Privacy FAQ

General:

Privacy Shield, Schrems II and the New June 2021 Standard Contractual Clauses:

  • How is PagerDuty responding to the Schrems II ruling and the invalidation of Privacy Shield?

    PagerDuty uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and Sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, PagerDuty couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers.

    PagerDuty closely monitors the privacy landscape and the ongoing updates from various EU supervisory authorities, including the release of new Standard Contractual Clauses from the European Commission in June 2021. Please see below for additional answers to how PagerDuty remains compliant with the EU General Data Protection Regulation (GDPR) considering new recommendations stemming from Schrems II.

  • What is the valid transfer mechanism implemented by PagerDuty for transfers of Personal Data from the European Economic Area (EEA) to third countries?

    PagerDuty includes the Standard Contractual Clauses as part of its customer Data Processing Addendum. PagerDuty also requires that all of its subprocessors enter into a DPA which includes Standard Contractual Clauses.

  • Will PagerDuty sign the new Standard Contractual Clauses that the European Commission adopted in June 2021?

    Yes, our DPA has been updated to include the new Standard Contractual Clauses effective September 27, 2021. New and current customers will be on these terms going forward.

  • Which terms apply if my personal data is subject to UK and/or Swiss data protection laws?

    For processing of Personal Data that's subject to UK data protection laws, the 2010 Standard Contractual Clauses will still apply, and they are incorporated into the DPA as well. If the UK Data Protection Law changes to require either the 2021 Standard Contractual Clauses, the use of a different form of Standard Contractual Clauses, or other equivalent agreement then PagerDuty will update the DPA to incorporate the required terms.

    For processing of Personal Data that's subject to Swiss data protection laws, we’ve incorporated terms to include the FADP and Swiss Supervisory Authority into the DPA and new Standard Contractual Clauses.

  • What adequate level of protection does PagerDuty offer?

    PagerDuty maintains administrative, technical, and organizational security measures to protect Personal Data outlined in the PagerDuty Data Security Policy located here: https://www.pagerduty.com/data-security-policy/.

    Included in PagerDuty's Data Security Policy are a range of technical and organizational measures, such as encryption at rest and in transit over public networks, that address the core deficiencies cited in the Schrems II decision—bulk Interceptions under EO 12333 and bulk surveillance under FISA § 702.

  • Is PagerDuty eligible to receive a FISA § 702 directive in connection with the Services?

    PagerDuty has not been found by any court to be the type of entity eligible to receive process issued under FISA Section 702 (i.e., an "electronic communication service provider" within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition).

  • What about "upstream" or bulk surveillance orders under FISA § 702?

    Even if PagerDuty were deemed an electronic communication service provider as to some of its services, as the U.S. government has interpreted and applied FISA § 702, PagerDuty is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—a 702 order for "upstream" surveillance. As the U.S. Government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). PagerDuty does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.