eu safe harbor policy

Engine Yard EU / Swiss Safe Harbor Policy

Safe Harbor Privacy Policy

Engine Yard is committed to conducting its business in a manner that complies with the U.S. - EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce (collectively, the “Safe Harbor Principles”). The Safe Harbor Principles provide a framework for U.S. businesses with respect to their privacy practices as they relate to information regarding an identified or identifiable natural person (“Personal Data”). For more information regarding the Safe Harbor Principles, please visit http://www.export.gov/safeharbor/.

This Safe Harbor Privacy Policy applies to Engine Yard’s processing of Personal Data that is stored on Engine Yard’s servers at the direction of Engine Yard’s customers and their end users located in European Union member countries and Switzerland. It does not apply to Personal Data collected by Engine Yard directly from its customers. For information regarding Engine Yard’s use, disclosure and handling of information collected by Engine Yard directly from its customers located in European Union member countries or Switzerland, please see the Engine Yard Privacy Statement located at http://www.engineyard.com/policies/privacy.

Data Processor

Engine Yard provides hosting services for customers who develop and deploy applications using the Ruby programming language. As a hosting company, Engine Yard provides the technology platform from which its customers (“Customers”) make their applications (“Customer Applications”) available. Engine Yard does not own, control or direct the use any of the information stored or processed by any Customer via its Customer Application. Only the Customer or the end users of the Customer Application (“End Users”) are entitled to access, retrieve and direct the use of such information. Engine Yard is largely unaware of what information is actually being stored or made available by Customers on their Customer Applications and does not directly access such information or data except as authorized by the Customer or as necessary to provide services to the Customer. Except as provided in this Safe Harbor Privacy Policy, Engine Yard does not independently cause data stored in connection with the Customer Application to be transferred or otherwise made available to third parties (except to third party subcontractors who may process such data on behalf of Engine Yard in connection with Engine Yard’s provision of services to Customers). Instead, such actions are performed or authorized only by the applicable Customer or the End User. Engine Yard should be considered only as a processor on behalf of its Customers as to any Personal Data transferred from European Union member countries or Switzerland to the United States that is subject to the requirements of the EU Data Protection Directive 95/46/EC (“ EU Directive”) or the Swiss Federal Act on Data Protection (“Swiss Act”). The EU Directive and the Swiss Act will sometimes be referred to hereinafter collectively as the “Privacy Rules”. The Customer or the End User is the “Data Controller” under the Privacy Rules, meaning that such party controls the manner Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data. Engine Yard is not responsible for the content of the Personal Data or other information stored on its servers at the direction of the Customer or the End Users. Nor is Engine Yard responsible for the manner in which the Customer or the End Users collect, handle, disclose and distribute such information.

Data Controller

The Safe Harbor Principles require that those who collect and determine the purposes and the means of the processing of Personal Data adhere to certain requirements to comply with the Privacy Rules. The specific functions of a Data Controller depend on the laws of each EU member state, and of Switzerland. However, because Engine Yard does not collect or determine the use of any Personal Data stored on its servers in connection with the Customer Applications, and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such data, Engine Yard is not acting in the capacity of Data Controller and (a) does not have the associated responsibilities under the EU Directive or the U.S. - EU Safe Harbor Framework, and (b) has those associated responsibilities only to the limited extent they have been imposed on data processors under the Swiss Act or the U.S. – Swiss Safe Harbor Framework.

Customer Agreement and Security

Engine Yard and each Customer located in European Union member countries or Switzerland will enter into an agreement that specifies each party’s role in complying with the EU Directive, the Swiss Act, and the Safe Harbor Principles, as applicable. The contract with such a Customer will also specify that the Customer is responsible for security measures with respect to the Customer Application and Personal Data accessible via the Customer Application. Although Engine Yard has implemented commercially reasonable security measures to protect data stored on its servers, Customer and its End Users are ultimately in control of whether the Personal Data associated with a Customer Application is made available to third parties through such Customer Application. Engine Yard will comply with Customer’s instructions with respect to the return or destruction of Personal Data stored on Engine Yard’s servers.

In its role as a processor of Personal Data on behalf of its Customers, Engine Yard is not able to or required to apply all of the Safe Harbor Principles to Personal Data subject to the EU Directive or the Swiss Act that is received for processing from Customers or End Users, except to the limited extent the U.S. – Swiss Safe Harbor Framework has been imposed on data processors under the Swiss Act. Subject to that qualification, Engine Yard’s role as a data processor is to assist the Customer, at the Customer’s request, in complying with its obligations under the EU Directive and the Swiss Act.

Notice

Engine Yard requires that its Customers located in European Union member countries or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the European Union or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide the notices and obtain the consents required under the EU Directive and the Swiss Act with respect to Personal Data.

Data Integrity

Engine Yard is not authorized to access or manipulate Personal Data located on its servers other than as necessary to provide services to a Customer or as otherwise permitted or directed by such Customer. Engine Yard takes reasonable steps to assure that Personal Data transferred from the European Union or Switzerland to the United States and stored on Engine Yard’s servers in connection with a Customer Application is maintained in a reliable, accurate and complete state, subject to any deficiencies in the state in which such Personal Data was received.

Security

The control, access, and security of the Personal Data stored on the Engine Yard servers in connection with a Customer Application is in the direct and primary control of, and subject to the security measures undertaken by, the Customer with respect to such Customer Application. Subject to the foregoing, Engine Yard has in place information security procedures and commercially reasonable security measures designed to protect Personal Data stored on its servers from loss, misuse, unauthorized access, disclosure, alteration and destruction. Customers will be notified of any breach with respect to Personal Data of security measures implemented by Engine Yard of which Engine Yard becomes aware.

Any compromise of security or potential compromise of security of which a Customer becomes aware and any inquiries concerning security should be reported promptly by such Customer to Engine Yard. Contact information is provided below.

Director of Information Security & Compliance

Engine Yard, Inc.

PO Box 77130

San Francisco, CA 94107

And to:

security@engineyard.com

Enforcement

Individuals who wish to file a complaint or who take issue with Engine Yard’s Safe Harbor Privacy Policy should direct such communication to the Engine Yard contact set forth immediately above (“Privacy Administrator”) who can explain the process to be followed when filing a complaint. Should an individual be unable to resolve a complaint after having contacted the Privacy Administrator, that individual can contact the International Centre for Dispute Resolution of the American Arbitration Association at www.adr.org. This organization will provide independent dispute resolution in which Engine Yard will participate. Engine Yard is subject to the jurisdiction of the U.S. Federal Trade Commission, which may be contacted at the following address:

Federal Trade Commission
Attn: Consumer Response text-center

600 Pennsylvania Avenue NW

Washington, D.C. 20580

consumerline@ftc.gov
www.ftc.gov

Limitations

Engine Yard’s adherence to the Safe Harbor Principles is limited to the extent permitted or required by applicable United States laws, rules or regulations.

Updates to Safe Harbor Privacy Policy

Engine Yard may update this Safe Harbor Privacy Policy from time to time to reflect changes in its services and Customer feedback, and such changes shall become effective promptly after they are posted. Engine Yard encourages Customers to periodically review this Safe Harbor Privacy Policy to be informed of any changes. This Safe Harbor Privacy Policy was last updated on August 28, 2012.