Legal

General Data Protection Regulation (GDPR)

This page is specifically about the European Union's General Data Protection Regulation (GDPR). For more general privacy information, see our privacy policy.

Octopus Deploy's GDPR compliance

The European Union's General Data Protection Regulation (GDPR) approved and adopted by the EU Parliament in April 2016 aims primarily to give control back to EU citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.

As the GDPR came into effect on the 25th of May 2018, all companies processing and storing the personal data of subjects residing in the EU must comply with it, regardless of their location.

Octopus and GDPR

Octopus is able to comply with the European Union's General Data Protection Regulation (GDPR). A priority at Octopus is the security of our customers' data. We have followed the EU's transition to the GDPR and continue to take important strides in the area of data protection, many of which are applicable under the GDPR.

We are here to help

We can provide further details about categories of data, assistance in facilitating deletion of data subjects, and discuss the impact of such deletions. We are also introducing features into the Octopus Deploy application to help you meet the requirements defined by the GDPR.

We value our customers and take all reasonable steps to protect their privacy. We follow up to date industry standards in securing infrastructure and how it relates to application code.

If a data breach does occur, Octopus Deploy is ready to respond in accordance with the GDPR.

Octopus Deploy will respond in accordance with rights granted by the GDPR when we receive a request to provide or delete a data subject's Personally Identifiable Information (PII).

Our Trust Team is ready to help you trust@octopus.com

Billing, octopus.com, and GDPR

Octopus Deploy stores PII on infrastructure we control and on 3rd Party systems for billing purposes. This includes starting a free trial without providing payment details. That data is comprised of:

  • Company Details;
  • a Technical Contact (name, email); and
  • a Billing Contact (name, email, address)
  • IP address

Contact

Onward data transfer location(s)

Purpose / Data stored

Transfer mechanism

privacy@amplitude.com

Product analytics platform for measuring behavioral product actions. Data includes a users company, country, region, device metadata and product events associated to an octopus user identifier.

SCCs

dataprivacy@avalara.com

USA, EU, Switzerland, India, Brazil

Tax platform that contains data subject's name, company, email and billing address.

SCCs

USA, UK, EU, Australia, New Zealand, Canada

Cloud computing platform. Data subject's name, email, phone, billing address.

SCCs

privacy@docusign.com

EU

Electronic agreement software. Data subject's name, email, phone, company name and billing address.

BCRs

USA

Cloud productivity and collaboration tools, from Google. Data subject's name, email, phone, company name and billing address.

SCCs

security@gearset.com

UK, USA

Salesforce deployment & backup management platform. Data subject's name, email, phone, company name and billing address.

SCCs

dpo@hotjar.com

EU, UK, USA

User behavior analysis tool. Data subjects name, email, phone, cookie IDs.

SCCs

privacy@employinc.com

Australia, Canada, EU, UK, USA

Talent acquisition software. Data subject's name, address, email, phone, education and employment history.

SCCs

dpo@adobe.com

UK, USA

Marketing automation platform. Data subject's name, email, phone, and company details.

SCCs

dpo@outreach.com

USA

Cookie consent management platform. Visitor preference information in relation to tracking and other scripts which may fire on Octopus websites.

SCCs

USA, Ireland, Belgium, Netherlands

Sales engagement platform. Data subject's name, email, phone, company name and billing address.

SCCs

EU

Planhat is a customer success SaaS platform that enables companies to automate tasks/workflows, collaborate internally and externally with their customers and to tell stories with company data.

SCCs

support@postmarkapp.com

USA

Email delivery assurance cloud based software. Data subject name and email.

SCCs

privacy@salesforce.com

USA

Sales CRM software. Data subject's name, email, phone, company name and billing address.

SCCs

legalnotices@twilio.com

USA, EU, UK

Cloud based email and marketing automation software. Data subject name and email.

BCRs

legal-orders@shopify.com

Australia, Canada, UK, USA

If you purchase Octopus merchandise, e.g. t-shirts. Data subject’s name, email address, billing address, and shipping address.

SCCs

privacy@slack.com

USA

Notifications from our websites to inform our employees of important interactions with customers.

SCCs

dpo@snowflake.com

USA

Cloud data storage platform, used for reporting and analytics. Data subject's name, email, phone, and company details.

SCCs

privacy@qlik.com

EU, Switzerland, UK, USA

Data integration tool. Octopus license information, CRM & sales data, order information and support ticket details such and other data as may be transferred from one processing platform to another.

SCCs

dpo@stripe.com

Australia, Canada, UK, USA

Payment gateway. Data subject's name, email, credit card data and billing address.

SCCs

dataprocessing@tackle.io

USA

Marketplace automation platform. Data subject's name, email, phone, and company details.

SCCs

privacy@userinterviews.com

USA

A platform to find participants for, and facilitate, user interviews. Data subject's name, email, phone, and company details.

SCCs

privacy@workato.com

USA

Tax Platform that contains data subject's name, company, email and billing address.

SCCs

USA

Cloud based financial software. Data Subject's name, email and company name.

SCCs

privacy@zuora.com

Billing Platform that contains data subject's name, company, email, credit card data, and billing address.

SCCs

In addition to the general purpose and identification of data set out above, sub-processors rendering services such as cloud services may also collect technical and behavioral data, such as internet protocol addresses, device identifiers, times of connection, etc., including as part of the inherent nature of supplying such services.

GDPR and Octopus Deploy

Your Octopus Deploy installation may be self-hosted on infrastructure Octopus does not have access to, or cloud-hosted on infrastructure managed by Octopus.

Data Protection Agreement (DPA)

Our Data Processing Agreement (DPA) is an addendum to our Customer Agreement, this means that as a customer you do not need to take any action to agree with our DPA.

Download the DPA

Data Subjects and PII

The PII stored by your Octopus Deploy installation is limited to data about the users (data subjects):

  • Names
  • Email addresses
  • Data related to 3rd party Single Sign On (SSO) services
  • Behavioral data, through the audit log actions, including the time performed by data subjects exists and maps directly to the other PII they have supplied

PII not stored by your Octopus Deploy installation:

  • Profile pictures may be displayed in the web portal, these are not stored by Octopus Deploy. This feature uses an external service called Gravatar which stores the data subject's email address and profile photo on the data subject's behalf.

Custom PII

Octopus Deploy enables your users to write and execute custom code. Octopus Deploy does not take any responsibility for PII recorded by custom code. You are solely responsible for the PII recorded by custom code.

GDPR and self-hosted Octopus

As a self-hosted customer of Octopus Deploy, your company hosts and manages the Octopus Deploy installation on your own infrastructure. Alternatively, you might have agreements with an external company to provide the hosting and management on your behalf.

Octopus Deploy staff do not have access to that infrastructure, the data stored on it, or the ability to log into that application.

Responsibilities outlined in the GDPR reside solely with your company (or the third-party company) related to storing and securing Personal Identifiable Information (PII) of data subjects and responding/notifying them if a data breach is detected.

GDPR and cloud-hosted Octopus

As a cloud-hosted customer of Octopus Deploy the infrastructure on which your Octopus Deploy installation runs is controlled, managed and secured by Octopus. Octopus staff have no "standing-access" to your installation instance. If you need assistance at any point, and you give us explicit permission to log in to your instance for the purposes of support.

In order to monitor and act on the health of customer instances, and to report on general feature usage, Octopus Deploy performs data-processing on task timings, network/disk/CPU utilization, and feature usage. Examples include deployment durations, timings of communication with external resources. No Personal Identifiable Information (PII) of data subjects stored in the instance forms part of this data processing.

Responsibilities outlined in the GDPR still reside with your company related to storing and securing Personal Identifiable Information (PII) of data subjects in your Octopus Deploy installation. The infrastructure is managed by Octopus, we will follow GDPR guidelines for securing the infrastructure on which the Octopus Deploy application runs, and for responding/notifying data subjects if a data breach is detected.

Contact

Onward data transfer location(s)

Purpose / Data stored

Transfer mechanism

USA

Cloud computing platform. Operational instances of Octopus Deploy, logging and backups that contain PII stored in the Octopus Deploy application.

SCCs

privacy@amplitude.com

USA

Product Analytics Platform for measuring behavioral product actions. Data includes a users company, country, region, device metadata and product events associated to an octopus user identifier.

SCCs

USA, UK, EU, Australia, New Zealand, Canada

Cloud computing platform. Operational instances of Octopus Deploy, logging and backups that contain PII stored in the Octopus Deploy application.

SCCs

emea-privacy@sumologic.com

Germany

Cloud monitoring, log management, Cloud SIEM tools, and real-time insights.

SCCs

Octopus Support and GDPR

In the event we are provided with a backup of your Octopus Deploy database (usually for the purpose of diagnosing an issue) we:

  • Purge PII about data subjects (as described earlier)
  • Scrub sensitive data, we will also not store your data for longer than it takes to resolve the issue (typically a few days, but longer if necessary) while it is being used it is stored on full disk encrypted hard drives

When a customer contacts Octopus they can optionally use any of the following services:

Contact

Onward data transfer location(s)

Purpose / Data stored

Transfer mechanism

USA, UK, EU, Australia, New Zealand, Canada

Cloud computing platform. Sending files to Octopus for the purpose of support, any PII supplied example in database backups.

SCCs

regis.hanol@discourse.org

USA

Public help forums, data subject name, email any other PII supplied.

SCCs

privacy@disqus.com

India, Philippines, USA

Blog comments, data subject name, email any other PII supplied.

SCCs

dpo@github.com

Cloud based version control and issue tracker, data subject name, email any other PII supplied.

SCCs

USA

Email and file hosting service for the purpose of support / tracking customers, billing and contact data subject PII.

SCCs

privacy@slack.com

USA

Company slack contains alerts for support queries, trial requests and license purchases. Community chat about Octopus, for the data stored see here, any other PII supplied.

SCCs

privacy@sproutsocial.com

USA

Social media management Tool for the management of social media user engagement. If users interact with our social media accounts, this tool may collect social media profile information. Types of information varies depending on the social media platform and typically includes username, profile picture, and first/last name if provided), geographic location, usage, social media content (e.g. posts, comments, pages, profiles, likes, feeds) and engagement and analytics metrics, including social media metadata (e.g. number of social media followers, number of posts, number of tweets)

SCCs

privacy@zendesk.com

Australia, Germany, Ireland, Japan, USA

Email Octopus Deploy support, data subject name, email any other PII supplied.

SCCs

Other important documents

Frequently asked questions

Where can I access my data?
  • If the data is hosted within Octopus, you can visit the My Profile page.

  • If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in determining which systems house your data.

How can I change or erase data about me?
  • If the data is hosted within Octopus, you will need to contact those responsible for administering your Octopus installation.

  • If the data relates to your contact with Octopus about purchasing, being the technical contact, or requesting support then you can contact us and we will assist in making changes or deletions.

Octopus and the invalidation of the EU-US Privacy Shield?

Despite the invalidation of the EU-US Privacy Shield recently, Octopus Deploy remains committed to meet GDPR compliant standards as per our GDPR statement (this page) and Privacy Policy to support the customers rights under GDPR in all jurisdiction that we store their data. Octopus Deploy was not and is not a registered EU-US or Swiss-US Privacy Shield participant, as such the recent EU court decisions haven't changed the way that we operate and treat your data.

We are here to help, we can help customers and their Octopus administrators meet requirements outlined under the GDPR. If you have any questions about this or you want to access, correct, or request that we delete your personal data email us directly.