Qbox is fully committed to achieving compliance with the General Data Protection Regulation (GDPR) by the May 25 deadline.
Update to original post: Our GDPR policies and requirements were fully met by May 25, 2018. See our updated Privacy Center here.
Before we go further, let us state clearly that we do not, nor have ever, sought to analyze, combine, collate, provide to a third party, or otherwise draw insights from any data that resides on our customer’s clusters. For the purposes of delivering uptime and availability, we mostly access machine-generated data pertaining to the health of your cluster and your indexes. For those that host data that might be subject to the regulation, you should obtain a Data Processing Addendum (DPA) for your compliance purposes. Qbox meets the definition of a “processor”, whereas you, the customer, meet the definition of “controller” (see below). The exception to this is when we collect data about our customers during the normal course of providing our service.
A Condensed List of What We Have Done
- Created a Data Processing Addendum (DPA). You can get yours here, or read more about it here.
- Created a “cookie-bot” tool that allows users to know and to modify what is being tracked about their behavior on the site
- Appointed a Data Protection Officer
- Obtained our own Data Processing Addenda from third parties that we use for sales, support, and marketing purposes.
- Created a Privacy Center, which more transparently explains your options
- Created a “Right to Be Forgotten” form for users who wish us to expunge completely any information that we have collected
- Defined our data retention policies with regard to our sales, support, and marketing data
- Streamlined support processes to ensure maximal compliance with the regulation when interacting in real time with our support staff
Who Is Subject to GDPR?
The regulation is pretty clear that both our company and our customers are subject to the regulation, by definition, no matter where your business is domiciled. Our business of hosting infrastructure, specifically databases like Elasticsearch and container orchestration like Kubernetes, means that the likelihood is high that, even if you do not reside in the EU, you have data on residents of the EU. Second, we broke down our data collection efforts into three processes: “using our service”, support, and sales and marketing. Each of these will be discussed below, but if you are reading this, you are probably most keenly seeking our compliance for your downstream data.
Do I Need to Obtain a Data Processing Addendum (DPA)?
You will need to obtain a DPA if:
- You are using our service to host data about subjects of the European Union
- Are marketing to subjects of the European Union
- Have downstream customers that might have personally identifiable information about subjects of the European Union
Even if you do not meet the above criteria, we need you to affirm your compliance within our dashboard. You will notice an annoying red banner that asks you to affirm either: “I do not transfer data from the EU” or “I need a DPA.”
We disclose the third parties that we use for aggregating and analyzing our sales, marketing, and support data that is collected for the purpose of delivering our service. With this data, you have the right to:
- View the information that we collect with our cookie-bot
- Request your “Right to Be Forgotten”
- Request “data portability”, or for us to export what we know about you and send it to you
We also have disclosed our data retention policy for customers that are no longer customers of Qbox.
How Will I Know That Your Vendors Are Compliant?
We have compiled a list and obtained our own DPA’s from vendors. This list can be retrieved here.
Under what circumstances can Qbox access data residing on our Qbox nodes?
To state again, it is important to understand the fundamental truth that we do not ever seek access to our customer’s data. We use data generated by machines to assess your cluster health, node health, and index health in order to provide the uptime and availability that is required of us to meet our Service Level Agreements. In rare circumstances, customers may require us to examine logs to ascertain some facts about the health of your Elasticsearch performance. Generated logs may contain data points, but those logs are never subject to analysis by machine or human. Customers that need to us to access this data will need to have a DPA on file.
What is the difference between a data processor and data controller?
It is clear that Qbox meets the definition of a data processor, whereas you, the customer, are the data controller. In most cases, neither Qbox employees nor tools even know what type of data you have, whereas you, the customer, control the “purposes and means” and the “why and how” that this data will be utilized. Thus, you, the customer, must be responsible for your own GDPR Compliance.
How Can I Contact Your Data Protection Officer?
Qbox has hired an attorney specializing in privacy issues and data protection compliance to be our Data Protection Officer (DPO). The DPO will be regularly auditing our practices to ensure compliance with our handling of sales, marketing, and support data, as well as protecting the security and transfer of the data residing on our customers’ nodes. All inquiries can be directed to privacy[at]qbox.io.
We could not be more aware that SLA Support and our competency at managing clusters at scale is the sole reason customers pay us in the first place. We hope that these changes will give you the confidence to both trust our service and be compliant yourself.