
GDPR overview

Platform.sh has taken numerous steps to ensure compliance with the General Data Protection Regulation (GDPR).

Measures

As part of our measures, we have implemented the following:

  • Data Protection Officer: Appointment of a Data Protection Officer (DPO).
  • Data Breach Policy: We have a data breach policy and incident response process.
  • Third-Party Due Diligence: All vendors undergo a compliance review and a security review. We utilize Data Processing Agreements (DPAs) with all vendors that process personal data.
  • Employee training: We implemented company policies to ensure that all of our employees receive the necessary compliance training and follow proper protocols regarding security and data protection handling.
  • Data Subject Rights: The GDPR provides rights to individuals such as the right to portability, the right to rectification, and the right to be forgotten. We comply with these individual rights.
  • Data Flows: We identified and classified data, and created a high-level data flow diagram that maps out data shared with vendors, including cross-border transfers.
  • Privacy Impact Assessment (PIA): We perform internal PIAs to ensure that we comply with GDPR principles and obligations.
  • Security: We created https://platform.sh/trust-center/security to document our cloud compliance and security features.
  • Data Collection: We documented information about what data we collect.
  • Data Retention: We documented information about our data retention practices.
  • Data Processing Agreement (DPA): Our DPA directly addresses our services and how our privacy commitments apply to you and your data. The DPA is incorporated in our ToS and applies to all of our customers, regardless of geographical location.
  • Audits: We undergo a yearly third-party audit that includes privacy controls.

Platform.sh roles under the GDPR

In technical terms, Platform.sh operates a:

  • Infrastructure Control Plane: This is Platform.sh’s orchestration, control, and management environment.
  • Customer Data Plane: This is the customer’s data app and project environment.

With respect to the GDPR, Platform.sh is both a Controller and Processor:

  • We are a Controller for the overall PaaS service and in particular when we have a direct relationship with data subjects (our customers) who are explicitly the users of our services. Further, because the minimal personal data we collect comes from our direct customers in our account systems, we also act as the Controller for our Infrastructure Control Plane when we use this information to establish and operate regions, provision services, networks, and so on. Our Infrastructure Control Plane is unique to our service and can’t be modified by our customers. The one exception to this situation is that incoming connections transit this infrastructure from the internet to our customers’ cardholder data environment, which may hold IP addresses and unencrypted URLs.
  • We are a Processor for the customers’ project environment.
    • Note: While we provide the project environment to the customer (Controller) and store the data that the customer puts on their environment, we do not know whether this includes personal data as defined by the GDPR nor are we responsible for the Controller’s obligations as it relates to the collection of such personal data. We operate under the assumption that the Controller’s project environment includes personal data and possibly even sensitive personal data and we treat the environment accordingly, such as by applying appropriate security and data protection safeguards that are audited by third-party auditors.

Data Processing Agreements (DPAs) are incorporated in our ToS with our customers when we are acting as a Processor.

Subprocessors

Find the most up-to-date list on the Trust Center privacy page.

When Platform.sh acts as a Processor of our customer’s data, we may use subprocessors to assist us with such processing, such as backend hosting providers. We execute DPAs with all third parties whose services we utilize if they are processing EU personal information on our behalf. In addition, we execute relevant Standard Contractual Clauses (SCCs), incorporated into our DPA, to ensure compliance with obligations related to international transfers under the GDPR.

Similarly, when Platform.sh acts as a Controller of our customer’s data, we may engage processors to help us with certain processing, such as account management, marketing, or processing payments.

For more information on when and with whom we execute DPAs or SCCs, see a blog post on SCCs.

© 2024 Platform.sh. All rights reserved.