You’ve likely heard about the General Data Protection Regulation (GDPR), the new data privacy law that defines a framework for how companies use and protect European Union citizen data. With the GDPR enforcement date approaching—May 25th, 2018—we want to take this opportunity to communicate our compliance approach.
Pantheon has the dual responsibility of meeting our platform GDPR obligations as well as providing controls so customers can achieve compliance. If you hold or process the data of any European citizen, then GDPR applies to your organization, whether or not you’re located in the EU.
What is GDPR?
GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. It strengthens the protection of “personal data” and the rights of the individual.
GDPR’s main tenets are:
Privacy by Design
Right to Access
Right to be Forgotten
What is Pantheon doing for GDPR?
We have always been conservative on the information we gather from our customers, limiting it to the minimum required for us to support them. However, in order to meet the standards required by GDPR we are making a number of important changes.
We will update all our policies/information to be compliant before May 25:
This includes but is not limited to:
Our Data Processing Addendum (DPA)
Documenting our data retention policies
Our updated policies will contain all the specific details of our compliance regimen as required by GDPR. However, in lay terms, we are taking a number of steps to protect our users and comply with the law.
We are reviewing our data gathering and retention practices:
Pantheon gathers only high-level information about the people operating on our platform: names, email addresses, organizations, and titles. On some occasions we may also have mailing addresses, IP addresses, or phone numbers based on past interactions with the platform. We also keep a history of support requests (tickets or chat), as it helps us be more effective at providing the high level of support our platform is recognized for.
Some of that data is additionally scheduled to be automatically anonymized or to expire on a set schedule. In addition, we are actively reviewing the GDPR compliance efforts of all our third-party vendors (“sub-processors” in GDPR terms) and are working with them as necessary.
We are reviewing data retention policies:
We plan to be compliant and will delete all user data for any customer upon request. In addition to that, we are reviewing our general policies around data retention in order to further reduce risks.
This pertains to site data as well. We strive to provide the best service for our customers at all times, and historically this has meant retaining sandbox sites indefinitely so developers could resume work at any time. However, in a post-GDPR era, these neglected sandboxes can represent a liability for our users. As part of our compliance program we will likely reduce the time we retain older/frozen sites’ backups.
We are fast-tracking elements of our security roadmap:
Pantheon has already gone through external audits and pentests, and runs an active bug bounty program. We are already compliant with Privacy Shield, both EU-US and Swiss-US, and are actively working towards SOC 2 compliance.
As part of this effort in light of GDPR, we are reviewing our internal policies to ensure a high level of security and transparency. Specifically, we are improving some policies around breach notifications, and adding additional security for the limited personal customer data we do retain.
How can Pantheon help you with GDPR?
As always, you have full control over site deletions, and we guarantee that deleted sites will disappear from our systems, including any associated databases. Removing data from Pantheon should never be a problem.
For most sites today, we keep automated daily backups for 7 days and the last 4 weekly backups. Users have control over the retention of their manual backups with a maximum of 6 months, after which they are deleted.
We host sites and store backups in ISO 27001 / FedRAMP certified data centers. This complies with GDPR, as the regulation governs the protection of customer data and does not require EU data residency.
GDPR imposes monetary fines for transfers of personal data out of the EU in violation of the Regulation. Approved transfer mechanisms for personal data out of the EU include model contractual clauses, binding corporate rules, and accredited third-party certifications such as Privacy Shield. Pantheon is certified by Privacy Shield. We ensure that our sub-processors have a valid transfer mechanism in place.
Our Global CDN includes free HTTPS/TLS. Automatic provisioning and renewal make keeping the latest website encryption and up-to-date digital certificates effortless. Customers using our legacy edge should consider upgrading to our Global CDN if they are interested in maintaining the confidentiality of sensitive data.
Pantheon takes the security of PII and personal data very seriously, and we will be fully GDPR compliant on May 25th. If you have any questions, feel free to reach us at: firstname.lastname@example.org