General Data Protection Regulation (GDPR)
This page is specifically about the European Union's General Data Protection Regulation (GDPR).
For more general privacy information, see our privacy policy.
Octopus Deploy's GDPR compliance
The European Union's General Data Protection Regulation (GDPR) approved and adopted by the EU Parliament in April 2016 aims primarily to give control back to EU citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
As the GDPR came into effect on the 25th of May 2018, all companies processing and storing the personal data of subjects residing in the EU must comply with it, regardless of their location.
Octopus and GDPR
Octopus is able to comply with the European Union's General Data Protection Regulation (GDPR). A priority at Octopus is the security of our customers' data. We have followed the EU's transition to the GDPR and continue to take important strides in the area of data protection, many which are applicable under the GDPR.
We are here to help
We can provide further details about categories of data, assistance in facilitating deletion of data subjects, and discuss the impact of such deletions. We are also introducing features into the Octopus Deploy application to help you meet requirements defined by the GDPR.
We value our customers and take all reasonable steps to protect their privacy. We follow up to date industry standards in securing infrastructure and how it relates to application code.
If a data breach does occur, Octopus Deploy is ready to respond in accordance with the GDPR.
Octopus Deploy will respond in accordance with rights granted by the GDPR when we receive a request to provide or delete a data subject's Personally Identifiable Information (PII).
Our Trust Team is ready to help you trust@octopus.com
Billing, octopus.com, and GDPR
Octopus Deploy stores PII on infrastructure we control and on 3rd Party systems for billing purposes. This includes starting a free trial without providing payment details. That data is comprised of:
- Company Details;
- a Technical Contact (name, email); and
- a Billing Contact (name, email, address).
- IP address.
| Entity | Contact | Onward data transfer location(s) | Purpose / Data Stored | Transfer mechanism |
|---|---|---|---|---|
| Stripe | dpo@stripe.com | USA, UK, Canada, Australia | Payment gateway. Data subject's name, email, credit card data and billing address | SCCs |
| Xero | Privacy policy | USA | Cloud based financial software. Data Subject's name, email and company name | SCCs |
| Azure | Privacy policy | USA, UK, EU, Australia, New Zealand, Canada | Cloud computing platform. Data subject's name, email, phone, billing address | SCCs |
| G-Suite | GDPR at Google | USA | Cloud productivity and collaboration tools, from Google. Data subject's name, email, phone, company name and billing address | SCCs |
| Sendgrid | legalnotices@twilio.com | USA, EU, UK | Cloud based email and marketing automation software. Data subject name and email | BCRs | Postmark | support@postmarkapp.com | USA | Email delivery assurance cloud based software. Data subject name and email | SCCs |
| Shopify | legal-orders@shopify.com | Canada, USA, Australia, UK | If you purchase Octopus merchandise, e.g. t-shirts. Data subject’s name, email address, billing address, and shipping address. | SCCs |
| Outreach | GDPR at Outreach | USA, Ireland, Belgium, Netherlands | Sales Engagement Platform. Data subject's name, email, phone, company name and billing address | SCCs |
| Salesforce | privacy@salesforce.com | USA | Sales CRM software. Data subject's name, email, phone, company name and billing address | SCCs |
| Docusign | privacy@docusign.com | EU | Electronic agreement software. Data subject's name, email, phone, company name and billing address | BCRs |
| Lever | privacy@employinc.com | USA, EU, UK, Australia, Canada | Talent acquisition software. Data subject's name, address, email, phone, education and employment history | SCCs |
| Marketo | dpo@adobe.com | UK, USA | Marketing automation platform. Data subject's name, email, phone, and company details. | SCCs |
| HotJar | dpo@hotjar.com | EU, USA, UK | User behavior analysis tool. Data subjects name, email, phone, cookie IDs. | SCCs |
| Stitch | privacy@qlik.com | EU, UK, Switzerland, USA | Data integration tool. Octopus license information, CRM & sales data, order information and support ticket details such and other data as may be transferred from one processing platform to another. | SCCs |
| Tackle | dataprocessing@tackle.io | USA | Marketplace automation platform. Data subject's name, email, phone, and company details. | SCCs |
| Gearset | security@gearset.com | UK, USA | Salesforce deployment & backup management platform. Data subject's name, email, phone, company name and billing address. | SCCs |
| OneTrust | dpo@onetrust.com | USA | Cookie consent management platform. Visitor preference information in relation to tracking and other scripts which may fire on Octopus websites. | SCCs |
| Snowflake | dpo@snowflake.com | USA | Cloud data storage platform, used for reporting and analytics. Data subject's name, email, phone, and company details. | SCCs |
| User Interviews | privacy@userinterviews.com | USA | A platform to find participants for, and facilitate, user interviews. Data subject's name, email, phone, and company details. | SCCs |
| Amplitude | privacy@amplitude.com | Product Analytics Platform for measuring behavioral product actions. Data includes a users company, country, region, device metadata and product events associated to an octopus user identifier. | SCCs | |
| Slack | privacy@slack.com | USA | Notifications from our websites to inform our employees of important interactions with customers . | SCCs |
In addition to the general purpose and identification of data set out above, sub-processors rendering services such as cloud services may also collect technical and behavioral data, such as internet protocol addresses, device identifiers, times of connection, etc., including as part of the inherent nature of supplying such services.
GDPR and Octopus Deploy
Your Octopus Deploy installation may be self-hosted on infrastructure Octopus does not have access to, or cloud-hosted on infrastructure managed by Octopus.
Data Protection Agreement (DPA)
Our Data Processing Agreement (DPA) is an addendum to our Customer Agreement, this means that as a customer you do not need to take any action to agree with our DPA.
Data Subjects and PII
The PII stored by your Octopus Deploy installation is limited to data about the users (data subjects):
- Names
- Email addresses
- Data related to 3rd party Single Sign On (SSO) services
- Behavioral data, through the audit log actions, including the time performed by data subjects exists and maps directly to the other PII they have supplied
PII not stored by your Octopus Deploy installation:
- Profile pictures may be displayed in the web portal, these are not stored by Octopus Deploy. This feature uses an external service called Gravatar which stores the data subject's email address and profile photo on the data subject's behalf.
Custom PII
Octopus Deploy enables your users to write and execute custom code. Octopus Deploy does not take any responsibility for PII recorded by custom code. You are solely responsible for the PII recorded by custom code.
GDPR and self-hosted Octopus
As a self-hosted customer of Octopus Deploy, your company hosts and manages the Octopus Deploy installation on your own infrastructure. Alternatively, you might have agreements with an external company to provide the hosting and management on your behalf.
Octopus Deploy staff do not have access to that infrastructure, the data stored on it, or the ability to log into that application.
Responsibilities outlined in the GDPR reside solely with your company (or the third-party company) related to storing and securing Personal Identifiable Information (PII) of data subjects and responding/notifying them if a data breach is detected.
GDPR and cloud-hosted Octopus
As a cloud-hosted customer of Octopus Deploy the infrastructure on which your Octopus Deploy installation runs is controlled, managed and secured by Octopus. Octopus staff have no "standing-access" to your installation instance. If you need assistance at any point, and you give us explicit permission to log in to your instance for the purposes of support.
In order to monitor and act on the health of customer instances, and to report on general feature usage, Octopus Deploy performs data-processing on task timings, network/disk/CPU utilization, and feature usage. Examples include deployment durations, timings of communication with external resources. No Personal Identifiable Information (PII) of data subjects stored in the instance forms part of this data processing.
Responsibilities outlined in the GDPR still reside with your company related to storing and securing Personal Identifiable Information (PII) of data subjects in your Octopus Deploy installation. The infrastructure is managed by Octopus, we will follow GDPR guidelines for securing the infrastructure on which the Octopus Deploy application runs, and for responding/notifying data subjects if a data breach is detected.
| Platform | Contact | Onward data transfer location(s) | Purpose / Data Stored | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services | Compliance support | USA | Cloud computing platform. Operational instances of Octopus Deploy, logging and backups that contain PII stored in the Octopus Deploy application | SCCs |
| Azure | Privacy policy | USA, UK, EU, Australia, New Zealand, Canada | Cloud computing platform. Operational instances of Octopus Deploy, logging and backups that contain PII stored in the Octopus Deploy application | SCCs |
| Sumo Logic | emea-privacy@sumologic.com | Germany | Cloud monitoring, log management, Cloud SIEM tools, and real-time insights | SCCs |
| Amplitude | privacy@amplitude.com | USA | Product Analytics Platform for measuring behavioral product actions. Data includes a users company, country, region, device metadata and product events associated to an octopus user identifier. | SCCs |
Octopus Support and GDPR
In the event we are provided with a backup of your Octopus Deploy database (usually for the purpose of diagnosing an issue) we:
- Purge PII about data subjects (as described earlier)
- Scrub sensitive data, we will also not store your data for longer than it takes to resolve the issue (typically a few days, but longer if necessary) while it is being used it is stored on full disk encrypted hard drives
When a customer contacts Octopus they can optionally use any of the following services:
| Platform | Contact | Onward data transfer location(s) | Purpose / Data Stored | Transfer mechanism |
|---|---|---|---|---|
| Discourse | regis.hanol@discourse.org | USA | Public help forums, data subject name, email any other PII supplied | SCCs |
| Slack | privacy@slack.com | USA | Company slack contains alerts for support queries, trial requests and license purchases. Community chat about Octopus, for the data stored see here, any other PII supplied | SCCs |
| Zendesk | privacy@zendesk.com | USA, Ireland, Germany, Japan, Australia | Email Octopus Deploy support, data subject name, email any other PII supplied | SCCs |
| Disqus | privacy@disqus.com | USA, India, Philippines | Blog comments, data subject name, email any other PII supplied | SCCs |
| GitHub | dpo@github.com | Cloud based version control and issue tracker, data subject name, email any other PII supplied | SCCs | |
| Azure | Privacy policy | USA, UK, EU, Australia, New Zealand, Canada | Cloud computing platform. Sending files to Octopus for the purpose of support, any PII supplied example in database backups | SCCs |
| Google - G Suite | GDPR at Google | USA | Email and file hosting service for the purpose of support / tracking customers, billing and contact data subject PII | SCCs |
| Sprout Social | privacy@sproutsocial.com | USA | Social Media Management Tool for the management of social media user engagement. If users interact with our social media accounts, this tool may collect social media profile information. Types of information varies depending on the social media platform and typically includes username, profile picture, and first/last name if provided), geographic location, usage, social media content (e.g. posts, comments, pages, profiles, likes, feeds) and engagement and analytics metrics, including social media metadata (e.g. number of social media followers, number of posts, number of tweets) | SCCs |
Frequently Asked Questions FAQ
Where can I access my data?
- If the data is hosted within Octopus, you can visit the My Profile page.
- If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in determining which systems house your data.
How can I change or erase data about me?
- If the data is hosted within Octopus, you will need to contact those responsible for administering your Octopus installation.
- If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in making changes or deletions.
Octopus and the invalidation of the EU-US Privacy Shield?
Despite the invalidation of the EU-US Privacy Shield recently, Octopus Deploy remains committed to meet GDPR compliant standards as per our GDPR statement (this page) and Privacy Policy to support the customers rights under GDPR in all jurisdiction that we store their data.
Octopus Deploy was not and is not a registered EU-US or Swiss-US Privacy Shield participant, as such the recent EU court decisions haven't changed the way that we operate and treat your data.
We are here to help, we can help customers and their Octopus administrators meet requirements outlined under the GDPR. If you have any questions about this or you want to access, correct, or request that we delete your personal data email us directly.