2020-08-11 01:47:54 +02:00
|
|
|
|
# GDPR compliance
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
This page covers how Zulip interacts with the EU's landmark GDPR
|
|
|
|
|
legislation; you can read the
|
2023-03-23 04:14:27 +01:00
|
|
|
|
[Zulip Cloud privacy policy](https://zulip.com/policies/privacy) for our
|
2018-05-26 00:05:44 +02:00
|
|
|
|
general privacy policies.
|
|
|
|
|
|
|
|
|
|
## What is GDPR?
|
|
|
|
|
|
|
|
|
|
The General Data Protection Regulation is a wide-ranging law designed
|
|
|
|
|
to protect the privacy of individuals in the European Union (EU) and
|
|
|
|
|
give them control over how their personal data is collected,
|
|
|
|
|
processed, and used. The law applies to any company that collects or
|
|
|
|
|
processes the data of European consumers.
|
|
|
|
|
|
2020-08-11 01:47:54 +02:00
|
|
|
|
## Controllers and processors
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
There are two key relationships that are defined in the GDPR. As a
|
|
|
|
|
customer of Zulip Cloud, you operate as the controller when using our
|
|
|
|
|
products and services. You have the responsibility for ensuring that
|
|
|
|
|
the personal data you are collecting is being processed in a lawful
|
|
|
|
|
manner as described above and that you are using processors, such as
|
|
|
|
|
Zulip Cloud, that are committed to handling the data in a compliant
|
|
|
|
|
manner.
|
|
|
|
|
|
|
|
|
|
Zulip Cloud is considered a **data processor**. We act on the
|
|
|
|
|
instructions of the controller (you). Similar to controllers,
|
|
|
|
|
processors are expected to enumerate how they handle personal data,
|
|
|
|
|
which we have outlined in this document and the legal documents listed
|
|
|
|
|
below. As a processor, we rely on our customers to ensure that there
|
|
|
|
|
is a lawful basis for processing.
|
|
|
|
|
|
|
|
|
|
Processors may leverage other third-parties in the processing of
|
|
|
|
|
personal data. These entities are commonly referred to as
|
|
|
|
|
sub-processors. For example, Kandra Labs leverages cloud service
|
|
|
|
|
providers like Amazon Web Services and Mailgun to host Zulip Cloud.
|
|
|
|
|
|
2020-08-11 01:47:54 +02:00
|
|
|
|
## How Zulip supports GDPR compliance
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
We’re committed to the compliance of all parties including you,
|
|
|
|
|
third-parties, and us.
|
|
|
|
|
|
2024-05-30 15:48:12 +02:00
|
|
|
|
- **Zulip Cloud:** To deliver the Zulip Cloud service, Kandra Labs, Inc. acts as
|
|
|
|
|
a compliant data processor, with each of our customers acting as the data
|
|
|
|
|
controller. Kandra Labs receives personal data from our customers in the
|
|
|
|
|
context of providing our Zulip Cloud team chat services to the customer.
|
|
|
|
|
|
|
|
|
|
- **Self-hosted deployments:** Kandra Labs also acts as a data processor to
|
|
|
|
|
deliver the [Mobile Push Notification Service][mobile-push], which uses the same
|
|
|
|
|
hosting infrastructure and terms of service as Zulip Cloud. The [on-premises
|
|
|
|
|
section](#gdpr-compliance-on-premises) of this page discusses how the Zulip
|
|
|
|
|
on-premises software works in relation to GDPR compliance.
|
|
|
|
|
|
|
|
|
|
A [Data Processing Addendum
|
|
|
|
|
(DPA)](https://zulip.com/static/images/policies/Zulip-Data-Processing-Addendum.pdf)
|
|
|
|
|
is incorporated into Zulip's [Terms of
|
|
|
|
|
Service](https://zulip.com/policies/terms).
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
2023-03-23 05:32:39 +01:00
|
|
|
|
[mobile-push]: https://zulip.readthedocs.io/en/stable/production/mobile-push-notifications.html
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
## Zulip Cloud's subprocessors
|
|
|
|
|
|
2021-10-16 01:53:29 +02:00
|
|
|
|
To support delivery of our Services, Kandra Labs, Inc. may engage and
|
2018-05-26 00:05:44 +02:00
|
|
|
|
use data processors with access to certain Customer Data (each, a
|
|
|
|
|
"Subprocessor"). This section provides important information about
|
|
|
|
|
the identity, location and role of each Subprocessor. Terms used on
|
|
|
|
|
this page but not defined have the meaning set forth in Zulip's Terms
|
|
|
|
|
of Service or superseding written agreement between Customer and
|
|
|
|
|
Kandra Labs (the "Agreement").
|
|
|
|
|
|
2020-08-11 01:47:54 +02:00
|
|
|
|
### Third parties
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
Zulip currently uses third party Subprocessors to provide
|
|
|
|
|
infrastructure services, and to help us provide customer support and
|
|
|
|
|
email notifications. Prior to engaging any third party Subprocessor,
|
|
|
|
|
we perform diligence to evaluate their privacy, security and
|
|
|
|
|
confidentiality practices.
|
|
|
|
|
|
|
|
|
|
**Subprocessors**
|
|
|
|
|
|
|
|
|
|
Zulip Cloud may use the following Subprocessors to host Customer Data
|
|
|
|
|
or provide infrastructure that helps with delivery and operation of
|
|
|
|
|
our Services:
|
|
|
|
|
|
|
|
|
|
* [Amazon Web Services, Inc.](https://aws.amazon.com/compliance/gdpr-center/)
|
|
|
|
|
for cloud infrastructure.
|
2021-10-16 01:53:29 +02:00
|
|
|
|
* [DigitalOcean, LLC](https://www.digitalocean.com/security/gdpr/)
|
2018-05-26 00:05:44 +02:00
|
|
|
|
for cloud infrastructure.
|
2021-10-16 01:53:29 +02:00
|
|
|
|
* [FrontApp, Inc.](https://community.frontapp.com/t/x1p4mw/is-front-compliant-with-gdpr)
|
2018-05-26 00:05:44 +02:00
|
|
|
|
for customer support.
|
2021-10-16 01:53:29 +02:00
|
|
|
|
* [Functional Software, Inc. d/b/a Sentry](https://blog.sentry.io/2018/03/14/gdpr-sentry-and-you)
|
|
|
|
|
for error tracking.
|
|
|
|
|
* [Google LLC](https://privacy.google.com/businesses/compliance/) for
|
2018-05-26 00:05:44 +02:00
|
|
|
|
cloud infrastructure and services.
|
2021-10-16 01:53:29 +02:00
|
|
|
|
* [Mailgun Technologies, Inc.](https://www.mailgun.com/gdpr) for email processing.
|
|
|
|
|
* [Rackspace US, Inc.](https://www.rackspace.com/en-us/gdpr) for cloud
|
2018-05-26 00:05:44 +02:00
|
|
|
|
infrastructure for our Zephyr mirroring service.
|
|
|
|
|
* [Stripe, Inc.](https://stripe.com/guides/general-data-protection-regulation) for payment processing.
|
2021-10-16 01:53:29 +02:00
|
|
|
|
* [The Rocket Science Group LLC d/b/a Mailchimp](https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation)
|
|
|
|
|
for email processing.
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
|
|
|
|
## GDPR compliance with Zulip Cloud
|
|
|
|
|
|
|
|
|
|
The following features of Zulip are useful to know about when
|
|
|
|
|
responding to a request from one of your users in relation to the
|
|
|
|
|
GDPR:
|
|
|
|
|
|
|
|
|
|
* A Zulip user can change their profile information, delete their
|
2021-05-14 00:16:30 +02:00
|
|
|
|
messages, uploaded files, etc., directly within the Zulip web app.
|
2018-05-26 00:05:44 +02:00
|
|
|
|
* You can use the [organization users](/#organization/user-list-admin)
|
|
|
|
|
panel to deactivate users, edit or delete their account details,
|
|
|
|
|
etc.
|
|
|
|
|
* For complying with access requests, you'll want to start with that
|
|
|
|
|
user's Zulip profile, which you can access from the right sidebar.
|
2018-07-26 00:09:58 +02:00
|
|
|
|
* The [Zulip Cloud export](/help/export-your-organization) supports exporting
|
2018-05-26 00:05:44 +02:00
|
|
|
|
all the data related to a Zulip user or organization.
|
2020-05-20 20:47:44 +02:00
|
|
|
|
* The [Zulip REST API](/api/rest) lets you
|
2018-05-26 00:05:44 +02:00
|
|
|
|
automate your processes for handling GDPR requests.
|
|
|
|
|
|
2020-05-28 02:00:13 +02:00
|
|
|
|
Contact [support@zulip.com](mailto:support@zulip.com) for
|
2018-05-26 00:05:44 +02:00
|
|
|
|
any assistance related to this topic.
|
|
|
|
|
|
2018-07-27 09:11:09 +02:00
|
|
|
|
## GDPR compliance on-premises
|
2018-05-26 00:05:44 +02:00
|
|
|
|
|
2018-07-27 09:11:09 +02:00
|
|
|
|
Compliance is often simpler when running software on-premises, since
|
2018-05-26 00:05:44 +02:00
|
|
|
|
you can have complete control over how your organization uses the data
|
|
|
|
|
you collect.
|
|
|
|
|
|
|
|
|
|
In addition to the features described above that are available in
|
2018-07-27 09:11:09 +02:00
|
|
|
|
Zulip Cloud (which are also available on-premises), the following tools
|
2018-05-26 00:05:44 +02:00
|
|
|
|
may be useful:
|
|
|
|
|
|
2023-01-06 15:46:02 +01:00
|
|
|
|
* The Zulip server comes with a [command-line tool][management-commands],
|
|
|
|
|
`manage.py export_single_user`, which is a variant of the main server
|
|
|
|
|
[export tool][export-and-import-tool], that exports a single Zulip
|
2024-05-06 09:20:58 +02:00
|
|
|
|
user's account details, preferences, channel subscriptions, and message
|
2023-01-06 15:46:02 +01:00
|
|
|
|
history in a structured JSON format.
|
2018-05-26 00:05:44 +02:00
|
|
|
|
* The Django management shell (`manage.py shell`) and database shell
|
|
|
|
|
(`manage.py dbshell`) allows you to query, access, edit, and delete
|
|
|
|
|
data directly.
|
|
|
|
|
|
|
|
|
|
There's a lot more that goes into GDPR compliance, including securing
|
|
|
|
|
your server infrastructure responsibly, internal policies around
|
|
|
|
|
access, logging, and backups, etc. If you need detailed guidance, we
|
2020-05-28 02:00:13 +02:00
|
|
|
|
recommend contacting support@zulip.com; our paid support contracts
|
2018-05-26 00:05:44 +02:00
|
|
|
|
include assistance with understanding GDPR compliance with Zulip.
|
2023-01-06 15:46:02 +01:00
|
|
|
|
|
2023-03-23 05:32:39 +01:00
|
|
|
|
[management-commands]: https://zulip.readthedocs.io/en/stable/production/management-commands.html
|
|
|
|
|
[export-and-import-tool]: https://zulip.readthedocs.io/en/stable/production/export-and-import.html
|