 

• Data processing by external parties as disclosed in our subprocessors list on our Trust Center is managed in accordance with our audited policies.
• There are no additional measures in place at this time.

Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller:

• We have a DPO email address of dpo@platform.sh for general queries.
• We have a ticketing system for customers to ask specific questions about their account including data protection and security topics.
• We have user documentation that includes security and privacy topics.