EU Data Protection
Fivetran prioritizes customer trust. We know that the safekeeping of customer data is critically important to our customers’ values and operations. That is why we keep it private and safe.
Fivetran helps customers maintain control of privacy and data security in multiple ways:
- Data Security: Fivetran provides our customers compliance with high security standards, such as encryption of data in transit and at rest, auditing standards (SOC 2) and a support team that is on-call 24/7.
- Disclosure of Customer Data: Fivetran only discloses customer data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Trust: Fivetran has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed Fivetran’s adherence to high industry standards.
- Access Management: Fivetran provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer's data for any purpose other than providing, maintaining and improving the Fivetran services and as otherwise required by law.
What is Customer Data?
Customer Data is any information, including personal data, which is replicated via the Fivetran services, by, or on behalf of, our customers and their end-users.
Who owns control of the Customer Data?
From a privacy perspective, the customer is the controller of Customer Data, and Fivetran is a processor. This means that throughout the time that a customer subscribes to services with Fivetran, the customer retains ownership of and control over Customer Data in its account.
Who are Fivetran’s sub-processors?
Fivetran maintains an up-to-date list of the names and locations of all sub-processors (including members of the Fivetran subsidiaries and third parties) used for hosting or other processing of Customer Data, which can be found here. The list includes the ability for our customers to sign up for notifications of changes. The list also may be obtained by contacting email@example.com.
How does Fivetran process Customer Data?
Fivetran replicates data from Customer databases and cloud sources, processes and loads it into the Customer’s destination. Data is not stored longer than 24 hours on Fivetran servers.
What steps does Fivetran take to secure Service Data?
Fivetran prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.
Where will Customer Data be stored?
Fivetran runs data connectors on servers in the US and EU regions. Customers can configure which of their connectors run in which regions using the dashboard. If customers configure their connectors to use our EU servers, their data will not leave the EU during processing. Customer Data is cached on Fivetran servers while operations are running, and is expunged within 24 hours after completion.
How does Fivetran Respond to Information Requests?
GDPR (General Data Protection Regulation)
Fivetran has a strong commitment to privacy, security, compliance and transparency. This includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”).
If a Fivetran customer collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to comply with specific technical and organizational requirement. Fivetran does not persistently store Customer Data but we nevertheless assist customers to meet their obligations to:
- Respond to requests from data subjects to correct, amend or delete personal data;
- Report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes;
- Demonstrate compliance with the GDPR as pertaining to Fivetran’s services.
How does the GDPR apply to customers?
Fivetran customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR.
What implications does GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
How has Fivetran been preparing for the GDPR?
Our privacy team has been working with customers around the world to answer their questions and to help them use Fivetran’s Services since the GDPR became effective. Additionally, our privacy team is continuing its review of Fivetran’s current product features and practices (including adding features such as column exclusion and column hashing) to ensure we support our customers with their GDPR compliance requirements.
Which Fivetran services and features can support customers compliance with the GDPR?
All Fivetran services are GDPR compliant, so customers can use any available Fivetran service and remain GDPR compliant.
What is a Data Processing Agreement (“DPA”)?
Fivetran offers customers a robust Data Processing Agreement (“DPA”), governing the relationship between the customer (acting as a data controller) and Fivetran (acting as a data processor). The DPA facilitates Fivetran’s customers’ compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments focused around data replication that has been updated to confirm our compliance with the GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to warehouses outside of the European Union in accordance with GDPR requirements.
Is Fivetran certified under the Privacy Shield?
Fivetran has certified its compliance with the EU-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.