As the GDPR comes into application today all over Europe, we can confirm that we’re GDPR ready. What does that mean for you?
What is GDPR?
Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), comes into application today. It aims to unify the data privacy regulations of EU member states into a single regulation, enforced across the EU single market.
The GDPR is not only relevant for Europe but also applies outside of the EU whenever: (1) an EU data subject’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored”.
If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (such as Scalingo) are GDPR-compliant too. Scalingo is GDPR-compliant and strictly enforces the regulation to protect the user data we store. The list of our own providers (i.e. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA).
GDPR at Scalingo
Two types of personal data may be collected by Scalingo: (1) billing information of our direct customers and (2) personal data processed on behalf of our customers (the personal data of the users of our customers' web applications), for which Scalingo acts as a Data Processor in GDPR terminology. The handling of billing information is straightforward under GDPR: we need it to let you use our service. You will of course be much more interested in how we handle the second type of personal data.
This is a list of measures in place at Scalingo to ensure GDPR compliance:
- Data Processing Agreement: our DPA is available online. It lists all our commitments regarding GDPR. In fact it has been in place for more than 1 year now, and if you're using our service you have already accepted this DPA.
- Data Protection Officer: we have appointed our CEO, Yann Klis, to be our DPO. If you have any GDPR or data privacy questions, feel free to reach him at email@example.com.
- Data Privacy by design: our entire team (marketing and developers) has been trained on personal data privacy matters, especially in the context of GDPR. This means that every time we handle personal data we take great care not to send it to any third party, or to send only anonymized data when really necessary (especially relevant when using marketing tools).
- Data Governance: Having internally audited all of our suppliers on their internal security and their GDPR compliance status, we can confirm that our in-scope suppliers are GDPR compliant.
- Data Breach Policy: Technical and Organisational Measures are in place to ensure your data are in safe hands at Scalingo. Should a data breach occur, we have set up a notification channel to communicate on the matter. We have also reviewed all our suppliers to confirm that their breach notification procedures meet an acceptable standard.
- Personally identifiable information (PII): We've implemented key actions to encrypt and protect personally identifiable information, whether hot (in use on the platform) or cold (stored in backups).
How to sign a GDPR DPA with Scalingo?
We have made it easy for you to comply with your own obligations. If you are a Scalingo customer and have determined that you qualify as a Data Controller under the GDPR, you may need a Data Processing Agreement (DPA) in place with Scalingo as a qualifying vendor. We've made that part of the process simple.
This is all you need to do:
- Go here to find our GDPR-compliant DPA, which has been pre-signed on behalf of Scalingo.
- To complete the DPA, you should fill in the information in the “On behalf of the Customer” box and sign on Page 8.
- Submit the completed and signed DPA to Scalingo via firstname.lastname@example.org.
- Upon submitting the validly completed DPA to the email address provided above, the DPA will become legally binding.
Banner image courtesy of GregMontani via Wikimedia Commons