The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.
Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.
HighOps Limited, the company behind AtlasHost, has taken steps to ensure that we will be compliant with GDPR by May 25, 2018.
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
HighOps/AtlasHost roles under GDPR
We act as both a data processor and a data controller.
As a data processor
When customers use our services to process EU personal data, we act as a data processor. For example, we are a processor of EU personal data and information that gets uploaded into an Atlassian application. This means we will, in addition to complying with our customers’ instructions, need to comply with the legal obligations that apply directly to processors under the GDPR.
As a data controller
We act as a data controller for the EU customer information we collect to provide our services and to provide timely customer support. This customer information includes things such as customer name and contact information.
What personal data is collected and stored from our customers?
We store data that customers have given us voluntarily. For example, in our role as data controller, we may collect and store contact information, such as name, email address, phone number, or physical address, when customers sign up for our services or seek support help. We also may collect other identifying information from our customers, such as IP address, Payment Processors ID, SSH public keys or OAuth tokens for external services where required to accomplish tasks explicitly requested by our customers.
We separately act as a data processor when customers use our services to process EU personal data, such as uploading personal data to an Atlassian Jira ticket the customer owns. Customers decide what personal data, if any, is uploaded to their Atlassian products that we host for them.
What is the Data Processing Agreement (“DPA”)?
Customers that handle EU personal data are required to comply with the privacy and security requirements under GDPR. As part of this, they must ensure that the vendors they use to process the EU personal data also have privacy and security protections in place.
Our DPA outlines the privacy and security protections we have in place. We are committed to GDPR compliance and to helping our customers comply with the GDPR when they use our services. We have therefore made our DPA available to all our customers and it can be found here: Data Processing Agreement.
In order to use our services you need to accept our DPA linked above. By agreeing to our terms of service, you are automatically accepting our DPA and do not need to sign a separate document.
Customers who wish to share it with their own customers to confirm our security measures and other terms may feel free to do so.
Do you transfer data internationally?
The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EU and prohibits the export of personal data outside of the EU to non-EU recipients unless the export meets certain criteria.
HighOps/AtlasHost, being headquartered in Europe and using solely data centers located in Europe, has never transferred data internationally and never will.
All data has always been and always will be stored and processed in the EU.
How do you handle delete instructions from customers?
Customers have the ability to remove or delete information they have uploaded to the Atlassian applications they own and we host for them. Likewise, customers may deactivate their account and request that all personal data we have collected and stored is deleted. Log a support request as usual to request anything.