

At Platform.sh, we care about our customers and strive to be good custodians of our customers’ data. We do not sell your data and we are transparent about how we may use your data. For more information on how we handle personal data and cloud data privacy at Platform.sh, please see our Privacy Policy and our Data Privacy Framework Notice.


GDPR Compliance

The GDPR is a data privacy regulation passed by the European Union that protects personal information. The GDPR applies to organizations located in the EU Member States, and organizations that collect EU individuals’ personal data. As a French company that collects EU customer and employee data, Platform.sh must comply with the GDPR.

See how we comply.


The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses may collect, use, and share California residents’ personal information. On January 1, 2023, the California Privacy Rights Act (CPRA) came into effect. As a business that handles California consumers’ personal information, Platform.sh must comply with this regulation.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that sets national standards for the protection of sensitive patient health information. It addresses the use and disclosure of individuals’ health information, including in an electronic format. As a company with customers who may use Platform.sh services to host HIPAA workloads, we must comply with relevant HIPAA requirements.

See how we comply.

SOC2 - Privacy Trust Service Criteria

The AICPA Trust Services Criteria defines five touchstones for evaluating an organization's security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy. As part of our SOC 2 audit, Platform.sh undergoes a yearly third-party audit of our privacy practices to ensure we meet industry standards.

See how we comply.

Australian Privacy Act

The Privacy Act and its 13 Australian Privacy Principles (APPs) regulate the handling of individuals’ personal information by Australian Government agencies and organizations. As an organization that operates in Australia and has an Australian link, Platform.sh must comply with the Privacy Act.


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law for private-sector organizations that collect, use, or disclose personal information in the course of a commercial activity. As an organization that operates in Canada and handles personal information of Canadians, Platform.sh must adhere to PIPEDA.


The Freedom of Information and Protection of Privacy Act (FIPPA) is an Act from British Columbia setting out the requirements for the public sector to collect, use, disclose and safeguard individuals' personal information and for the records in the custody of a public body. As a company with customers who may use Platform.sh services to host FIPPA workloads, we must comply with relevant FIPPA requirements.


Platform.sh DPA

With inspiration from the EU Commission’s Article 28 DPA, Platform.sh’s DPA directly addresses our services and how our privacy commitments apply to you and your data. This agreement applies to all of our customers, regardless of geographical location.

Find our DPA here


The European Commission’s module-based standard contractual clauses (SCCs) for transfers of EU personal data to non-adequate countries are required. Platform.sh executes the appropriate SCC module with all applicable third parties (vendors) whose services we may use, and we have the SCCs automatically incorporated into the DPA we send to our vendors. If you have any questions regarding SCCs, please contact dpo@platform.sh.

Subprocessors and Record of Processing Activities

Platform.sh as a Processor may use subprocessors to assist with certain processing, such as backend hosting providers. When Platform.sh is a Controller, it may engage processors to help with account management, marketing, processing payments, etc. Our subprocessor list contains these vendors and details the purpose of processing, types of personal data, data location, and more.

Check the Subprocessor List

With respect to the EU GDPR, Platform.sh’s Blackfire service operates as a Controller. We maintain a list of all processors that Blackfire engages, including details like the purpose of processing, type of personal data, data location, and more.

In accordance with GDPR Article 30, Platform.sh maintains a record of processing activities that lists its processing activities under its responsibility as a Controller as well as categories of processing activities carried out by Platform.sh when acting as a Processor of its customers’ personal data.

Platform.sh’s Blackfire service does not intentionally collect end-user personal data, nor does it operate as a processor of personal data. However, the Blackfire service may collect personal data as a Controller as detailed in its record of processing activities.

We're here to answer your questions

For high-level compliance questions that are not answered in the trust center
Contact customer care
For detailed compliance questions including requests for completion of any compliance forms
Contact sales

Data subject access request (DSAR)

Please submit a Support Ticket or, if you do not have an account with us, complete this form and submit it via email to dpo@platform.sh.


Platform.sh is committed to upholding the principles of GDPR on a global scale, a practice we call our “GDPR Everywhere” approach to privacy. This approach transcends geographic boundaries, ensuring that individuals' rights to data protection are respected in all regions, regardless of the existence or lack of privacy regulations. By implementing GDPR principles worldwide, Platform.sh not only demonstrates its dedication to safeguarding personal information but also sets a high standard for data security and transparency across the globe.
© 2024 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺