Platform.sh has taken numerous steps to prepare for GDPR. We believe we meet the spirit of the regulation.
As part of our measures, we have implemented the following:
- Data Protection Officer: Appointment of a Security Officer who also holds the Data Protection Officer (DPO) role.
- Data Breach Policy: We have updated our data breach policy and procedures and have reviewed all our suppliers to confirm they are compliant with breach notifications.
- Consent: We've confirmed that all of our customer communication, both business-related and marketing-related, is opt-in and no information is shared with us without a customer's consent.
- Data Governance: We have internally audited all of our suppliers on their internal security and their GDPR compliance status and can confirm that our in-scope suppliers are GDPR compliant.
- Data Protection by design: We've implemented policies in the company to ensure all of our employees follow the necessary training and protocols around security. In addition, privacy protection is part of every project during instantiation.
- Enhanced Rights: The GDPR provides rights to individuals such as the right to portability, right of rectification, and the right to be forgotten. We've made sure we comply with these rights. Nearly all information can be edited through a user's account, and we can delete accounts upon request.
- Personally identifiable information (PII): We've audited our systems to confirm that we encrypt and protect your personal data.
- Data Flows: We have identified data, mapped the high-level data flow, and mapped data shared with vendors, including cross-border transfers.
- PIA: We have performed an internal Privacy Impact Analysis (PIA) using the CNIL's PIA Software to ensure we comply with the GDPR.
- Security: We have created https://platform.sh/security to document our security features.
- Data Collection: We've documented information about what data we collect.
- Data Retention: We've documented information about our data retention.