Part of the benefit of being a relatively small distributed company in the Internet cloud age is that we can have a global reach without requiring a lot of infrastructure and overhead. We have customers all over the world, but we have almost no presence anywhere beyond our home office. Our people can work from anywhere with a good Internet connection. Since we work in the cloud, most of our computer systems are in places we have never been. We don’t even handle payment information directly in any of our workplaces. Payment information is passed directly to our payment processors. Working in the cloud age helps all of this work smoothly and safely with very little physical infrastructure required.
The downside of all of that is that our customers are all over the place, including legal jurisdictions all over the world. The regulatory world hasn’t really caught up with the idea of cloud based distributed companies. We want to comply with all applicable requirements, but understanding what requirements apply to us in various locations isn’t always easy.
The GDPR has brought this challenge front and center for us. We do not have any actual presence in any European countries. However, we do have customers in nearly all European countries, and are subject to some data privacy protections where those customers are located. That makes sense, and we want to be good citizens, but as with many other Internet based companies it can be daunting to figure out how the regulations apply to us.
Fortunately for us, the principles established in the GDPR are principles that we were already following in our normal practices. Our customers are businesses and providers of Internet based services, and for the most part we don’t provide services to individual end users. Additionally, our customers manage their own data, have full access to the information in our systems, and we don’t process or use the information they set up in our service beyond what they configure for their own use.
We did find that there were a few requirements related to the GDPR that, while our prior practices were basically already in compliance, weren’t clearly articulated in our Terms of Service or Privacy Policy. So, we’re updating both documents to more clearly set out how our policies and practices address these areas. The updates will take effect on 2018-05-18
This includes more clearly stating that we are not collecting or processing data beyond what our customers configure to use for their monitoring. We only use contact information in our system to provide the monitoring you configure, and send the notifications you set up in the way you configure them. Our customers can download their own data whenever they want to. Beyond that, we don’t use or process information from our customers.
This is our normal practice, and applies to everyone. We don’t maintain a separate policy for customers in Europe.
Since we are a data processor, and the data is under the control of our customers who are themselves businesses providing services to others, for GDPR purposes we are a Processor rather than a Controller. Since we don’t have a presence in any EU countries, and we provide processing services to controllers in several EU countries, according to the guidelines published by the Article 29 Working Party, the lead supervisory authority will be the supervisory authority that is competent to act as lead for the controller.
If you are a data controller in a European country, or even if you aren’t, you may have questions about our systems that are necessary for you to comply with obligations you have in your location, and for your customers. If you have questions or concerns that aren’t addressed in our updated policies, please let us know.
UPDATE: We have now received our Privacy Shield certification, which required our Privacy Policy to be updated again to meet those requirements. The most recent changes are aimed specifically at the certification requirements. As always, you can see our current Privacy Policy and our Terms of Service on our web site.
NodePing 