Since the EU first announced its General Data Protection Regulation (GDPR) in April 2016, there has been widespread discussion about the law’s regulatory implications. By the May 25, 2018 deadline, companies had to make significant changes to the ways they processed, used and exchanged personal data, or risk major fines and reputational damage.
Let’s start by making this clear: All Fivetran services are GDPR-compliant.
Fivetran is registered with the Privacy Shield program, and our registration details can be verified directly on the Privacy Shield website.
At Fivetran, we prioritise our customers’ trust by keeping data private and safe. We combine enterprise-class security features with comprehensive audits of our applications, systems and networks to facilitate compliance with EU data protection requirements. After all, we know the safekeeping of your data is critical to your values and operations.
We help you maintain data privacy and security in a number of ways:
Fivetran does not retain data. We replicate data from your databases and cloud sources, process it, and load it into your data warehouse, after which we remove it from our servers. Data is never stored longer than 24 hours on Fivetran servers. As a Fivetran customer, you retain ownership of and control over customer data.
EU servers. This year we added EU servers in Frankfurt and Belgium. While we maintain GDPR compliance on our US servers, we’re aware that customers might need the personally identifiable information (PII) data of EU citizens to remain within the legal jurisdiction of the EU.
A robust DPA. We offer customers a robust data processing agreement (DPA), which governs the relationship between the customer (acting as data controller) and Fivetran (acting as data processor). The DPA facilitates customers’ compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments focused on data replication, and we’ve updated them to ensure compliance with GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to warehouses outside of the European Union in accordance with GDPR requirements.
Data encryption. Using a key unique to each process, we encrypt data both in transit and at rest as it passes through Fivetran.
Auditing standards. We’re compliant with SOC 2. We conduct an independent AT101/SOC 2 audit annually and make the report available under a non-disclosure agreement to all existing and prospective customers upon request.
Compliance with HIPAA requirements for protected health information (PHI). Fivetran will sign a business associate agreement (BAA) with customers subject to HIPAA mandates. Note that Fivetran does not persist ePHI in its systems beyond the 24 hours needed for processing.
Column blocking and column hashing. Column blocking, currently available for eight of our most popular connectors (with more planned for the future), lets you exclude specific columns from replication so that PII never reaches your data warehouse. Column hashing lets you hash sensitive data while still performing joins across tables in your warehouse.
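To make the column blocking and column hashing idea concrete, here is an added example; it is not Fivetran's code, and this page does not describe how Fivetran's hashing is implemented. It assumes a deterministic keyed hash (HMAC-SHA256 with a secret key) so that equal values hash to equal values and joins keep working; the key, the two tables and the column policy are all constructed for the example.

```python
import hashlib
import hmac

# Constructed key for the example; a real deployment would hold this in a secrets store.
HASH_KEY = b"example-secret-key-not-for-production"


def hash_value(value, key=HASH_KEY):
    """Deterministic keyed hash (HMAC-SHA256) of one column value.

    Equal inputs give equal outputs, so joins on the hashed column still match.
    The key prevents anyone without it from rebuilding the mapping by hashing
    guessed values such as a list of email addresses."""
    if value is None:
        return None
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()


def apply_column_policy(rows, blocked=(), hashed=()):
    """Drop blocked columns and hash sensitive ones before the rows are loaded."""
    out = []
    for row in rows:
        new_row = {}
        for col, val in row.items():
            if col in blocked:
                continue  # blocked column never leaves the pipeline
            new_row[col] = hash_value(val) if col in hashed else val
        out.append(new_row)
    return out


# Constructed sample data: a contacts table and a tickets table sharing an email column.
CONTACTS = [
    {"email": "alice@example.com", "name": "Alice", "plan": "pro"},
    {"email": "bob@example.com", "name": "Bob", "plan": "free"},
]
TICKETS = [
    {"ticket_id": 1, "email": "alice@example.com", "subject": "login"},
    {"ticket_id": 2, "email": "carol@example.com", "subject": "billing"},
]


def join_on_hashed_email():
    """Block the name column, hash email in both tables, then join on the hash."""
    contacts = apply_column_policy(CONTACTS, blocked={"name"}, hashed={"email"})
    tickets = apply_column_policy(TICKETS, hashed={"email"})
    by_email = {c["email"]: c for c in contacts}
    return [
        {"ticket_id": t["ticket_id"], "plan": by_email[t["email"]]["plan"]}
        for t in tickets
        if t["email"] in by_email
    ]
```

Deterministic hashing preserves equality, which is what keeps joins working, so an unkeyed hash of low-entropy values like email addresses could be matched by hashing guesses; the secret key is what closes that gap.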
Disclosure of customer data. Fivetran only discloses customer data to third parties where disclosure is necessary to provide services or comply with lawful requests from public authorities.
Access management. Fivetran provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer data for any purpose other than providing, maintaining and improving Fivetran services and as otherwise required by law.
Our documentation contains further details about our commitment to security and EU data protection. If you want to learn more, feel free to reach out to our support team, which is on call 24/7.