Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
Organizations, the ultimate way to manage your users and projectsThese guidelines are solely intended for use by law enforcement or official representatives of government agencies (“Authority” & “Authorities”). These guidelines are not intended for requests for personal data by Platform.sh customers, Platform.sh customers’ end-users, civil litigants, criminal defendants, or other third parties.
Platform.sh provides a Platform as a Service (PaaS) in a cloud environment and operates worldwide. Thus, situations may arise where Authorities must seek customers’ account records and customers’ personal data from Platform.sh based on valid legal process. These guidelines inform Authorities on how to submit such requests for personal data.
However, please note, Platform.sh will first attempt to redirect Authorities to request the personal data directly from the customer.
Platform.sh complies with the rules and laws of the relevant jurisdictions (“Applicable Laws”) in which it operates, as well as the privacy rights of its customers. Accordingly, Platform.sh diligently reviews requests to ensure that they comply with the Applicable Laws, and only provides personal data when Platform.sh reasonably believes it is legally required to do so.
Platform.sh strictly evaluates and seeks to limit or object to requests pursuant to relevant laws, including those that are overbroad, seek a large amount of personal data, or affect a large number of users. Platform.sh also objects where there is insufficient justification to compel the release of the requested data under Applicable Laws.
How to submit a request?
Authorities transmitting a personal data request to Platform.sh must complete a Government & Law Enforcement Information Request template and send it directly from their official email address to dpo@platform.sh with the subject line “Attention: Government & Law Enforcement Information Request.”
If Authorities must submit requests via mail or in person, they should submit the template to Platform.sh’s address at: 22 Rue de Palestro 75002 Paris, France.
Please note: Requests received by post are subject to additional processing time. Acceptance of legal process by any of these means is for convenience and does not waive any objections, including lack of jurisdiction or proper service.
Requirements for Authorities submitting a request:
For Platform.sh to process an Authority’s request it must meet the following conditions:
- be sent by Authorities via a registered email domain (unless delivered via mail or in person, as stated above) and sent to dpo@platform.sh.
- include valid and enforceable legal process (e.g., a subpoena, court order, or search warrant) (see below for specifics) that compels Platform.sh to produce the personal data requested.
- contain the Authority’s name and contact information.
- state with particularity the categories of records or personal data sought.
- include sufficient personal data regarding the customers’ account, such as a phone number or account identifier, in order for Platform.sh to identify the customers’ account(s) at issue (while also limited to what is necessary).
- indicate the specific time period for which personal data is requested.
Legal Process Request Requirements
Platform.sh only discloses customers’ personal data in accordance with Platform.sh’s Terms of Service, Privacy Policy, and Applicable Laws. Depending on an Authority’s jurisdiction, a Mutual Legal Assistance Treaty request, letter rogatory, or valid search warrant issued under the Federal Rules of Criminal Procedure or equivalent state warrant procedures may be required to compel the disclosure of Platform.sh customers’ personal data.
Platform.sh’s Notice to Affected Customers
In accordance with GDPR requirements and Platform.sh’s Data Processing Agreements with customers, Platform.sh will use reasonable efforts to provide notice to Platform.sh’s customers when Platform.sh receives a request for their personal data unless Platform.sh is explicitly prohibited from doing so by Applicable Laws.
Authorities that do not want Platform.sh to notify Platform.sh’s customers of their request should include a court order or reference to other legal authority that bars Platform.sh from disclosing the existence of the request to Platform.sh’s.
If, while investigating an Authority's request for personal data, Platform.sh discovers a violation of Platform.sh’s Terms of Service by the customer at issue, Platform.sh will take action to prevent further abuse, which may alert the customer to a Platform.sh investigation. If Authorities wish to prevent Platform.sh’s customers from potentially gaining knowledge of an investigation, the request should explicitly instruct Platform.sh not to take remedial action after discovering a Terms of Service violation until after the request for personal data is fulfilled and the investigation is complete.
Emergency Situations and Child Safety Matters
Per Platform.sh’s Privacy Policy, Platform.sh may disclose personal data to Authorities during an emergency when a person is at risk of potential imminent death or serious physical injury, and Platform.sh may have personal data necessary to prevent such emergency. Platform.sh will evaluate emergency disclosure requests on a case-by-case basis in compliance with Applicable Laws.
Platform.sh will share personal data solely where it is necessary and proportionate to do so.
Platform.sh also reports apparent instances of child exploitation or missing children detected on Platform.sh’s services to the relevant Authorities, including content drawn to Platform.sh’s attention by Authorities that may discover exploits outside of their jurisdiction.
To make an emergency disclosure or child safety request for customers’ personal data, briefly describe the nature of the situation, why such personal data is requested of Platform.sh, and follow the requirements for submitting a request listed above.
Preservation Requests
Customers are free to request their personal data be deleted from Platform.sh’s systems, or data may have been deleted pursuant to Platform.sh’s data retention limits. However, Platform.sh will preserve any customers’ personal data in its possession in response to a formal and valid request from Authorities that includes a specific time range for preservation not to exceed ninety (90) days unless otherwise required by Applicable Laws. To submit a preservation request, follow the requirements for submitting a request listed above.
Note: Per Platform.sh’s Privacy Policy, Platform.sh will use reasonable efforts to provide notice to Platform.sh’s customers when Platform.sh receives a request for their personal data unless Platform.sh is explicitly prohibited from doing so by Applicable Laws. Platform.sh may notify the user of the preservation request unless explicitly prohibited from doing so by statute, subpoena, or court or administrative order.
Takedown Requests
Platform.sh abides by the Digital Millennium Copyright Act (DMCA) and will consider requests to disable content on a case-by-case basis. Platform.sh may notify the user of the request unless explicitly prohibited from doing so by statute, subpoena, or court or administrative order.
Reimbursement for Requests
Platform.sh reserves the right to seek reimbursement for costs in responding to unusual or burdensome requests. Platform.sh will not seek reimbursement for costs associated with responding to emergency requests or requests relating to missing children or child exploitation.
Response Time
Platform.sh typically responds to valid requests for personal data within two (2) business weeks. However, response times may take longer than two (2) business weeks depending on the complexity and scope of the request.
If Authorities require an expedited response, the required response deadline should be stated clearly in both the submission documentation and the formal request itself.
These guidelines are regularly reviewed by Platform.sh and are subject to change at Platform.sh’s discretion.
Last updated: 2023-28-04
