IDC Technology Spotlight SaaS WebOps Solutions Read the Report

Pantheon and GDPR Compliance Update

You’ve likely heard about the General Data Protection Regulation (GDPR), the new data privacy law that defines a framework for how companies use and protect European Union citizen data.  

Pantheon complies with all applicable data privacy laws, including GDPR.

Pantheon has the dual responsibility of meeting our platform GDPR obligations as well as providing controls so customers can achieve compliance. If you hold or process the data of any European citizen, then GDPR applies to your organization, whether or not you’re located in the EU.

General Data Protection Regulation (GDPR)

What has Pantheon done for GDPR?

Pantheon has updated our Terms of Service to be compliant (in May, 2018).

For customers with contracts that supercede the terms of service, a DPA (Data Processing Addendum to your contract) is available through sales.

Additionally, we we have reviewed our policies for data gathering and retention and updated our privacy policy and cookie policy.

For customers needing to transfer data out of the EU into the US, Pantheon complies with Privacy Shield, both EU-US and SWISS-US, a GDPR approved mechanism for transferring data. Pantheon ensures that its data sub-processors have valid transfer mechanisms in place.

We have always been conservative on the information we gather from our customers, limiting it to the minimum required for us to support them. Pantheon gathers only very high level information about the people operating on our platform: names, email addresses, organization, and titles. On some occasions we may also have mailing addresses, IP addresses, or phone numbers based on past interactions with the platform. We also keep a history of support requests (tickets or chat), as it helps us be more effective at providing the high level of support our platform is recognized for.

Some of that data is additionally scheduled to be automatically anonymized or expire on a set schedule. For example: site data is deleted 30 days after service is terminated. In addition, we have reviewed the GDPR compliance efforts of all our third party vendors (“sub-processors” in GDPR terms) and are working with them as necessary.

How can Pantheon help you with GDPR ?

As always, you have full control over site deletions, and we guarantee that deleted sites will disappear from our systems, including any associated databases. Removing data from Pantheon should never be a problem.

For most sites today, we keep automated daily backups for seven days and the last four weekly backups. Users have control over the retention of their manual backups with a maximum of six months, after which they are deleted.

We host sites and store backups in ISO 27001 / FedRAMP certified data centers. This complies with GDPR, as the regulation governs the protection of customer data and does not require EU data residency.

GDPR imposes monetary fines for transfers of personal data out of the EU in violation of the Regulation. Approved transfer mechanisms for personal data out of the EU include: model contractual clauses, binding corporate rules, and accredited third party certifications, such as Privacy Shield. Pantheon is certified by Privacy Shield. We ensure that our sub processors have a valid transfer mechanism in place.

Our Global CDN includes free HTTPS/TLS. Automatic provisioning and updating makes having the latest website encryption and maintaining updated digital certificates effortless. Customers using our legacy edge should consider upgrading to our Global CDN if they are interested in maintaining confidentiality of sensitive data.


Pantheon takes security of PII and personal data very seriously. If you have any questions feel free to reach us at:

This article is an update from our original GDPR Plan Announcement in May of 2018 

You may also like:



Topics Security

Let’s get in touch