Basics of GDPR in bucket.io
Overview
Bucket.io prioritizes customer trust. We know that customer data is central to our customers' values and operations, which is why we keep it private and secure.
Bucket.io supports thousands of customers in over 120 countries and territories. Our customers entrust us with large amounts of information.
Bucket.io helps customers maintain control of their privacy and data security in a myriad of ways:
- Data Security: We maintain high security standards, including encryption of data in transit over public networks, auditing standards, Distributed Denial of Service ("DDoS") mitigation, and a Support team available for outreach.
- Disclosure of Customer Service Data: bucket.io only discloses Service Data to third parties where disclosure is necessary to provide services or as required to respond to lawful requests from public authorities.
- Trust: bucket.io has developed security protections and control processes to help our customers ensure a secure environment for their information.
- Access Management: bucket.io provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the bucket.io services and as otherwise required by law.
What is Service Data?
Service Data is any information, including personal data, that is stored in or transmitted via the Bucket.io services by, or on behalf of, our customers and their end-users.
Who owns and controls Service Data?
From a privacy perspective, the customer is the controller of Service Data and Bucket.io is a processor. This means that for as long as a customer subscribes to Bucket.io services, the customer retains ownership of and control over the Service Data in its account.
Who are Bucket.io's sub-processors?
Bucket.io maintains an up-to-date list of the names and locations of all sub-processors (including members of the Bucket.io Group and third parties) used for hosting or other processing of Service Data. The list can be found on the bucket.io website.
How does Bucket.io use Service Data?
We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communications related to the services.
What steps does Bucket.io take to secure Service Data?
Bucket.io prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to keep customer and business data protected.
For example, Bucket.io servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities.
Where will Service Data be stored?
Bucket.io currently has data centers in the United States and plans to add regional data centers in the future.
How does Bucket.io respond to information requests?
Bucket.io recognizes that privacy and data security issues are top priorities for customers.
- Where we need to act publicly to protect customers, we do. Bucket.io has voiced its support for the USA Liberty Act, which seeks to reform the surveillance program under Section 702 of the Foreign Intelligence Surveillance Act ("FISA").
How does Bucket.io respond to legal requests for Service Data?
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe this is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.
Does bucket.io process personal data of our customers?
Where do we send customer data?
Can you guarantee that my data will stay in a certain location (e.g., Europe)?
Bucket.io services require that all data be transferred to the US, where it is stored, as noted above. Additionally, our employees and contractors may require access to data stored in the EU from a non-EU country (e.g., US or Colombia) for technical and support related requests and troubleshooting. In cases where data is transferred outside of the EU, Bucket.io is committed to ensuring that such transfers comply with applicable data transfer laws, including the GDPR.
EU Directive
The EU Data Protection Directive (also known as "Directive 95/46/EC") addressed the processing of personal data and the free movement of such data. Broadly, the Directive set out a number of data protection principles and requirements that must be adhered to when personal data is processed. It was repealed and replaced by the GDPR on May 25, 2018.
Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
How does the EU Directive apply to customers?
Bucket.io customers that collect and store personal data are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal data complies with relevant EU data protection law, including Directive 95/46/EC and, as of May 25, 2018, the GDPR that replaced it.
What is a Data Processing Agreement ("DPA")?
Bucket.io offers customers a robust Data Processing Agreement ("DPA") governing the relationship between the customer (acting as a data controller) and Bucket.io (acting as a data processor). The DPA facilitates Bucket.io's customers' compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments and has been updated to confirm our compliance with the GDPR as of May 25, 2018. Our DPA contains data transfer frameworks so that our customers can lawfully transfer personal data to Bucket.io outside of the European Union by relying on one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses. (Note that the EU-US Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020, so transfers should rely on one of the other two mechanisms.) To execute the DPA, download a copy here, sign it, and email it to firstname.lastname@example.org with the subject "DPA compliance document". Please also include the name of the bucket.io account user (you) and the email address associated with the bucket.io account in the body of the email.
What are the "Model Clauses"?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses ("Model Clauses") that give a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area ("EEA"). The Model Clauses are appended to the Bucket.io DPA to help provide adequate protection for data transferred outside of the EEA or Switzerland.
Does Bucket.io replicate the Service Data it stores?
Yes. Bucket.io periodically replicates data for archival, backup and audit-log purposes. We use Amazon Web Services (AWS) to store some of the backed-up information, such as database information and attachment files.
Does Service Data hosted in the EU region ever leave that region?
Bucket.io may use any of its data centers (currently located in the United States) to host Service Data, although there are plans to offer a choice of data storage location in the future.
GDPR
Since our founding, Bucket.io's model has been anchored in a strong commitment to privacy, security, compliance and transparency. This includes supporting our customers' compliance with EU data protection requirements, including those set out in the General Data Protection Regulation ("GDPR"), which became enforceable on May 25, 2018.
If a company collects, transmits, hosts or analyzes the personal data of individuals in the EU, the GDPR (Article 28) requires it to use only data processors that provide sufficient guarantees that they will implement the technical and organizational measures the GDPR requires. To further earn our customers' trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement the additional contractual provisions required by the GDPR. Our contractual commitments ensure that customers can:
- Respond to requests from data subjects to correct, amend or delete personal data.
- Be notified of personal data breaches and report them to the relevant supervisory authorities and data subjects within the GDPR timeframes (72 hours from the controller becoming aware, for notification to the supervisory authority).
- Demonstrate their compliance with the GDPR as pertaining to Bucket.io’s Services.