Octopus Deploy's GDPR compliance
The European Union's General Data Protection Regulation (GDPR) approved and adopted by the EU Parliament in April 2016 aims primarily to give control back to EU citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
As the GDPR came into effect on the 25th of May 2018, all companies processing and storing the personal data of subjects residing in the EU must comply with it, regardless of their location.
Octopus and GDPR
Octopus is able to comply with the European Union's General Data Protection Regulation (GDPR). A priority at Octopus is the security of our customers' data. We have followed the EU's transition to the GDPR and continue to take important strides in the area of data protection, many which are applicable under the GDPR.
We are here to help
We can provide further details about categories of data, assistance in facilitating deletion of data subjects, and discuss the impact of such deletions. We are also introducing features into the Octopus Deploy application to help you meet requirements defined by the GDPR.
We value our customers and take all reasonable steps to protect their privacy. We follow up to date industry standards in securing infrastructure and how it relates to application code.
If a data breach does occur, Octopus Deploy is ready to respond in accordance with the GDPR.
Octopus Deploy will respond in accordance with rights granted by the GDPR when we receive a request to provide or delete a data subject's Personally Identifiable Information (PII).
Billing, octopus.com, and GDPR
Octopus Deploy stores PII on infrastructure we control and on 3rd Party systems for billing purposes. This includes starting a free trial without providing payment details. That data is comprised of:
- Company Details;
- a Technical Contact (name, email); and
- a Billing Contact (name, email, address).
- IP address.
|Entity||Purpose / Data Stored||GDPR Compliance|
|Braintree||Payment gateway (new-customers). Data subject's name, email, credit card data and billing address||Compliant|
|Xero||Cloud based financial software. Data Subject's name, email and company name||Compliant|
|PayPal||Payment gateway (past-customers). Data subject's name, email, credit card data and billing address||Compliant|
|Azure||Cloud computing platform. Data subject's name, email, phone, billing address||Compliant|
|G-Suite||Cloud productivity and collaboration tools, from Google. Data subject's name, email, phone, company name and billing address||Compliant|
|Drip||Cloud based marketing automation software. Data subject name and email||Compliant|
|Postmark||Email delivery assurance cloud based software. Data subject name and email||Compliant|
|Shopify||If you purchase Octopus merchandise, e.g. t-shirts||Compliant|
|Hubspot||Marketing, Sales, Customer Service and CRM software. Data subject's name, email, phone, company name and billing address||Compliant|
|Lever||Talent acquisition software. Data subject's name, address, email, phone, education and employment history||Compliant|
|Tableau||Data visualization software. Data subject's name, email history||Compliant|
GDPR and Octopus Deploy
Your Octopus Deploy installation may be self-hosted (99.995% of customers) on infrastructure Octopus does not have access to, or cloud-hosted (a limited set of early-access users) on infrastructure managed by Octopus.
Data Subjects and PII
The PII stored by your Octopus Deploy installation is limited to data about the users (data subjects):
- Email addresses
- Data related to 3rd party Single Sign On (SSO) services
- Behavioral data, through the audit log actions, including the time performed by data subjects exists and maps directly to the other PII they have supplied
PII not stored by your Octopus Deploy installation:
- Profile pictures may be displayed in the web portal, these are not stored by Octopus Deploy. This feature uses an external service called Gravatar which stores the data subject's email address and profile photo on the data subject's behalf.
Octopus Deploy enables your users to write and execute custom code. Octopus Deploy does not take any responsibility for PII recorded by custom code. You are solely responsible for the PII recorded by custom code.
GDPR and self-hosted Octopus
As a self-hosted customer of Octopus Deploy, your company hosts and manages the Octopus Deploy installation on your own infrastructure. Alternatively, you might have agreements with an external company to provide the hosting and management on your behalf.
Octopus Deploy staff do not have access to that infrastructure, the data stored on it, or the ability to log into that application.
Responsibilities outlined in the GDPR reside solely with your company (or the third-party company) related to storing and securing Personal Identifiable Information (PII) of data subjects and responding/notifying them if a data breach is detected.
GDPR and cloud-hosted Octopus
As a cloud-hosted customer of Octopus Deploy the infrastructure on which your Octopus Deploy installation runs is controlled, managed and secured by Octopus. Octopus staff have no "standing-access" to your installation instance. If you need assistance at any point, and you give us explicit permission to log in to your instance for the purposes of support.
In order to monitor and act on the health of customer instances, and to report on general feature usage, Octopus Deploy performs data-processing on task timings, network/disk/CPU utilization, and feature usage. Examples include deployment durations, timings of communication with external resources. No Personal Identifiable Information (PII) of data subjects stored in the instance forms part of this data processing.
Responsibilities outlined in the GDPR still reside with your company related to storing and securing Personal Identifiable Information (PII) of data subjects in your Octopus Deploy installation. The infrastructure is managed by Octopus, we will follow GDPR guidelines for securing the infrastructure on which the Octopus Deploy application runs, and for responding/notifying data subjects if a data breach is detected.
|Platform||Purpose / Data Stored||Contact Point||GDPR Compliant|
|Amazon Web Services||Cloud computing platform. Operational instances of Octopus Deploy, logging and backups that contain PII stored in the Octopus Deploy application||Octopus Deploy||Compliant|
|Azure||Cloud computing platform. Logging and backups that contain PII stored in the Octopus Deploy application||Octopus Deploy||Compliant|
Octopus Support and GDPR
In the event we are provided with a backup of your Octopus Deploy database (usually for the purpose of diagnosing an issue) we:
- Purge PII about data subjects (as described earlier)
- Scrub sensitive data, we will also not store your data for longer than it takes to resolve the issue (typically a few days, but longer if necessary) while it is being used it is stored on full disk encrypted hard drives
When a customer contacts Octopus they can optionally use any of the following services:
|Platform||Purpose / Data Stored||Contact Point||GDPR Compliant|
|Discourse||Public help forums, data subject name, email any other PII supplied||Octopus Deploy||Compliant|
|Slack||Company slack contains alerts for support queries, trial requests and licence purchases. Community chat about Octopus, for data the stored see here see here, any other PII supplied||Octopus Deploy||Compliant|
|HelpScout||Email Octopus Deploy support, data subject name, email any other PII supplied||Octopus Deploy||Compliant|
|Disqus||Blog comments, data subject name, email any other PII supplied||Octopus Deploy||Compliant|
|GitHub||Cloud based version control and issue tracker, data subject name, email any other PII supplied||Octopus Deploy||Compliant|
|SmartFile||Sending files to Octopus for the purpose of support, any PII supplied example in database backups||Octopus Deploy||Compliant|
|Dropbox||File hosting service for the purpose of support / tracking customers, billing and contact data subject PII||Octopus Deploy||Compliant|
Frequently Asked Questions FAQ
Where can I access my data?
- If the data is hosted within Octopus, you can visit the My Profile page.
- If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in determining which systems house your data.
How can I change or erase data about me?
- If the data is hosted within Octopus, you will need to contact those responsible for administering your Octopus installation.
- If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in making changes or deletions.
We are here to help, we can help customers and their Octopus administrators meet requirements outlined under the GDPR. If you have any questions about this or you want to access, correct, or request that we delete your personal data email us directly.