Before we go further, let us state clearly that we do not seek, nor have we ever sought, to analyze, combine, collate, provide to a third party, or otherwise draw insights from any data that resides on our customers’ clusters. For the purposes of delivering uptime and availability, we mostly access machine-generated data pertaining to the health of your cluster and your indexes. If you host data that might be subject to the regulation, you should obtain a Data Processing Addendum (DPA) for your compliance purposes. Qbox meets the definition of a “processor”, whereas you, the customer, meet the definition of “controller” (see below). The exception to this is when we collect data about our customers during the normal course of providing our service.
A Condensed List of What We Have Done
Who Is Subject to GDPR?
The regulation is pretty clear that both our company and our customers are subject to the regulation, by definition, no matter where your business is domiciled. Our business of hosting infrastructure, specifically databases like Elasticsearch and container orchestration like Kubernetes, means that the likelihood is high that, even if you do not reside in the EU, you have data on residents of the EU. Second, we broke down our data collection efforts into three processes: “using our service”, support, and sales and marketing. Each of these will be discussed below, but if you are reading this, you are probably most keenly seeking our compliance for your downstream data.
Do I Need to Obtain a Data Processing Addendum (DPA)?
You will need to obtain a DPA if:
Even if you do not meet the above criteria, we need you to affirm your compliance within our dashboard. You will notice an annoying red banner that asks you to affirm either: “I do not transfer data from the EU” or “I need a DPA.”
We disclose the third parties that we use for aggregating and analyzing our sales, marketing, and support data that is collected for the purpose of delivering our service. With this data, you have the right to:
We also have disclosed our data retention policy for customers that are no longer customers of Qbox.
How Will I Know That Your Vendors Are Compliant?
We have compiled a list and obtained our own DPAs from vendors. Please contact our support team if you would like to review it.
Under what circumstances can Qbox access data residing on our Qbox nodes?
To state again, it is important to understand the fundamental truth that we do not ever seek access to our customers’ data. We use data generated by machines to assess your cluster health, node health, and index health in order to provide the uptime and availability that is required of us to meet our Service Level Agreements. In rare circumstances, customers may require us to examine logs to ascertain some facts about the health of their Elasticsearch performance. Generated logs may contain data points, but those logs are never subject to analysis by machine or human. Customers that need us to access this data will need to have a DPA on file.
What is the difference between a data processor and data controller?
It is clear that Qbox meets the definition of a data processor, whereas you, the customer, are the data controller. In most cases, neither Qbox employees nor tools even know what type of data you have, whereas you, the customer, control the “purposes and means” and the “why and how” that this data will be utilized. Thus, you, the customer, must be responsible for your own GDPR Compliance.
How Can I Contact Your Data Protection Officer?
Qbox has hired an attorney specializing in privacy issues and data protection compliance to be our Data Protection Officer (DPO). The DPO will be regularly auditing our practices to ensure compliance with our handling of sales, marketing, and support data, as well as protecting the security and transfer of the data residing on our customers’ nodes. All inquiries can be directed to firstname.lastname@example.org.
We could not be more aware that SLA Support and our competency at managing clusters at scale is the sole reason customers pay us in the first place. We hope that these changes will give you the confidence to both trust our service and be compliant yourself.