Last Updated: May 24, 2018
PIVOTAL NETWORK AND GDPR COMPLIANCE
OUR COMMITMENT TO YOU AND THE PROTECTION OF YOUR DATA
WHAT IS PIVOTAL, THE COMPANY BEHIND PIVOTAL NETWORK
CHANGES TO PIVOTAL’S PRIVACY POLICY
WHAT SPECIFIC INFORMATION DOES PIVOTAL NETWORK COLLECT ABOUT YOU AND HOW IS IT USED?
WHAT THIRD PARTIES DO WE SHARE INFORMATION WITH?
DATA PORTABILITY SOLUTIONS AND DATA MANAGEMENT TOOLS
PIVOTAL NETWORK AND DATA SECURITY AND RELIABILITY
DOES PIVOTAL PROCESS PERSONAL DATA OF ITS CUSTOMERS?
WHERE IS PIVOTAL NETWORK HOSTED, AND WHERE IS MY DATA LOCATED?
IS ANY CUSTOMER DATA STORED OUTSIDE OF THE UNITED STATES?
WHAT CONTROLS ARE IN PLACE TO PROTECT PIVOTAL NETWORK SERVERS AND DATA?
HOW IS CUSTOMER DATA BACKED UP?
DOES PIVOTAL NETWORK HAVE A DISASTER RECOVERY PLAN?
HOW DO YOU RESPOND TO KNOWN SECURITY VULNERABILITIES?
HOW CAN I GET MORE INFORMATION?
Pivotal is committed to the security and privacy of our customers. The General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and applies to any company processing the personal data of individuals in the EU, even if the company is not EU-based. The GDPR sets out how companies must handle privacy, store data securely, and respond to security breaches. It places obligations not only on the party that decides how personal data is used (the controller) but also on service providers processing that data on the controller’s behalf (processors) and on the third parties those providers subcontract (subprocessors).
Ultimately, the law makes it easier for customers to understand how we use and protect their personal information.
As a result, Pivotal has been working diligently to ensure that Pivotal Network is in compliance with the GDPR when GDPR comes into effect, without sacrificing the performance and quality that our customers have come to expect from Pivotal Network.
On this page, we’ll explain our methods and plans to achieve GDPR compliance both for Pivotal Network users and ourselves.
Pivotal Network is managed by Pivotal, a fast-growing cloud software company, backed by Dell, Ford, Microsoft, and VMware. Founded in 2013, Pivotal combines a leading cloud-native platform, tools, and methodology to empower the world’s largest organizations to adapt to change and build great software.
More can be found on the Pivotal website.
The GDPR contains significant obligations for companies that may have access to the personal data of EU citizens and residents. We appreciate that Pivotal Network users have their own requirements under GDPR that are affected by how they use Pivotal Network, and our global team is working diligently to comply with GDPR and to ensure our customers can comply with GDPR when using our service. We will continue to monitor GDPR developments and adjust our plans as necessary to stay current.
Some examples of steps that the Pivotal Network team is taking in order to satisfy GDPR requirements that apply to both Pivotal and our customers include:
Pivotal’s current Privacy Policy is available here, and the updates are effective as of May 25, 2018. The changes include:
Pivotal identifies personal information we collect about you and why in its Privacy Policy available here. Specifically, Pivotal will have access to the following information for Pivotal Network users:
Pivotal may share the information above with certain third parties, in each case in compliance with applicable privacy laws. Pivotal uses this information to let users sign up for and use Pivotal Network; to identify each user uniquely so that their activity in Pivotal Network can be logged for troubleshooting and auditing; to make their work in Pivotal Network searchable; to analyse usage so that the impact of changes to Pivotal Network can be measured and monitored and the service enhanced to meet user needs; and to send email such as security alerts and notifications of new Pivotal Network releases.
In addition to our GDPR compliance efforts, Pivotal Network offers the European Union Model Clauses (also known as Standard Contractual Clauses) to meet adequacy and security requirements for customers operating in the European Union and for other international transfers of customer data. This ensures that Pivotal remains compliant with applicable data protection requirements when users transfer personal data from the EU to the United States through Pivotal Network.
To support delivery of our Service Offering, Pivotal Network may engage and use data processors with access to certain customer data (each, a “Subprocessor”). Pivotal Network Subprocessors include:
Entity Name | Subprocessing Activities | Entity Country
--- | --- | ---
Amazon Web Services | Provides compute for both platform and customer workloads, object storage for platform and customer assets, object storage for platform logs, and data services for platform components. | Ireland (S3); United States (RDS, logs); Global (CDN)
Papertrail | Platform log aggregation | United States
Marketo | Email marketing | United States
Google Analytics | Web site analytics | United States
Visual Compliance | Export compliance | United States
Sendgrid | Sends out mailers | United States
Our Subprocessors may change as our product evolves. We will endeavor to provide customers with notices of any new Subprocessors, and post such updates here.
To assist our customers in their own efforts to comply with the GDPR, Pivotal Network provides the following compliance-related tools:
Pivotal Network user accounts can be removed by contacting privacy@pivotal.io.
Remaining compliant with the GDPR and applicable privacy laws requires ongoing review and iteration, and is of the utmost importance to Pivotal. The content of this document will be updated by Pivotal from time to time as more GDPR-related information becomes available. Should you have any questions, please do not hesitate to email us at privacy@pivotal.io.
Yes. In order to provide the Pivotal Network offering, Pivotal processes customer personal data for the limited purposes set forth in our Privacy Policy.
The Pivotal Network production environment runs on Pivotal Web Services.
Pivotal Network relies on a number of high-availability, scalable AWS services, including S3 and RDS for data storage. Pivotal Network’s S3 storage is in the AWS Ireland region, and its RDS database is in the AWS US East region.
Amazon Web Services compliance and security documentation can be found on the AWS Compliance site.
Pivotal Network does not store any customer credit card information.
All Pivotal Network services run within AWS regions in the United States and Ireland. Platform logs are securely transmitted to a subprocessor, Papertrail, whose SaaS offering resides in the United States.
Access to the production environment (on AWS) is restricted to a small subset of the Pivotal Network development and operations team, all of whom are highly trusted, permanent Pivotal employees located in the United States and Canada. Access is managed through AWS IAM.
All requests to the Pivotal Network platform are logged and indexed, and include originating IP information.
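The originating IP recorded in those request logs has a practical caveat when, as the subprocessor table notes, traffic reaches the platform through a CDN or load balancer: the application’s TCP peer is then the proxy, and the real client address has to be recovered from the X-Forwarded-For header, the leftmost part of which the client itself can forge. The Python below is an added example of the usual way to do this (walk the header from the right, skipping only hops you operate); it is not Pivotal Network’s code, the trusted proxy ranges and log lines in it are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical trusted proxy ranges: the CDN edge and load balancer hops that sit
# in front of the application. Constructed for this example; not Pivotal's ranges.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Return an address object, or None if the text is not a valid IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(text: str) -> bool:
    addr = _parse_ip(text)
    return addr is not None and any(addr in net for net in TRUSTED_PROXY_NETS)


def originating_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Recover the client address to log for one request.

    remote_addr is the TCP peer; x_forwarded_for is the raw header value.
    Each proxy appends the address it received the request from, so the
    rightmost entries were added by the hops nearest to us and the leftmost
    entry is whatever the client chose to send. Walking from the right and
    skipping only hops we operate yields the first address we did not add
    ourselves, which is the originating client; everything to its left is
    attacker-controllable and is ignored.
    """
    if not _is_trusted_proxy(remote_addr):
        # Direct connection that bypassed our proxies: the header is untrusted.
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            # Malformed chain (for example, injected garbage): fall back to the peer.
            return remote_addr
        if not _is_trusted_proxy(hop):
            return hop
    # Every listed hop is one of ours, or the header was absent: the peer is the
    # best information available.
    return remote_addr


# Constructed sample access log lines (not real Pivotal Network logs) in a simple
# space-separated form: <remote_addr> <x-forwarded-for or "-"> <method> <path>.
SAMPLE_LOG = """\
10.1.2.3 203.0.113.5,198.51.100.7,192.0.2.10 GET /products
10.1.2.3 - GET /releases/42
198.51.100.9 203.0.113.5 GET /login
10.1.2.3 not-an-ip,192.0.2.10 POST /api_token
"""


def origins_from_log(text: str) -> List[Tuple[str, str]]:
    """Return (originating_ip, path) for each log line, using the logic above."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        remote_addr, xff, _method, path = line.split(" ", 3)
        out.append((originating_ip(remote_addr, None if xff == "-" else xff), path))
    return out


if __name__ == "__main__":
    for origin, path in origins_from_log(SAMPLE_LOG):
        print(f"{origin:>15}  {path}")
```

The first sample line is the important one: the client prepended a fake 203.0.113.5, the CDN (192.0.2.10) and load balancer (10.1.2.3) each appended the peer they saw, and the address that gets logged is 198.51.100.7, the first hop the platform did not add itself. A request that arrives without passing through a trusted proxy is logged with its TCP peer regardless of any header it carries.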
All connections to the Pivotal Network platform use TLS (historically referred to as SSL); the protocol version negotiated depends on the user’s browser settings. Certificates are signed with SHA-256 and RSA (sha256WithRSAEncryption); the “encryption” in that name refers to the RSA signature algorithm, not to encryption of the certificate itself.
Pivotal Network utilizes the AWS RDS Multi AZ instances, with daily backup capability provided by AWS RDS Snapshots.
Beyond the RDS snapshots described above, customer data stored in AWS S3 and RDS is not separately backed up, because we treat both as durable storage. Note that storage durability guards against loss of the underlying infrastructure, not against accidental deletion or logical corruption of the data; for the database, the daily RDS snapshots provide the recovery point for such cases. Information about AWS S3 durability can be found here.
The Pivotal Network Engineering team maintains a documented disaster recovery process that involves internal contact and escalation procedures, user communication, hosting provider contact and escalation, as well as system recovery instructions.
Should the Availability Zone hosting our database services go down, the primary instance fail, or any other event make the primary database instance unavailable, the RDS Multi-AZ deployment handles it by failing over automatically to the standby instance in another Availability Zone.
From time to time, vulnerabilities are identified in widely used software tools and libraries that could be exploited. The Pivotal Network team monitors various sources, including internal Pivotal IT security announcements, for newly disclosed vulnerabilities and takes immediate action to address any that affect Pivotal Network.
Security patches and updates are applied continuously, and we have enabled automatic maintenance updates for our AWS resources.
Pivotal Network relies on a number of high-availability, scalable AWS services, including S3 and RDS for data storage. As an infrastructure-as-a-service (“IaaS”) provider invested in the security of its environments, AWS holds a wide range of industry certifications and independent third-party attestations. Detailed IaaS-specific security information can be obtained from AWS Cloud Compliance. The following are some examples of security certifications held by AWS:
For any questions or additional information, please email pivnet-eng@pivotal.io.
Disclaimer: This document is provided for informational purposes only and represents Pivotal’s current offerings as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of Pivotal’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from Pivotal, its affiliates, suppliers or licensors. The responsibilities and liabilities of Pivotal to its customers are controlled by Pivotal agreements, and this document is not part of, nor does it modify, any agreement between Pivotal and its customers.