The General Data Protection Regulation (GDPR) approved and adopted by the EU Parliament in April 2016 aims primarily to give control back to EU citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When the GDPR comes into effect on the 25th of May 2018, all companies processing and storing the personal data of subjects residing in the EU must comply with it, regardless of their location.
How Octopus is preparing for the GDPR
The security of our customers' data is a priority at Octopus. We are following the EU's transition to the GDPR and have already made important strides in data protection, many of which apply directly to the GDPR.
Octopus Deploy will be GDPR compliant by the 25th of May 2018 enforcement date.
We are here to help
We can provide further details about the categories of data we hold, assist with the deletion of a data subject's personal data, and discuss the impact of such deletions. We are also introducing features into the Octopus Deploy application to help you meet the requirements defined by the GDPR.
We value our customers and take all reasonable steps to protect their privacy. We follow current industry standards for securing our infrastructure and the application code that runs on it.
If a data breach does occur, Octopus Deploy is ready to respond in accordance with the GDPR.
Octopus Deploy will respond in accordance with rights granted by the GDPR when we receive a request to provide or delete a data subject's Personally Identifiable Information (PII).
Billing, octopus.com, and GDPR
Octopus Deploy stores PII on infrastructure we control and on third-party systems for billing purposes. This applies even if you start a free trial without providing payment details. That data comprises:
- Company Details;
- a Technical Contact (name, email, phone); and
- a Billing Contact (name, email, phone).
| Entity | Purpose / Data Stored | GDPR Compliance |
| --- | --- | --- |
| Braintree | Payment gateway. Credit card data, data subject name, email, phone, billing address | In Progress |
| Xero | Cloud-based financial software. Company and billing data subject name, email, phone number | In Progress |
| PayPal | Payment gateway. Credit card data, data subject name, email, phone, billing address | In Progress |
| Azure | Cloud computing platform. Company and technical/billing data subject name, email, phone, billing address | In Progress |
| G Suite | Cloud productivity and collaboration tools, from Google. Company and technical/billing data subject name, email, phone, billing address | In Progress |
| Drip | Cloud-based marketing automation software. Data subject name and email | In Progress |
| Postmark | Cloud-based email delivery service. Data subject name and email | In Progress |
| Shopify | Merchandise store, used if you purchase Octopus merchandise, e.g. t-shirts | In Progress |
GDPR and self-hosted Octopus Deploy
As an existing customer of Octopus Deploy, your company hosts and manages the Octopus Deploy installation on your own infrastructure, or has an agreement with an external company to provide the hosting and management on your behalf.
Octopus Deploy staff do not have access to that infrastructure, the data stored on it, or the ability to log into that application.
Under the GDPR, responsibility for storing and securing the Personally Identifiable Information (PII) of data subjects, and for responding to and notifying them if a data breach is detected, rests solely with your company (or the third-party company hosting on your behalf).
Data Subjects and PII
The PII stored by your Octopus Deploy installation is limited to data about the users (data subjects):
- Email addresses
- Data related to 3rd party Single Sign On (SSO) services
- Behavioral data: the audit log records the actions performed by data subjects, and when they were performed, and maps directly to the other PII they have supplied
PII not stored by your Octopus Deploy installation:
- Profile pictures may be displayed in the web portal, but they are not stored by Octopus Deploy. This feature uses an external service, Gravatar, which stores the data subject's email address and profile photo on the data subject's behalf; the portal references the image by a hash of the email address, so the image request goes to Gravatar, not to your Octopus Deploy server.
Octopus Deploy enables your users to write and execute custom code (for example, scripts run as part of a deployment). Octopus Deploy does not take any responsibility for PII recorded by custom code; you are solely responsible for it.
Octopus Support and GDPR
In the event we are provided with a backup of your Octopus Deploy database (usually for the purpose of diagnosing an issue), we:
- Purge PII about data subjects (as described earlier);
- Scrub sensitive data;
- Store the backup only for as long as it takes to resolve the issue (typically a few days, but longer if necessary); and
- Keep it, while it is in use, on fully disk-encrypted drives.
We use the following services in the course of providing support to Octopus Deploy customers:
| Platform | Purpose / Data Stored | Contact Point | GDPR Compliant |
| --- | --- | --- | --- |
| Discourse | Public help forums. Data subject name, email, and any other PII supplied | Octopus Deploy | In Progress |
| Slack | Community chat about Octopus. The data Slack itself stores, plus any other PII supplied | Octopus Deploy | In Progress |
| HelpScout | Email support for Octopus Deploy. Data subject name, email, and any other PII supplied | Octopus Deploy | In Progress |
| Disqus | Blog comments. Data subject name, email, and any other PII supplied | Octopus Deploy | In Progress |
| SmartFile | Sending files to Octopus for the purpose of support. Any PII supplied, for example in database backups | Octopus Deploy | In Progress |
| Dropbox | File hosting for the purpose of support and tracking customers. Billing and contact data subject PII | Octopus Deploy | In Progress |
| GitHub | Cloud-based version control and issue tracker. Data subject name, email, and any other PII supplied | Octopus Deploy | In Progress |
If you have any questions about this, or you want to access, correct, or request that we delete your personal data, email us directly.