Data collection

As part of our normal business operations we do collect various pieces of data.

In GDPR terms:

  • Article 4: Our accounts system contains some (routine) Article 4 items (name, address, phone, etc.) in order to allow us to bill your account appropriately. This information can be verified, changed, and deleted by logging into your account.
  • Article 9: We don't capture and store any Article 9 special identifiers (such as race, religion, sexual orientation, or other attributes that are irrelevant to our business).
  • Article 30: The only Article 30 items we keep are IP addresses and log files. These reside on AWS/Azure/Orange (depending on your hosting), and may be sent to Sentry.io when there are crashes.

Application logs

Application logs are those generated by the host application or application server (such as PHP-FPM). They are immutable to Customers to prevent tampering. These logs are secured behind key-based SSH so that only the Customer and our relevant teams have access.

System logs

Platform.sh records routine system logs. We do not access Customer-specific system logs or the customer environment unless requested to do so to help solve a problem.

In the future, we will be rolling out better log segregation to allow a Customer to get easier access to their own logs for diagnostic purposes.

Access logs

There are two main types of access logs: web and SSH.

Web access logs

Application access logs are immutable to Customers to prevent tampering. These logs are secured behind key-based SSH so that only the Customer and our relevant teams have access.

SSH access logs

SSH access logs are securely stored in our infrastructure and not accessible to customers. They can be accessed by Platform.sh support personnel as part of an audit if requested.

Access by customers and Platform.sh support personnel to customer environments is logged. However, we only log the connection itself, not what was done during the session, as that would be a violation of customer privacy.

Vendor data sharing

We have identified and mapped all data we collect and share with vendors (such as AWS, Azure, and Orange). We know what we capture and where it goes. All of our vendors have been vetted for security and GDPR compliance. We have enacted contract amendments and Data Processing Agreements (DPAs) where applicable.