EU Data Protection

Updated: March 20, 2024


Summary

When you use our services, you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. We understand that there are particular concerns from companies in the EU about how we use and protect your data, so we put this page together as a guide to answer some of the most common questions you may have.

  • The Security and Privacy section provides an overview of our data center and app security, as well as our data retention policy.
  • The GDPR section provides detailed information about how we have prepared our services for the GDPR.
  • The DPA section explains how customers can obtain a Data Processing Addendum from us.
  • The Sub-processors section provides a list of our sub-processors under GDPR, and a way for you to get notified if/when we add a new sub-processor.

Security and Privacy

For detailed information about our security and privacy practices, you can view our privacy policy and data processing addendum. Below are some highlights.

Data centers and security measures

Data centers

PagerTree’s primary data and servers are hosted at Fly.io, in its sea (Seattle) region. We currently have no plans to add servers in the EU; GDPR does not require that personal data be physically stored in the EU, provided an approved transfer mechanism is in place (see the GDPR section below).

Fly.io Details

The Fly.io infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure Fly.io data centers. For a detailed overview of all security and privacy measures, see the Fly.io Security page.

Additional security measures

  • Data center security: The data centers we use maintain independent security attestations such as SOC 2 Type 1 (a point-in-time report on the design of their controls).
  • Access control: We restrict access to personal data only to our employees, contractors, and agents who need to know this information to operate, develop, or improve our service. Only a select few have access to the servers where data is stored. We go to great lengths to ensure the right balance between support and secure infrastructure. Employees can only access accounts if they have explicit permission from an account owner or the account is in review for compliance with the PagerTree Terms of Use.
  • Confidentiality agreements: Employees, contractors, and agents are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
  • App security: All access to the PagerTree interface is served over HTTPS (HTTP over TLS), so traffic between your browser and the service is encrypted in transit. Our TLS configurations are regularly and automatically scanned so that we can quickly remediate newly disclosed vulnerabilities (Heartbleed being a historical example). API and integration endpoints are likewise TLS-only. Account passwords are stored as salted one-way hashes in the PagerTree database, so even our own staff cannot view them. API keys can be rotated at any time from the PagerTree interface.
  • Fully redundant servers for the services.
  • TLS on all service endpoints.
  • Separately hosted documentation and marketing site.
  • TLS with 256-bit ciphers on the web app and payment processing.
  • All passwords are stored using one-way cryptographic hashing functions.
  • Hardened and patched OS with frequent security updates.
  • External monitoring and audits by highly respected security firms.
  • For even more detailed information about our security practices, you can review this help doc.
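The "one-way cryptographic hashing" bullet is the control that backs the claim that staff cannot read account passwords. As an added illustration (example code, not PagerTree's own), the following Python shows how a salted, memory-hard hash is stored and verified: the stored record contains only the scheme, its parameters, a per-user random salt and the derived digest, so nothing in the database can be reversed to the password. The record layout and the scrypt parameters are assumptions chosen for the example.

```python
"""Salted one-way password storage (added example, not PagerTree's code).

Assumed record format, one string per user:
    scrypt$<n>$<r>$<p>$<base64 salt>$<base64 digest>
"""
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Optional

# Assumed scrypt work factors: 2**14 * 8 * 128 bytes = 16 MiB of memory per
# hash, which fits under hashlib's default 32 MiB maxmem. Raise N as hardware
# allows; the parameters are stored in the record, so old hashes still verify.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a digest and return a self-describing record for storage.

    The salt is random per user, so two users with the same password get
    different records and a precomputed lookup table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return "$".join(["scrypt", str(N), str(R), str(P),
                     b64encode(salt).decode("ascii"),
                     b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare it.

    Malformed or foreign records return False rather than raising, so a
    corrupted row fails closed instead of crashing the login path.
    """
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = b64decode(salt_b64)
        expected = b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: what an operator would see in the users table.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login ok:     ", verify_password("correct horse battery staple", stored))
    print("wrong pw:     ", verify_password("Correct horse battery staple", stored))
```

The record carries its own parameters, so the work factor can be raised later without invalidating existing logins: verify with the stored parameters, then re-hash and overwrite the record on the next successful login.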

Data retention

As described on our pricing page, PagerTree retains alert and notification content and metadata for up to 1 year so that customers can access their full alert and notification history. After 1 year, that alert and notification data is deleted from our systems.

GDPR

EU General Data Protection Regulation (GDPR)

What is GDPR?

In 2016, the European Parliament and Council adopted the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). GDPR is a significant change in EU data protection law and replaces the previous legal framework (the 1995 Data Protection Directive and the member state laws implementing it). It has applied since May 25, 2018.

Why is GDPR important?

GDPR adds some new requirements regarding how companies should protect individuals’ data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches.

What has PagerTree done to comply with GDPR?

We have implemented changes, and our commitment to your privacy continues. Our compliance, data protection, and information security teams work to keep our services aligned with GDPR. As the Data Processor of your customer and end-user information, we provide a Data Processing Addendum meeting the requirements of GDPR. You can find it here.

We have worked hard to meet our obligations as a processor under Article 28 of GDPR. To this end:

  • We continue to process your customer and end-user data per your instructions.
  • We have implemented appropriate technical and organizational measures to protect the data with which you entrust us. You can view a detailed description of our security controls in Exhibit B (Security Measures) of our DPA.
  • We have provided a list of our sub-processors and will give you the opportunity to object if we engage a new one. You can access this list here.
  • We have instituted a policy informing and obligating our employees to maintain the confidentiality of your information.
  • We have instituted a procedure to assist you in complying with requests for access, amendment, or deletion that you may get from your customers or end users. See the “How do you manage access to my information (DSR requests)?” on this page.
  • We can inform you without delay in case of a data breach.
  • We will delete your customer/end-user information at the end of our agreement with you if you ask us.
  • Pursuant to Article 27 of GDPR, PagerTree LLC is small enough and does not process enough EU personal data to require a designated EU representative, and has not appointed one.

We have also updated our terms of service and privacy policy to provide greater transparency about our practices and help you pass that forward to your customers and end-users.

As guidance about specific aspects of GDPR continues to be published, we will also continue our efforts to fine-tune and improve our compliance.

We have addressed cross-border data transfers

Like the Data Protection Directive that preceded it, GDPR includes provisions on international data transfer mechanisms. In order to comply with these provisions, we have worked with legal counsel to create a standard Data Processing Addendum (DPA), which meets GDPR requirements for agreements between Data Controllers (you) and Data Processors (us).

Our DPA includes the Standard Contractual Clauses (SCC) for cross-border transfers. It also outlines in detail our current security practices. To receive and sign a copy of our DPA, please visit the Data Processing Addendum section on this page.

Does GDPR require that my information be stored in the EU?

No. Under GDPR a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. We offer a Data Processing Addendum (DPA) with Standard Contractual Clauses (SCC) to all customers.

How do you manage access to my information (DSR requests)?

Currently, we intend to service DSR requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at [email protected].

This request can include the personal data of other individuals, such as your employees or customers, that you have provided to us and who have made the request to you. We respond to these requests within 14 days, well within the GDPR requirement of one month (Article 12(3)).

We are here for you

We are happy to answer any questions and address any concerns regarding how we protect your personal data in general, as well as specifically under GDPR. If you have any questions, please don’t hesitate to contact us at [email protected].

DPA

We offer data processing addendums (DPAs) for our customers that operate in the EU. Our DPA offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our clients.

To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. As a small team, we also can’t make individual changes to our DPA since we don’t have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.

To request a DPA, please send an email to [email protected] with the following information:

  • Legal Name of Your Company
  • Country your company operates in
  • Your full name
  • Your email address
  • Your role at the company
  • Are you authorized to sign on behalf of this company? [Yes/No]

Once completed, the addendum will be signed electronically by both parties, and become legally binding. A copy of the signed addendum will be emailed to you.

Sub-Processors

List of sub-processors

We share certain information with companies that are our “sub-processors” under GDPR. We use the following sub-processors to provide our services; they host or transmit the data on physical and cloud infrastructure that we pay for. Below is the full list of our sub-processors, with the purpose of each, its location, and the data that reaches it.

Company              Purpose                        Location  Data shared
-------------------  -----------------------------  --------  --------------------------------------------------
Cloudflare           DNS and WAF                    USA       HTTP request proxy. No direct data shared.
Amazon Web Services  Cloud infrastructure hosting   USA       Email address and content.
Fly.io               Cloud infrastructure hosting   USA       Server and database host. No direct data shared.
Twilio               SMS and voice notifications    USA       Phone number and SMS/voice content.
Plivo                SMS and voice notifications    USA       Phone number and SMS/voice content.
Mailgun              Email notifications            USA       Email address and notification content.
Postmark             Email notifications            USA       Email address and notification content.
OneSignal            Push notifications             USA       User ID and push notification content.
Slack                Slack notifications            USA       Slack ID and Slack notification content.