How do we keep compliance with the GDPR?

Introduction

Port enables developers and DevOps teams at our clients ("Clients") to build a service/software catalog and to offer developer self-service actions. Port takes data privacy seriously and is dedicated to complying with all relevant data protection laws, including the General Data Protection Regulation 2016/679 (the GDPR).

In this document, we have outlined the key aspects of our privacy policies and procedures, as well as answered frequently asked questions about GDPR compliance.

For any further questions, do not hesitate to contact your Port representative, or use the contact details provided below.

What is the GDPR?

Since 25 May 2018, the GDPR has been the main regulation governing the protection of personal data throughout the European Union and the European Economic Area (EEA: the EU plus Iceland, Liechtenstein and Norway). Because of its extraterritorial scope it also reaches organizations outside those territories (in Switzerland, for example) that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA.

The United Kingdom was a member of the European Union until 31 January 2020. Following the end of the Brexit transition period on 31 December 2020, the EU GDPR no longer applies in the UK; instead, the UK GDPR (the EU text retained in UK law) and the UK Data Protection Act 2018 apply, and their requirements are materially similar to the GDPR. Companies such as Port must therefore comply with both the GDPR and the UK data protection regime.

Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (a “data subject”). It includes not only directly identifying data such as names and email addresses, but also online identifiers such as IP addresses and device identifiers, and other pseudonymous data that can be linked back to a person.

The GDPR identifies two types of entities which process personal data – a Controller, which determines the purposes and means of the processing, and a Processor, which processes personal data on the Controller's behalf and on its documented instructions. When you purchase or use any of Port's products, Port processes the personal data you put into the product on your behalf, which makes you a Controller and Port a Processor. (For personal data that Port collects for its own purposes, such as account, billing and website data, Port acts as a Controller; see "Learn More" below.)

We continually monitor developments of worldwide data protection regulations and will update our policies, contracts and processes, in order to remain aligned with applicable laws.

Technical and Organizational Information Security Measures

Port takes appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We use industry-standard security measures, such as encryption and access controls, to safeguard personal data. We also conduct regular security assessments and audits to identify and mitigate potential security risks.

We are proud to hold a SOC 2® Type II attestation report, in which an independent auditor examines the design and operating effectiveness of our controls over a review period against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Regular audits ensure that our controls are consistently maintained to protect our systems and your data.

Furthermore, as an ISO 27001 certified organization, we follow a systematic approach to managing sensitive company information. This certification demonstrates our commitment to information security, ensuring we continually assess and mitigate security risks through our Information Security Management System (ISMS). Key controls include:

  • Data Encryption: All data is encrypted in transit and at rest using current industry-standard protocols and ciphers.
  • Access Controls: Strict access control policies ensure that only authorized personnel, on a need-to-know basis, have access to sensitive information.
  • Regular Security Audits: We conduct regular security audits and vulnerability assessments to proactively identify and resolve potential threats.
  • Incident Response: Our incident response team is equipped to act swiftly to contain security incidents and mitigate their impact.

At Port, security and compliance are at the heart of everything we do. By partnering with us, you can trust that your data is protected and managed according to the highest standards in the industry.

What Personal Data is Port Processing?

Port's products are built for engineers, DevOps and R&D teams and operate on engineering metadata (services, resources, deployments and similar), so they are not designed to collect personal data, and Port does not knowingly collect personal data beyond what is necessary to provide its services.

However, in certain cases, the information our solution collects may include residual personal data. The sets of personal data that may be collected vary from Client to Client, as the systems that Port integrates with at each Client can differ materially. Regardless, Port does not use personal data collected through its solutions for any purpose of its own, and uses only aggregated and anonymized data to provide and improve its services.

Port adheres to the principles of purpose limitation and data minimization. Therefore, Port processes personal data only as necessary to provide its services to the Port Clients who authorize the processing of such data.

Third-Party Service Providers and Sub-Processors

Port may share data processed through its product with a limited number of third-party service providers as necessary for the operation of the services.

Before sharing any data with a third-party provider, Port assesses the provider to ensure that it offers appropriate safeguards to protect the privacy and security of the data, in compliance with GDPR requirements.

Please follow this link to view our Sub-Processor List.

Any transfer of personal information is subject to a data processing agreement (DPA) that details the parties' obligations under the applicable privacy laws and implements all safeguards required by law, so that personal data is always treated in accordance with privacy laws and industry best practice, wherever it may be transferred. These DPAs apply to any transfer outside Port.

Whenever required by law, Port also implements the European Commission's Standard Contractual Clauses (SCCs) adopted under the GDPR, or their UK counterpart (the International Data Transfer Agreement or the UK Addendum to the SCCs), providing further protection in privacy and security matters whenever personal information is transferred to countries outside the EEA or the UK that do not benefit from an adequacy decision.

Port DPAs also oblige the receiving party to assist Port and to maintain various security mechanisms, all to ensure the security of the personal information transferred. For example, data recipients must:

  • Implement and maintain appropriate technical and organizational measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
  • Comply with a detailed list of security measures, including maintaining a written security management system; maintaining a security policy that is regularly reviewed; applying encryption; maintaining a firewall configuration; and limiting the storage of personal information to what is necessary.
  • Conduct periodic reviews of network security and adequacy, measured against industry security standards.
  • Notify Port without undue delay after becoming aware of a security incident, and assist in its investigation and resolution.

How Does Port Ensure the Security of Personal Data?

We are fully committed to keeping all of your personal data safe and to following all the requirements of the GDPR, including but not limited to:

  • Entering into data processing agreements (DPAs) with all our vendors;
  • Performing reviews, audits, gap analyses and data protection impact assessments to mitigate the risks that can result from processing personal data;
  • Keeping all internal and external data protection policies up to date;
  • Retaining only the minimum personal data necessary, and no longer than the law requires;
  • Training our employees to be aware of the risks that can arise from processing personal data;
  • Storing, transferring and handling your personal data outside the EEA only under adequate transfer mechanisms;
  • Continually investing in, updating and monitoring our security systems (including but not limited to transport security, storage, access control and physical security across all of Port's servers) to prevent any unauthorized access to your personal data; and
  • Obtaining support from expert law firms and independent GDPR consultants.

International Data Transfers

As an international company, Port processes personal data on secure servers in several locations, both within the European Economic Area (EEA) and outside it. Port needs to transfer personal data outside the EEA to provide all the elements of its services and products.

To make sure all international transfers are secure and consistent with the requirements of the GDPR and any other applicable data protection law, Port has the following measures in place:

  • All of Port's subsidiaries have entered into an intra-group data sharing agreement. This agreement incorporates all of Port's relevant obligations under data protection laws, and incorporates the European Commission's approved "Standard Contractual Clauses".
  • When transferring personal data to a third party, Port enters into a data sharing agreement with that third party. These agreements adhere to the requirements of applicable data protection laws and incorporate the abovementioned Standard Contractual Clauses.
  • In addition, some of Port's subsidiaries are located in countries for which the European Commission has issued an adequacy decision (e.g., Israel and the United Kingdom), so transfers of personal data to those countries do not require additional safeguards such as SCCs.

Learn More

If you want to learn more about our commitment to the GDPR when we act as a controller of the personal data of our clients, website visitors and end-users, we invite you to review our Privacy Policy or to contact us at GDPR-inquiries@getport.io.