Legal

General Data Protection Regulation (GDPR)

This page is specifically about the European Union's General Data Protection Regulation (GDPR). For more general privacy information, see our privacy policy.

GDPR and Octopus Deploy

The General Data Protection Regulation (GDPR) aims to give individuals control over their personal data and simplify the regulatory environment for international business. Octopus Deploy is committed to complying with these regulations and supporting our customers in their own compliance journeys. This page outlines how we handle personal data across our different service offerings and deployment models.

Data subject rights and contact

We are here to help. Octopus Deploy is prepared to respond to requests related to the rights granted by the GDPR.

  • Data Subject Requests: If you require assistance in facilitating the access, provision, or deletion of a data subject's personal data, please contact our support team.
  • Data Breaches: In the event of a data breach, Octopus Deploy is ready to respond and notify you in accordance with our GDPR obligations.

Need assistance? Our Support Team is ready to help you at support@octopus.com.

Subprocessors

We utilize third-party subprocessors to deliver our services. The specific subprocessors involved depend on whether you are using Octopus Server or Octopus Cloud.

For a comprehensive and up-to-date list of our subprocessors, including their roles, data transfer locations, and processing purposes, please visit our Trust Center subprocessors page.

You can use the available filters on that page to view the relevant subprocessors based on your specific service or deployment type.

Deployment types and compliance

Your obligations under the GDPR depend on your chosen deployment model. To ensure you maintain compliance, it is important to understand the distribution of responsibilities between Octopus Deploy and your organization, as these roles differ between our self-hosted offering (Octopus Server) and our managed service (Octopus Cloud).

Octopus Server

As a self-hosted customer, you host and manage your installation within your own infrastructure. Octopus Deploy staff do not have access to that infrastructure, the personal data stored within it, or the ability to log into your application. Consequently, responsibilities for securing personal data, managing data subject rights, and breach notification reside solely with your organization.

Octopus Cloud

As an Octopus Cloud customer, the infrastructure hosting your installation is controlled, managed, and secured by Octopus Deploy. Our staff does not have "standing access" to your instance; we only access instances with explicit permission for the purpose of providing support.

While Octopus secures the underlying infrastructure and will notify you if a breach is detected within our managed environment, you maintain control over the purposes and means of your processing, and remain responsible for the personal data stored within your instance, including managing data subject rights and application-level breach notifications.

In order to monitor and act on the health of customer instances, Octopus performs data processing on task timings, network, disk, and CPU utilization. No personal data stored in your instance forms part of this telemetry processing. For a complete and up-to-date list of our third-party subprocessors, data transfer locations, and purposes, please visit our Trust Center subprocessors page.

Data Protection Agreement (DPA)

Our Data Processing Agreement (DPA) is an addendum to our Customer Agreement. This means that as a customer, you do not need to take any action to agree with our DPA.

View the Octopus Customer Agreement.

Data Ownership and Processing

Billing and account data

For billing and account management, including for customers starting a free trial, we process personal data on our corporate infrastructure and via third-party systems. This data is comprised of:

  • Company details
  • Technical contact (name, email)
  • Billing contact (name, email, address)
  • IP address

For a comprehensive list of the third-party subprocessors involved in these billing and account management processes, please visit our Trust Center Subprocessors page.

Personal data

Octopus Deploy is designed to support your GDPR compliance efforts by keeping our data processing practices transparent.

For detailed information regarding the categories of personal data we collect, our processing activities, and how we handle data subject rights, please refer to our Privacy Policy.

Custom code and shared responsibility

When using custom code, integrations, or APIs, your organization acts as the controller for the content and output of that code. You are responsible for ensuring that any personal data processed or stored via custom scripts aligns with your governance obligations. Octopus Deploy does not manage or assume responsibility for data handled within your custom code.

Generative AI

Octopus Deploy offers optional Generative AI features designed to accelerate DevOps processes and assist in deployment recovery. Our approach to these features prioritizes data privacy and security through the following principles:

  • Sub-processing and Training: We leverage pre-trained foundational models from enterprise vendors such as OpenAI and Anthropic. We do not use customer deployment data, prompts, or completions to train or fine-tune these models.
  • Data Security: AI models are hosted within private, secure cloud instances. Interactions are stateless, meaning your data is not stored by the models, and no history of interactions is retained by the AI sub-processors.
  • Data Location and Sovereignty: To accommodate regional compliance requirements, we provide an in-app region selector. This allows users to actively direct their AI traffic to US, EU, or global models based on their organization's data residency needs.
  • Sanitization: All logs related to AI features are actively sanitized to remove personal data before processing.

Note: These features are entirely optional. If you choose not to enable them, it will have zero impact on the core functionality of Octopus Server or Octopus Cloud.

For more detailed information on our AI governance and technical safeguards, please refer to our full AI Transparency Statement.

Supporting GDPR

Support and Diagnostics

When you provide a database backup for troubleshooting, we implement strict security measures to protect your information. We purge personal data from these backups, store them on full-disk encrypted drives, and retain them only for the duration required to resolve your issue.

For a complete and up-to-date list of our third-party subprocessors, data transfer locations, and purposes, please visit our Trust Center subprocessors page.

Other important documents

Frequently asked questions

Where can I access my data?
  • If the data is hosted within Octopus, you can visit the My Profile page.
  • If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in determining which systems house your data.
How can I change or erase data about me?
  • If the data is hosted within Octopus, you will need to contact those responsible for administering your Octopus installation.
  • If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in making changes or deletions.
Transatlantic data transfers and the EU-US Privacy Shield

Octopus Deploy was not a registered participant in the historic EU-US or Swiss-US Privacy Shield frameworks. Consequently, the past invalidation of the Privacy Shield did not alter how we operate or handle your personal data. We remain fully committed to meeting GDPR-compliant standards across all global data environments we manage, as outlined in our Privacy Policy and standard contractual terms.

We are here to support our customers and their Octopus administrators in fulfilling their obligations under the GDPR. If you have any questions regarding data transfers or wish to exercise your rights to access, correct, or delete your personal data, please contact us directly.