Pivotal Web Services GDPR And Data Security FAQs

Pivotal Web Services And GDPR Compliance

1. Our Commitment To You And The Protection Of Your Data

Pivotal is committed to the security and privacy of our customers. The General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and will impact any company processing the data of EU citizens or residents, even if the company is not EU-based. The GDPR sets forth how companies should handle privacy issues, securely store data, and respond to security breaches. GDPR places obligations on both service providers (the controller) and third parties subcontracted by service providers (subprocessors).

Ultimately, the law makes it easier for customers to understand how we use and protect their personal information.

As a result, Pivotal has been working diligently to ensure that Pivotal Web Services (“PWS”) is in compliance with the GDPR when GDPR comes into effect, without sacrificing the performance and quality that our customers have come to expect from PWS.

On this page, we’ll explain our methods and plans to achieve GDPR compliance both for PWS users and ourselves.

2. What Is Pivotal, The Company Behind Pivotal Web Services

Pivotal Web Services is part of Pivotal, a fast-growing cloud software company, backed by Dell, Ford, General Electric, Microsoft, and VMware. Founded in 2013, Pivotal combines a leading cloud-native platform, tools, and methodology to empower the world’s largest organizations to adapt to change and build great software.

More can be found on the Pivotal website.

3. What Is Pivotal Web Services?

Pivotal Web Services is a cloud-based application hosting platform, managed and operated by Pivotal and hosted on Amazon Web Services (“AWS”) in the United States. PWS is a hosted version of the open source Cloud Foundry platform-as-a-service software. Pivotal leverages a combination of internal and operational controls, along with controls provided by AWS, to protect the security of the platform.

4. Preparing For The GDPR

The GDPR contains significant obligations for companies who may have access to the personal data of EU citizens and residents. We appreciate that PWS users have their own requirements under GDPR that are impacted by how they use PWS, and our global team is working diligently to take steps to comply with GDPR and ensure our customers can comply with GDPR with use of our service. We will continue to monitor GDPR developments and adjust our plans as necessary to stay current.

Some examples of steps that the PWS team are taking in order to satisfy GDPR requirements that are applicable to both Pivotal and our customers include:

  1. Reviewing and documenting data flows that involve customer information, including what personal data is stored and for what period of time
  2. Reviewing and removing any unnecessary handling and storage of data
  3. Defining, documenting, and implementing a process to regularly review and audit the data we hold
  4. Updating our privacy policy (see below)
  5. Listing all GDPR compliant subprocessors of personal data (see below)
  6. Enabling the right to data portability
  7. Defining, documenting, and implementing a process for handling “right to be forgotten” deletion requests
  8. Executing Standard Contractual Clauses through our updated Data Processing Addendum in order to hold subprocessors to the same practices and standards to which we hold ourselves
  9. Reviewing and documenting our data retention policy
  10. Reviewing and documenting our process for handling security incidents
  11. Providing data privacy education for the Pivotal Web Services Engineering teams
  12. Carrying out data impact assessments and, if appropriate, consulting with EU regulators
  13. Informing our users that we use cookies, stating what their purpose is, and obtaining and recording consent to use them
  14. Ensuring explicit opt-in for marketing emails
  15. Making it clear how to remove consent for cookies or Pivotal marketing emails

5. Changes To Pivotal’s Privacy Policy

Pivotal’s current Privacy Policy is available here, and the updates are effective as of May 25, 2018. The changes include:

  1. Broadening to apply to mobile actions and other interactions (e.g., customer service inquiries, user conferences, etc.)
  2. For European Economic Area (EEA)-based customers, requiring explicit consent to the new terms.
  3. Offering European Union Model Clauses, also known as Standard Contractual Clauses, to meet security requirements of EEA-based customers.
  4. More detailed instructions for requests for access, correction, deletion or transfer of personal information, or withdrawal of consent to processing
  5. Instructions for EEA residents to contact their local EU Data Protection Authorities.

6. What Specific Information Does Pivotal Web Services Collect About You And How Is It Used

Given the automated nature of our services, PWS does not know if the content that a customer chooses to upload onto PWS is “personal data” as defined by the GDPR. For a further description of customer application data, see the Data Security FAQs below.

Pivotal identifies personal information we collect about you and why in its Privacy Policy available here. Specifically, Pivotal will have access to the following account and billing information for PWS users:

  1. First Name
  2. Last Name
  3. Street address
  4. City
  5. State
  6. Country
  7. Zip
  8. Phone
  9. Masked Credit Card Number
  10. Credit Card Expiration Date
  11. IP Address

Pivotal may share the information above with certain third parties, in each case in compliance with applicable privacy laws. Pivotal uses this information in order to enable users to sign up and use Pivotal Web Services, enable users to purchase Pivotal Web Services, to protect our users and provide security monitoring, to communicate important account updates to our users, so our business can ensure legal compliance, to make Pivotal Web Services enhancements that meet our user needs, to promote Pivotal events and content, and to ensure we’re communicating information our customers care about.

7. International Data Transfers

In addition to our compliance efforts regarding the GDPR, Pivotal Web Services offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers that operate in the European Union, and other international transfers of customer data, in order to ensure that Pivotal is compliant with applicable data protection requirements if users transfer personal data using PWS from the EU to the United States.

8. What Third Parties Do We Share Information With

To support delivery of our Service Offering, Pivotal Web Services may engage and use data processors with access to certain customer data (each, a “Subprocessor”). PWS Subprocessors include:

| Entity Name | Subprocessing Activities | Entity Country |
| --- | --- | --- |
| Amazon Web Services | Provides compute for both platform and customer workloads, object storage for platform and customer assets, object storage for platform logs, data services for platform components. | United States |
| Cybersource | Processes credit card transactions, provides fraud and trade compliance screens. | United States |
| Google Analytics | Website analytics. | United States |
| Logit.io | Platform log aggregation. | France |
| Marketo | Email marketing. | United States |
| Mixpanel | Website event tracking. | United States |
| Papertrail | Platform log aggregation. | United States |
| SendGrid | E-mail transactional account updates. | United States |
| Twilio | Provides SMS/phone verification upon account creation. | United States |

Our Subprocessors may change as our product evolves. We will endeavor to provide customers with notices of any new Subprocessors, and post such updates here.

9. Data Portability Solutions And Data Management Tools

To assist our customers in their own efforts to comply with the GDPR, Pivotal Web Services provides the following compliance-related tools:

  1. Pivotal Web Services user accounts can be removed by contacting privacy@pivotal.io.

  2. Pivotal Web Services resources associated with an account / organization (spaces, apps, services, routes, etc.) can all be deleted by users with the correct permissions. Additional data deletion requests can be made by contacting privacy@pivotal.io.

10. Go-Forward Efforts

Remaining compliant with the GDPR and applicable privacy laws requires ongoing review and iteration, and is of the utmost importance to Pivotal. The content of this document will be updated by Pivotal from time to time as more GDPR-related information becomes available. Should you have any questions, please do not hesitate to email us at privacy@pivotal.io.

Pivotal Web Services And Data Security And Reliability

Does Pivotal Process Personal Data Of Its Customers?

Yes. In order to provide the PWS offering, Pivotal processes customer personal data for the limited purposes set forth in our Privacy Policy.

Customer Application Data And Account Information On PWS

PWS stores the following customer application data and account information:

  • Account information
  • Application code and running apps
  • Task code and running tasks
  • Application and task short-term logging and metadata
  • Platform logs, which includes usage metadata

Customer Application Data Through Third-Party Services

PWS applications sometimes use third-party services and/or customer-provided storage for data persistence and other application services. PWS may make available such services through its Marketplace. Customer use of such third-party services is subject to the terms of use of such third-party services, including any applicable data privacy and security policies. Customers are responsible for checking with applicable third parties for any terms or restrictions available from those service providers.

Where Is Pivotal Web Services Hosted, And Where Is My Data Located?

The Pivotal Web Services production environment runs in a multi-zone cluster within a Virtual Private Cloud (VPC) on Amazon Web Services (AWS), in the US East (Virginia) Region.

Platform logs are securely transmitted to a subprocessor, Logit.io, whose SaaS offering resides in France. These logs are retained for 7 days, after which indexes and underlying logs are permanently removed from disk.

PWS passes customer-entered credit card information to Cybersource so our customers can purchase Pivotal Web Services. It is stored in a secure manner by Cybersource, our PCI-compliant payment processor and gateway. For billing transparency, PWS also stores masked credit card information and the credit card expiration date.


Cloud Foundry provides isolation through its governance framework features, which define groupings of apps and services into entities known as Organizations and Spaces. PWS users are assigned to organizations and spaces by the Organization Manager role designated at account creation and through system user interfaces. Access scope is governed by the roles users possess in those entities. It is through these roles and scopes that multi-tenancy is achieved. Users’ administrative access is limited to their assigned organizations and spaces. An application’s access is governed by the application access rules defined within the application. Apps are internet routable entities, which are generally accessible from the public internet.

Application Isolation

Applications on PWS are deployed into “containers” and isolated from other applications. Because applications are deployed onto shared infrastructure, these containers may be co-resident with other containers on AWS EC2 Instances provisioned by PWS. These AWS EC2 instances may be co-resident with other AWS EC2 instances on shared physical machines.

Cloud Foundry and AWS provide isolation that enhances security and relative performance separation. The container runtime is designed to ensure that adjacent containers are unable to access data or connectivity between containers unless explicitly permitted by defined policies.

What Controls Are In Place To Protect Pivotal Web Services Servers And Data?

Access to the production environment (on AWS) is restricted to a small subset of the Pivotal Web Services development and operations team, who are all highly trusted, permanent Pivotal employees, located in the United States, Ireland, Canada, and the United Kingdom. Access is managed by the AWS IAM system, with mandatory two-factor authentication (2FA), and is removed when no longer required. Pivotal performs pre-employment screening and background checks, where permitted by law.

All requests to the Pivotal Web Services platform are logged and indexed, and include originating IP information.

All connections to the Pivotal Web Services platform default to using TLS. Certificates use RSA keys with a 2048-bit modulus and SHA-256.

How Is Customer Data Backed Up?

Pivotal Web Services utilizes AWS RDS Multi-AZ instances, with daily backup capability provided by AWS RDS Snapshots.

Customer data stored in AWS S3 is not backed up as we consider it durable storage. Information about AWS S3 durability can be found here.

Business Continuity

PWS relies on the availability model of the underlying AWS infrastructure and supports multiple AWS availability zones (AZs) within the AWS US-East Region (Virginia). PWS can distribute instances of an application across the AWS AZs to ensure availability of applications in the event of an AWS data center failure. This availability requires that multiple instances of applications be deployed. Failure of the US East AWS region may impact availability of hosted applications.

For purposes of data locality, operational data that is at rest resides solely in the environment where applications are deployed. For PWS, application and operation data resides in AWS in the United States. Customers are responsible for monitoring the availability and performance of their applications.

Penetration Testing And Vulnerability Assessments

Pivotal periodically uses third-party firms to perform security assessments of PWS environments. These assessments are performed at a minimum of once a year. Any resulting findings are prioritized and addressed according to Pivotal’s policies and industry best practices. Although specific results from these assessments cannot be provided to customers, upon request Pivotal may share information with customers about its testing methodology and scope of its security assessments.

Customers may test their own applications hosted on PWS with prior written approval from Pivotal, but due to the multi-tenant nature of the environment, customer security assessments of PWS itself are not permitted.

If you have any questions about the PWS security program, or would like to obtain approval for testing your own applications hosted on PWS, contact us at security@pivotal.io.

Is Pivotal Web Services Certified To Any Documented Standards (e.g., ISO 27001, SSAE16 SOC-1, SOC-2, GSA, PCI, Or HIPAA)?

Pivotal Web Services relies on a number of high-availability, scalable AWS services, including EC2 for computing resources and S3 and RDS for data storage. As an infrastructure-as-a-service (“IaaS”) provider invested in the security of their environments, AWS makes use of a wide range of industry certifications and independent third-party attestations. Detailed IaaS-specific security information can be obtained from AWS Cloud Compliance. The following are some examples of security certifications held by AWS:

  • SOC 1, SOC 2, and SOC 3 reports
  • PCI DSS Level 1 certification
  • ISO 27001 certification
  • ISO 27017 certification

How Can I Get More Information?

For any questions or additional information, please email support@run.pivotal.io.

Disclaimer: This document is provided for informational purposes only and represents Pivotal’s current offerings as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of Pivotal’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from Pivotal, its affiliates, suppliers or licensors. The responsibilities and liabilities of Pivotal to its customers are controlled by Pivotal agreements, and this document is not part of, nor does it modify, any agreement between Pivotal and its customers.

This document was last updated on May 23, 2018.