Last Updated May 24, 2018
Deps Limited (“Deps”) operates several websites and services including deps.co and related subdomains. It is Deps’ policy to respect your privacy regarding any information we may collect while operating our services.
1. The GDPR and Deps
1.1. On privacy, the GDPR and why it is important
To offer greater privacy and control of data for individuals who use or are stored within our services, we will apply the GDPR to all individuals who are stored within or use our services, whether inside or outside of the EU.
We believe in the GDPR and in increased privacy for everyone.
1.2. General Data Protection Regulation (GDPR)
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws).
The GDPR is a comprehensive set of regulations that dictates what companies like Deps must do in order to properly protect our customers’ data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we’re doing in order to ensure compliance.
It will come into effect on May 25, 2018.
Note: The full GDPR regulations are extremely long and complex. This isn’t meant to be a comprehensive list of every single thing we do to protect your data, but rather it’s a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us if you have questions about specific items that aren’t addressed here.
1.3. How GDPR applies to Deps
GDPR defines three parties, which we will reference throughout this document:
- Data Subject - This is the person about whom data is being stored and used. You and the other members of your organisation with logins are data subjects, because you have an account with Deps (i.e. you’re our customer).
- Data Controller - This is the person or company that is using the data that’s being stored. We are a data controller, concerning your personal data, because you have an account with Deps.
- Data Processor - These are companies that create tools to actually store and take advantage of the data. We (Deps) are not a data processor.
The data Controller and Processor both have different responsibilities to ensure that we are acting legally and ethically. This document explains what we do to comply with GDPR as a Controller, and how we use the data we collect.
1.4. Technical security
As a company focused on storing customer code and artifacts, our customers entrust us with very important, security critical data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- Our servers and data are hosted by Google Cloud Platform (GCP), Amazon Web Services (AWS) and Heroku. Google Cloud Platform is one of the largest and most sophisticated hosting companies in the world. Heroku uses Amazon Web Services (AWS) to host their servers. AWS is the largest hosting company in the world. GCP, AWS, and Heroku all have extensive physical and digital security in place.
- We use 256-bit encryption at all levels of our software. All connections to our website are encrypted (i.e. we encrypt “in transit”), our live database is encrypted (i.e. we encrypt “at rest”), binary artifacts are encrypted, and all of our data backups are encrypted.
- We never store passwords as plain text – they are always hashed and salted securely using pbkdf2 (older passwords) and bcrypt (newer passwords). We also do the same with all access keys.
- Our main servers are in Iowa, USA at Google’s us-central1 data center. We also have encrypted replicas of data in other GCP and AWS locations within the USA in case anything happens to the Iowa data center. Even though GDPR is a European regulation, it does not require that data be hosted physically within the EU.
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
If you have questions or concerns, reach out to us at firstname.lastname@example.org.
1.5. Data Processing Officer
We have appointed a Data Protection Officer. They may be contacted at email@example.com.
1.6. Data Breach Notification Plan
We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data breach, we have a plan in place that fully complies with the requirements laid out by GDPR. You can read our full plan below, but the basic idea is that if we become aware of a data breach, we will notify any of our customers who may have been impacted, and provide them with the appropriate information so that they can also comply with their responsibilities as a Data Controller.
The specifics of our response to a data breach would of course depend on the details of the breach itself (the method of the breach, what data was compromised, etc.) but here is an outline of how we will approach the situation:
1.6.1. Identifying a breach
The first step in responding to a data breach is knowing that one has happened in the first place. We monitor the status of our security with technology (running penetration tests and network scans) as well as policy (training employees on what to look out for, making sure issues are escalated appropriately).
If we ever identify a breach, or even notice something out of the ordinary that justifies investigation, we will take the following steps:
1.6.2. Assigning roles and responsibility
At any company, the best way to ensure that an issue is taken seriously is to make sure that it has the attention of top leadership. Deps has one individual who will personally handle all security concerns. Daniel Compton, the Founder and CEO, will be responsible for organizing the company-wide response, assigning roles, and ensuring that we do everything outlined in this document and more to handle the situation as thoroughly as possible.
Every member of the company knows that if there is ever a security concern, the issue should go directly to the CEO without any delay.
1.6.3. Investigate the type and scope of the breach
Breaches can happen in many different ways. They can be the result of a technical or social failing on our end. In many cases, the customer may have been tricked into giving their login information to the attacker, and it might not be the result of insecurity in the software at all.
In order to decide how to respond to a breach, we must first understand how the breach happened. We will seek to answer the following questions as quickly as possible:
- Was there some sort of failure of our technology or processes that enabled the breach?
- What data was accessed?
- What was (or might have been) done with the data? I.e. deleting data is different from exporting it outside our server.
- How many users were impacted?
1.6.4. Address immediate threats
If we find that the breach is caused by a customer’s login information being compromised (e.g. two business partners are fighting over ownership of the business and one steals the other’s account login information) we will shut down API access for the account in question until we are confident that the rightful owner is the only one with access. In some cases this can take several days or longer as there may be legal issues outside of our control that must be adjudicated first.
If we determine that the breach occurred due to a vulnerability on our end, we will work to fix whatever the vulnerability was as quickly as possible to prevent further damage. If a situation like this ever arises, every employee at Deps who can be helpful will treat this as their top priority and set aside any other responsibilities until the problem is resolved.
1.6.5. Notify the appropriate parties of the breach
This step will depend heavily on the details of the breach. For example, in a situation where a specific user is phished, they will likely already know about the breach, and it wouldn’t impact any of our other customers. But if our entire database is compromised by a hacker, that would potentially impact all of our users (our customers, as well as your customers).
Our general guideline is that if there’s a reasonable possibility that the breach will have a negative impact on a customer, we will notify them quickly. “Quickly” can mean different things depending on how long it takes us to conclude our investigation, but when possible, our goal would be to send notifications no more than 72 hours after we become aware of the issue.
1.7. Trusted third-party services we use
We may share data with the following third-parties, also known as Subprocessors under GDPR, so that we can offer our services to you, and so that we know how to continue improving our services to remain valuable to you.
- Google Cloud, [Heroku](https://www.heroku.com), and Amazon Web Services for hosting our infrastructure, including log monitoring
- Stripe for payment processing
- Google Analytics for marketing website analytics
- Google AdWords for tracking success of advertisements we buy
- Google Fonts for the Karla CSS font family (and others)
- Intercom for sales, customer support, and onboarding
- Postmark for sending transactional email
- Sentry for error and crash reporting
- Mailchimp for our mailing list (this has a separate opt-in)
- Zapier for workflows related to user lifecycle events (e.g. signing up for a trial)
- Slack for notifications about user events
- Profitwell for company financial reporting
We have Data Processing Addendums with all of our Subprocessors.
1.8. Information we collect about you
If you have a Deps account, we are the Controller of your personal information (PI). The data below is stored locally within our systems (unless noted otherwise), and may also be stored in a third-party service listed above. All logs are scrubbed of sensitive info (passwords, tokens, etc.) locally before being sent over the wire.
1.8.1. Personal information and unique identifiers
We collect and store this information:
- Unique user and account IDs
- Unique Stripe customer and subscription IDs
- Unique Intercom user identity hash
- First name
- Last name
- The names of any artifacts that are deployed
- Hashed password (hashed using bcrypt)
- Company name
- Company website (through Intercom and Profitwell)
- Company size (through Intercom and Profitwell)
- Credit/debit card information (locally, we store the last 4 digits of your payment method, the brand, and the expiry – all other data is stored securely within Stripe)
- Geographic location (through Intercom, Profitwell, and Google Analytics)
- Pages visited (through Intercom and Google Analytics)
- IP address for API rate limiting (stored for up to 30 days, but likely purged within 24 hours)
- IP address via API request logs
- Date/time of resources being accessed via API request logs
1.9. Data retention
All of the above data for our customers could be included within our logs (e.g. within database query logs, request logs, etc.), backups, and within temporary storage (e.g. caching systems, our Redis datastores, etc.), which we keep for up to 30 days. The exception for this is that our repository upload and download logs are kept for 90 days, for security and auditing purposes (e.g. a customer suffers a breach and wants to know if any artifacts were uploaded or downloaded).
Before the maximum 30-day retention period elapses, all archived logs, backups, and temporary storage are permanently deleted – this means that after a user has been “forgotten”, i.e. erased upon request, the user will be completely erased from our systems within 30 days.
1.10. Data subject rights
Our customers, the Data Subjects, are entitled through their Data Subject Rights (DSR) to access (“Right To Access”), export (“Right to Data Portability”), change, and permanently delete (“Right To Be Forgotten”) all their data from our systems.
DSR requests can include personal data of other individuals, like your employees. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
DSR requests may be sent to firstname.lastname@example.org.
1.11. Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. They give a variety of reasons it might be valid, and the following is the one that applies to us:
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
We only collect data that is necessary for the purposes of making our services valuable to you.
1.12. Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date. If you have questions or concerns, contact us at email@example.com.
2.1. Website visitors
Like most website operators, Deps collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.
Our purpose in collecting non-personally identifying information is to better understand how Deps’ visitors use its website and to better provide related content to its visitors. From time to time, Deps may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.
We also collect potentially personally-identifying information like Internet Protocol (IP) addresses for all API users, as well as for Dashboard users (what information is collected is detailed in 1.10. and 1.11.). These logs are retained for up to 30 days (our data retention policy is detailed in 1.12.).
We do not keep logs for requests to our Marketing or Documentation sites, but IP address and other personally identifiable information may be collected from website visitors for one of our Subprocessors (all of which are listed in 1.9.).
2.2. Aggregated statistics
Deps may collect statistics about the behavior of visitors to its websites. Deps may display this information publicly or provide it to others. However, Deps does not disclose personally-identifying information other than as described below.
For example, you may not be able to log into your Deps account’s Dashboard without cookies enabled, for technical reasons.
2.3.1. Cookies we set
- We set deps-cookie-consent-* cookies to keep track of your privacy and tracking preferences. You can adjust your consent for these cookies at any time by clicking here.
- We set deps-session-store-* cookies so you don’t need to log in every time you use the Dashboard, which includes related cookies which determine how long the previously mentioned session cookie is valid for.
- We use your browser’s localStorage API on our site to keep a history of your preferences for displaying documentation, e.g. we’ll display docs in the programming language and tool you prefer using.
Other cookies may be set by our trusted third-parties listed above (our Subprocessors). If you’re inside of the EU, we employ an opt-in system for all third-party cookies. If you’re outside of the EU, we employ an opt-out system. Regardless, you can adjust your preferences at any time by clicking here.
2.4. Information disclosure to third-parties
We do not sell, trade, or otherwise transfer your information to third-parties. This does not include sharing a limited subset of your information with trusted third-parties (our Subprocessors, which are outlined in 1.9.), who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to process this information in accordance with their DPA.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety.
2.5. Third-party content
2.6. COPPA compliance
We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act); we do not collect any information from anyone under 13 years of age. The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC). Our website, products and services are all directed to people who are at least 13 years old or older. If you are under 13 years old, you cannot use our services.
2.7. Business transfers
If Deps, or substantially all of its assets, were acquired, or in the unlikely event that Deps goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Deps may continue to use your personal information as set forth in this policy.
2.9. Terms of Service
Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of our services.
If there are any questions regarding this document, you may contact us at firstname.lastname@example.org.