The GDPR is a data privacy regulation passed by the European Union that protects personal information. The GDPR applies to organizations located in the EU Member States, and organizations that collect EU individuals’ personal data. As a French company that collects EU customer and employee data, Platform.sh must comply with the GDPR. See how we comply.
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses may collect, use, and share California residents’ personal information. On January 1, 2023, the California Privacy Rights Act (CPRA) came into effect. As a business that handles California consumers’ personal information, Platform.sh must comply with this regulation.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that sets national standards for the protection of sensitive patient health information. It addresses the use and disclosure of individuals’ health information, including in an electronic format. As a company with customers who may use Platform.sh services to host HIPAA workloads, we must comply with relevant HIPAA requirements. See how we comply.
SOC2 - Privacy Trust Service Criteria
The AICPA Trust Services Criteria defines five touchstones for evaluating an organization's security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy. As part of our SOC 2 audit, Platform.sh undergoes a yearly third-party audit of our privacy practices to ensure we meet industry standards. See how we comply.
Australian Privacy Act
The Privacy Act and its 13 Australian Privacy Principles (APPs) regulate the handling of individuals’ personal information by Australian Government agencies and organizations. As an organization that operates in Australia and has an Australian link, Platform.sh must comply with the Privacy Act.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law for private-sector organizations that collect, use, or disclose personal information in the course of a commercial activity. As an organization that operates in Canada and handles personal information of Canadians, Platform.sh must adhere to PIPEDA.
The Freedom of Information and Protection of Privacy Act (FIPPA) is an Act from British Columbia setting out the requirements for the public sector to collect, use, disclose and safeguard individuals' personal information and for the records in the custody of a public body. As a company with customers who may use Platform.sh services to host FIPPA workloads, we must comply with relevant FIPPA requirements.
With inspiration from the EU Commission’s Article 28 DPA, Platform.sh’s DPA directly addresses our services and how our privacy commitments apply to you and your data. This agreement applies to all of our customers, regardless of geographical location. Find our DPA here.
The European Commission’s module-based standard contractual clauses (SCCs) are required for transfers of EU personal data to non-adequate countries. Platform.sh executes the appropriate SCC module with all applicable third parties (vendors) whose services we may use, and we have the SCCs automatically incorporated into the DPA we send to our vendors. If you have any questions regarding SCCs, please contact firstname.lastname@example.org
Subprocessors and Record of Processing Activities
Platform.sh as a Processor may use subprocessors to assist with certain processing, such as backend hosting providers. When Platform.sh is a Controller, it may engage processors to help with account management, marketing, processing payments, etc. Our subprocessor list contains these vendors and details the purpose of processing, types of personal data, data location, and more.
With respect to the EU GDPR, Platform.sh’s Blackfire service operates as a Controller. We maintain a list of all processors that Blackfire engages, including details like the purpose of processing, type of personal data, data location, and more.
In accordance with GDPR Article 30, Platform.sh maintains a record of processing activities that lists its processing activities under its responsibility as a Controller as well as categories of processing activities carried out by Platform.sh when acting as a Processor of its customers’ personal data.
Platform.sh’s Blackfire service does not intentionally collect end-user personal data, nor does it operate as a processor of personal data. However, the Blackfire service may collect personal data as a Controller, as detailed in its record of processing activities.