Pivotal is committed to the security and privacy of our customers. The General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and will impact any company processing the data of EU citizens or residents, even if the company is not EU-based. The GDPR sets forth how companies should handle privacy issues, securely store data, and respond to security breaches. GDPR places obligations on both service providers (the controller) but also to third parties subcontracted by service providers (subprocessors).

Ultimately, the law makes it easier for customers to understand how we use and protect their personal information.

As a result, Pivotal has been working diligently to ensure that Pivotal Network is in compliance with the GDPR when GDPR comes into effect, without sacrificing the performance and quality that our customers have come to expect from Pivotal Network.

On this page, we’ll explain our methods and plans to achieve GDPR compliance both for Pivotal Network users and ourselves.

WHAT IS PIVOTAL, THE COMPANY BEHIND PIVOTAL NETWORK

Pivotal Network is managed by Pivotal, a fast-growing cloud software company, backed by Dell, Ford, Microsoft, and VMware. Founded in 2013, Pivotal combines a leading cloud-native platform, tools, and methodology to empower the world’s largest organizations to adapt to change and build great software.

More can be found on the Pivotal website.

PREPARING FOR THE GDPR

The GDPR contains significant obligations for companies who may have access to the personal data of EU citizens and residents. We appreciate that Pivotal Network users have their own requirements under GDPR that are impacted by how they use Pivotal Network, and our global team is working diligently to take steps to comply with GDPR and ensure our customers can comply with GDPR with use of our service. We will continue to monitor GDPR developments and adjust our plans as necessary to stay current.

Some examples of steps that the Pivotal Network team are taking in order to satisfy GDPR requirements that are applicable to both Pivotal and our customers include:

Reviewing and documenting data flows that involve customer information, including what personal data is stored and for what period of time
Reviewing and removing any unnecessary handling and storage of data
Defining, documenting, and implementing a process to regularly review and audit the data we hold
Updating our privacy policy (see below)
Listing all GDPR compliant subprocessors of personal data (see below)
Enabling the right to data portability
Defining, documenting, and implementing a process for handling “right to be forgotten” deletion requests
Executing Standard Contractual Clauses through our updated Data Processing Addendum in order to hold subprocessors to the same practices and standards to which we hold ourselves
Reviewing and documenting our data retention policy
Providing data privacy education for the Pivotal Network Engineering teams
Carrying out data impact assessments and, if appropriate, consulting with EU regulators
Informing our users that we use cookies, stating what their purpose is, also obtaining and recording consent to use them
Ensuring explicit opt-in for marketing emails
Making it clear how to remove consent for cookies or marketing emails

CHANGES TO PIVOTAL’S PRIVACY POLICY

Pivotal’s current Privacy Policy is available here, and the updates are effective as of May 25, 2018. The changes include:

Broadening to apply to mobile actions and other interactions (e.g., customer service inquiries, user conferences, etc.)
For EEA-based customers, requiring explicit consent to the new terms.
Offering European Union Model Clauses, also known as Standard Contractual Clauses, to meet security requirements of EEA-based customers.
More detailed instructions for requests for access, correction, deletion or transfer of personal information, or withdrawal of consent to processing
Instructions for EEA residents to contact their local EU Data Protection Authorities.

WHAT SPECIFIC INFORMATION DOES PIVOTAL NETWORK COLLECT ABOUT YOU AND HOW IS IT USED?

Pivotal identifies personal information we collect about you and why in its Privacy Policy available here. Specifically, Pivotal will have access to the following information for Pivotal Network users:

Email
Name
Company
Country
Pivotal Network User ID
IP address
Browser version
Device OS

Pivotal may share the information above with certain third parties, in each case in compliance with applicable privacy laws. Pivotal uses this information in order to enable users to sign up and use Pivotal Network, to be uniquely identified so that their activity in Pivotal Network is logged for troubleshooting and auditing purposes, so that their work in Pivotal Network can be searched for, for analysing usage so that the impact of changes to Pivotal Network can be measured and monitored, so Pivotal Network can be better enhanced to meet user needs, and so that we may send email such as Security Alerts, and notifications of new Pivotal Network releases.

INTERNATIONAL DATA TRANSFERS

In addition to our compliance efforts regarding the GDPR, Pivotal Network offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers that operate in the European Union, and other international transfers of customer data, in order to ensure that Pivotal is compliant with applicable data protection requirements if users transfer personal data using Pivotal Network from the EU to the United States.

WHAT THIRD PARTIES DO WE SHARE INFORMATION WITH?

To support delivery of our Service Offering, Pivotal Network may engage and use data processors with access to certain customer data (each, a “Subprocessor”). Pivotal Network Sub processors include:

Entity Name	Subprocessing Activities	Entity Country
Amazon Web Services	Provides compute for both platform and customer workloads, object storage for platform and customer assets, object storage for platform logs, data services for platform components.	Ireland - S3 United States - RDS, logs Global - CDN
Papertrail	Platform log aggregation	United States
Marketo	Email marketing	United States
Google Analytics	Web site analytics	United States
Visual Compliance	Export compliance	United States
Sendgrid	Sends out mailers	United States

Our Subprocessors may change as our product evolves. We will endeavor to provide customers with notices of any new Subprocessors, and post such updates here.

DATA PORTABILITY SOLUTIONS AND DATA MANAGEMENT TOOLS

To assist our customers in their own efforts to comply with the GDPR, Pivotal Network provides the following compliance-related tools:

Pivotal Network user accounts can be removed by contacting privacy@pivotal.io.

GO-FORWARD EFFORTS

Remaining compliant with the GDPR and applicable privacy laws requires ongoing review and iteration, and is of the utmost importance to Pivotal. The content of this document will be updated by Pivotal from time to time as more GDPR-related information becomes available. Should you have any questions, please do not hesitate to email us at privacy@pivotal.io.

PIVOTAL NETWORK AND DATA SECURITY AND RELIABILITY

DOES PIVOTAL PROCESS PERSONAL DATA OF ITS CUSTOMERS?

Yes. In order to provide the Pivotal Network offering, Pivotal processes customer personal data for the limited purposes set forth in our Privacy Policy.

WHERE IS PIVOTAL NETWORK HOSTED, AND WHERE IS MY DATA LOCATED?

The Pivotal Network production environment runs on Pivotal Web Services.

Pivotal Network relies on a number of high-availability, scalable AWS services, including S3, and RDS for data storage. Pivnet’s S3 is in Ireland, and Pivnet’s RDS Database is US East.

Amazon Web Services compliance and security documentation can be found on the AWS Compliance site.

Pivotal Network does not store any customer credit card information.

IS ANY CUSTOMER DATA STORED OUTSIDE OF THE UNITED STATES?

All Pivotal Network services run within AWS regions in the United States, and Ireland. Platform logs are securely transmitted to a subprocessor, Papertrail, whose SaaS offering resides in United States.

WHAT CONTROLS ARE IN PLACE TO PROTECT PIVOTAL NETWORK SERVERS AND DATA?

Access to the production environment (on AWS) is restricted to a small subset of the Pivotal Network development and operations team, who are all highly trusted, permanent Pivotal employees, located in the United States, and Canada. Access is managed by AWS IAM system.

All requests to the Pivotal Network platform are logged and indexed, and include originating IP information.

All connections to the Pivotal Network platform default to either SSL or TLS depending on the user’s browser settings. Certificates use SHA-256 with RSA encryption.

HOW IS DATA BACKED UP?

Pivotal Network utilizes the AWS RDS Multi AZ instances, with daily backup capability provided by AWS RDS Snapshots.

Customer data stored in AWS S3 and RDS is not backed up as we consider it durable storage. Information about AWS S3 durability can be found here.

DOES PIVOTAL NETWORK HAVE A DISASTER RECOVERY PLAN?

The Pivotal Network Engineering team maintains a documented disaster recovery process that involves internal contact and escalation procedures, user communication, hosting provider contact and escalation, as well as system recovery instructions.

Should the availability zone where our database services are go down, the primary instance fail, or any other event resulting in the primary database instance becoming unavailable, Amazon handles this with multi-AZ deployment.

HOW DO YOU RESPOND TO KNOWN SECURITY VULNERABILITIES IN PIVNET?

From time to time, vulnerabilities in widely used software tools and libraries are identified that could lead to undesirable exploits. The Pivotal Network team monitors various sources, including internal Pivotal IT security announcements, for new discoveries of such vulnerabilities, and takes immediate action to address any that affect Pivotal Network.

Security patches and updates are applied continuously, and we have enabled automatic maintenance updates for our AWS resources.

IS PIVOTAL NETWORK CERTIFIED TO ANY DOCUMENTED STANDARDS (E.G., ISO 27001, SSAE16 SOC-1, SOC-2, GSA, PCI, OR HIPAA)?

Pivotal Network relies on a number of high-availability, scalable AWS services, including S3, and RDS for data storage. As an infrastructure-as-a-service (“IaaS”) provider invested in the security of their environments, AWS makes use of a wide range of industry certifications and independent third-party attestations. Detailed IaaS-specific security information can be obtained from AWS Cloud Compliance. The following are some examples of security certifications held by AWS:

SOC 1, SOC 2, and SOC 3 reports
PCI DSS Level 1 certification
ISO 27001 certification
ISO 27017 certification

HOW CAN I GET MORE INFORMATION?

For any questions or additional information, please email pivnet-eng@pivotal.io.

Disclaimer: This document is provided for informational purposes only and represents Pivotal’s current offerings as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of Pivotal’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from Pivotal, its affiliates, suppliers or licensors. The responsibilities and liabilities of Pivotal to its customers are controlled by Pivotal agreements, and this document is not part of, nor does it modify, any agreement between Pivotal and its customers.

GDPR and Data Security FAQs

PIVOTAL NETWORK AND GDPR COMPLIANCE

OUR COMMITMENT TO YOU AND THE PROTECTION OF YOUR DATA