Engine Yard Privacy Shield Policy Statement

Engine Yard Enterprises, Inc. (“Engine Yard”) complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland (“Personal Data”).

Engine Yard has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Data Integrity and Purpose Limitation, Data Security, Access and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. If there is any conflict between the policies in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles will govern. This Privacy Statement outlines our general policy and practices for implementing the Privacy Shield Principles, including the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of and their ability to correct that information.

This Privacy Shield Privacy Policy applies to Engine Yard’s processing of Personal Data that (a) is stored on Engine Yard’s servers at the direction of Engine Yard’s customers and their end users and (b) human resources data in the context of an employment relationship with Engine Yard; both (a) and (b) from data subjects located in European Union member countries and Switzerland. Engine Yard does not collect Personal Data directly from its customers.

Data Processor

Engine Yard provides hosting services for customers who develop and deploy applications using the Ruby programming language. As a hosting company, Engine Yard provides the technology platform from which its customers (“Customers”) make their applications (“Customer Applications”) available. Engine Yard does not own, control or direct the use any of the information stored or processed by any Customer via its Customer Application. Only the Customer or the end users of the Customer Application (“End Users”) are entitled to access, retrieve and direct the use of such information. Engine Yard is largely unaware of what information is actually being stored or made available by Customers on their Customer Applications and does not directly access such information or data except as authorized by the Customer or as necessary to provide services to the Customer. Except as provided in this Privacy Shield Privacy Policy, Engine Yard does not independently cause data stored in connection with the Customer Application to be transferred or otherwise made available to third parties (except to third party subcontractors who may process such data on behalf of Engine Yard in connection with Engine Yard’s provision of services to Customers). Instead, such actions are performed or authorized only by the applicable Customer or the end user. Engine Yard should be considered only as a processor on behalf of its Customers as to any Personal Data transferred from European Union member countries or Switzerland to the United States that is subject to the requirements of the applicable EU privacy laws (“EU Directive”) or the Swiss Federal Act on Data Protection (“Swiss Act”). The EU Directive and the Swiss Act will sometimes be referred to hereinafter collectively as the “Privacy Rules”. The Customer or the end user is the “Data Controller” under the Privacy Rules, meaning that such party controls the manner Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data. Engine Yard is not responsible for the content of the Personal Data or other information stored on its servers at the direction of the Customer or the end users. Nor is Engine Yard responsible for the manner in which the Customer or the end users collect, handle, disclose and distribute such information.

Data Controller

The Privacy Shield Principles require that those who collect and determine the purposes and the means of the processing of Personal Data adhere to certain requirements to comply with the Privacy Rules. The specific functions of a Data Controller depend on the laws of each EU member state, and of Switzerland. However, because Engine Yard does not collect or determine the use of any Personal Data stored on its servers in connection with the Customer Applications, and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such data, Engine Yard is not acting in the capacity of a Data Controller and (a) does not have the associated responsibilities under the EU Directive or the US-EU Privacy Shield Framework, and (b) has those associated responsibilities only to the limited extent they have been imposed on data processors under the Swiss Act or the U.S. – Swiss Privacy Shield Framework.

Customer Agreement and Security

Engine Yard and each Customer located in European Union member countries or Switzerland will enter into an agreement that specifies each party’s role in complying with the EU Directive, the Swiss Act, and the Privacy Shield Principles, as applicable. The contract with such a Customer will also specify that the Customer is responsible for security measures with respect to the Customer Application and Personal Data accessible via the Customer Application. Although Engine Yard has implemented commercially reasonable security measures to protect data stored on its servers, Customer and its end users are ultimately in control of whether the Personal Data associated with a Customer Application is made available to third parties through such Customer Application. Engine Yard will comply with Customer’s instructions with respect to the return or destruction of Personal Data stored on Engine Yard’s servers.

In its role as a processor of Personal Data on behalf of its Customers, Engine Yard is not able to or required to apply all of the Privacy Shield Principles to Personal Data subject to the EU Directive or the Swiss Act that is received for processing from Customers or end users, except to the limited extent the Privacy Shield Frameworks have been imposed on data processors. Subject to that qualification, Engine Yard’s role as a data processor is to assist the Customer, at the Customer’s request, in complying with its obligations under the EU Directive and the Swiss Act.

Notice

Engine Yard requires that its Customers located in European Union member countries or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the European Union or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide the notices and obtain the consents required under the EU Directive and the Swiss Act with respect to Personal Data. Engine Yard may be required to disclose Personal Data in response to lawful request by public authorities, including to meet national security or law enforcement requirements.

Choice

Engine Yard requires that its Customers located in European Union member countries or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the European Union or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide individuals the opportunity to choose (opt out) whether their Personal Data is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual as required under the EU Directive and the Swiss Act with respect to Personal Data.

Agents, technology vendors and/or contractors of Engine Yard or Engine Yard affiliates may have access to an individual’s Personal Data on a need to know basis for the purpose of performing services on behalf of Engine Yard or providing or enabling elements of the services. All such agents, technology vendors and contractors who have access to such information are required to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for Engine Yard or as otherwise required by law.

Accountability for Onward Transfer

Prior to disclosing Personal Data to a non-agent third party, we shall notify the individual of such disclosure and allow the individual the choice (to opt out) of such disclosure. Engine Yard shall ensure that any third party to which Personal Data may be disclosed subscribes to the Privacy Shield Principles or is subject to laws providing the same level of privacy protection as is required by the Privacy Shield Principles and agrees in writing to provide an adequate level of privacy protection. Engine Yard may be held responsible in cases of onward transfers to third parties.

Data Integrity and Purpose Limitation

Engine Yard is not authorized to access or manipulate Personal Data located on its servers other than as necessary to provide services to a Customer or as otherwise permitted or directed by such Customer. Engine Yard takes reasonable steps to assure that Personal Data transferred from the European Union or Switzerland to the United States and stored on Engine Yard’s servers in connection with a Customer Application is maintained in a reliable, accurate and complete state, subject to any deficiencies in the state in which such Personal Data was received.

Data Security

The control, access, and security of the Personal Data stored on the Engine Yard servers in connection with a Customer Application is in the direct and primary control of, and subject to the security measures undertaken by, the Customer with respect to such Customer Application. Subject to the foregoing, Engine Yard has in place information security procedures and commercially reasonable security measures designed to protect Personal Data stored on its servers from loss, misuse, unauthorized access, disclosure, alteration and destruction. Customers will be notified of any breach with respect to Personal Data of security measures implemented by Engine Yard of which Engine Yard becomes aware. Any compromise of security or potential compromise of security of which a Customer becomes aware and any inquiries concerning security should be reported promptly by such Customer to Engine Yard. Contact information is provided below.

Access and Recourse

Engine Yard requires that its Customers located in European Union member countries or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the European Union or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide the individual’s right to access their Personal Data required under the EU Directive and the Swiss Act.

Engine Yard Customers shall allow an individual access to their Personal Data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

Enforcement and Liability

The Federal Trade Commission has jurisdiction with enforcement authority over Engine Yard’s compliance with the Privacy Shield. In compliance with the Privacy Shield Principles, Engine Yard commits to resolve complaints about privacy and our collection or use of Personal Data. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Engine Yard at:

Engine Yard Enterprises, Inc.
Privacy Officer
401 Congress Avenue, Suite 2650
Austin, Texas 78701 USA
E-mail: privacy@engineyard.com

Engine Yard has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Engine Yard, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Please note that if your complaint is not resolved through any of the above channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Engine Yard has further committed to cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship. If your complaint is not satisfactorily addressed, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”), and for Swiss Data Subjects, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. Engine Yard agrees to cooperate with the relevant national DPAs and to comply with the decisions of the DPA Panel and the FDPIC. The services of EU DPAs are provided at no cost to you.

Updates to Privacy Shield Privacy Policy

Engine Yard may update this Privacy Shield Privacy Policy from time to time to reflect changes in its services and Customer feedback, and such changes shall become effective promptly after they are posted. Engine Yard encourages Customers to periodically review this Privacy Shield Privacy Policy to be informed of any changes.

This Privacy Shield Privacy Policy was last updated on May 25, 2017.