General Data Protection Regulation (GDPR)

Last updated: Mar 24, 2022

As a service provider to European companies and individuals, we comply with the principles of the GDPR and apply them to all customers, no matter where they are located. The provisions set out in the GDPR are sensible practice and should be followed like any other good development or business practice. The list below describes how we comply with each individual principle:

Data Protection Goals

  • Process data in a transparent manner: You can find a list of the data we collect and process in the Privacy Policy. Before signing up you are asked to actively agree to the Privacy Policy.
  • Only collect data for specific and legitimate purposes: On signup you only need to provide a name, email and password. For paid packages, we will also ask for a billing address to calculate applicable taxes.
  • Limit the amount of collected data: We don't collect additional data, like usage analytics or visitor logs.
  • Avoid outdated data: You can edit most of your account data after logging in. This includes deleting your backup data, access keys, personal details and billing details.
  • Ensure adequate protection: We keep our systems updated and secured, and follow accepted security standards. See the Technical Security section for more.

Point of Contact for Data Protection

Send any privacy- and security-related concerns to [email protected].

Privacy Policy

You can find our latest Privacy Policy here. It includes the data we collect, how we process it, how you can access and delete it and how to reach the data protection officer.

Cookie Policy

We don't use external tracking scripts or third-party content delivery networks (CDNs), like Google Analytics or Google Fonts. After you log in, an HTTP-only cookie will be set to validate your session. This session times out after 30 minutes of inactivity.

Documentation of Processing Activities

The data processing we do is described in the Privacy Policy document.

List of Data Processors

We currently use the following sub-processors to provide our service:

  • Amazon Web Services, Inc.
  • Hetzner Online GmbH
  • EndOffice, LLC
  • Functional Software, Inc.
  • Signetique IT Pte Ltd.
  • Wildbit LLC
  • Stripe, Inc.
  • PayPal Holdings, Inc.

Storage Location and Data Transfer

Your account data is always stored within the EU.

Your data will be stored in the region you choose when first creating the pod. If you choose your pod to be EU-based, it will always stay within the EU (a country of the European Union). The same applies to US-based pods, which will stay within the US region (United States of America).

Technical Security

We follow established security guidelines. If you notice any security vulnerability, please report it to [email protected]. Overview of security measures:

Authentication

  • You are required to set a strong password of 8+ characters.
  • Access to private endpoints of the API backend needs authentication.
  • Your login session will expire after 30 minutes.
  • You can enable two-factor authentication to protect your account with more than just a password.

Access control

  • Logged-in users can only access their own data.
  • Pods within an account are isolated from each other.
  • Sessions for logged-in users are validated during every API request.

Command Injection

  • No user-provided data is displayed publicly or to other users.
  • Your session cookie is http-only and not accessible by JavaScript.
  • It's not possible to upload files, except your backups.
  • User input is validated on submission, e.g. your public SSH key.
  • No parameterized SQL queries are used.

Session Management

  • Safe cookie elements are used (Secure and HttpOnly flags).
  • Automatic session expiration after 30 min of inactivity.
  • The session is revoked on user logout.

Data protection and Transmission

  • Modern SSL settings are used to protect your data during transmission to and from the web interface.
  • Your password is stored as a strong Argon2 hash.
  • Automatic session expiration after 30 min of inactivity.
  • Your pod can only be accessed using an encrypted HTTPS connection. There is no support for unencrypted HTTP connections.

Access to Account Data

To request access or deletion of the personal data stored in your account, please contact [email protected]. You will receive a copy of the data stored with us. You can access and delete your backup data independently in the web interface.

Supervisory Authority

We will notify the Information and Data Protection Commissioner in Malta of any data breaches that may get discovered in the future.

Data Processing Agreement

If you would like to sign a full data processing agreement to demonstrate your own compliance, please get in touch and provide your organisational details.