PIPEDA FAQ

What services does DigitalOcean offer?

DigitalOcean is a cloud computing platform that provides a cloud platform to deploy, manage, and scale applications of any size. Its infrastructure and platform-as-a-service solutions provide a no DevOps required experience, allowing developers to focus their energy on creating innovative software. By combining the power of simplicity, love for the developer community, an obsession for customer service, and the advantages of open source, DigitalOcean brings software development within the technical and economic reach of anyone around the world.

How does DigitalOcean deliver its services?

DigitalOcean delivers its services via the Internet. Customers log into DigitalOcean’s services through a website using unique usernames and passwords. DigitalOcean’s services allow for various additional authentication methods that may be activated by customers, as appropriate to their needs, such as two-factor authentication. We also serve our customers through what is known in the industry as cloud-based services architecture, which is designed for security, efficiency, availability, scalability, and rapid innovation.

Where does DigitalOcean host Customer Data?

DigitalOcean’s services are hosted in various locations depending on customer instructions and each specific service provided. Please refer to DigitalOcean’s Trust Platform available at https://www.digitalocean.com/trust/ for more information on our data center locations and our use of public cloud infrastructure. If you have questions, please contact privacy@digitalocean.com

Does DigitalOcean comply with PIPEDA?

Yes. DigitalOcean complies with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) as it applies to DigitalOcean in provisioning and operating our services.

Does PIPEDA permit the cross-border transfer of personal information?

Yes. The Office of the Privacy Commissioner of Canada’s Processing Personal Data Across Borders Guidelines (the “Guidelines”), available at https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/, state that “PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.” The Guidelines further clarify that organizations responsible for personal information must use contractual or other means to ensure a comparable level of protection for personal information after it is transferred. 

The Guidelines state that a “transfer” of personal information to another organization for processing purposes is a “use” rather than a “disclosure” of the information assuming that the transferred information is processed only for purposes consistent with the purposes for which it was originally collected. The distinction between “uses” and “disclosures” of personal information is important because disclosures of personal information require additional consent from the individual to whom the personal information relates. 

Uses of personal information by DigitalOcean are referred to throughout this FAQ as “processing.”

Does submission of personal information to DigitalOcean’s services require the consent of the individual to whom personal information relates?

No. Submission of Canadian personal information to DigitalOcean’s services is a use, rather than a disclosure, of such information under PIPEDA. DigitalOcean’s customers solely determine what personal information is submitted to and processed by our services. In providing our services, we process personal information only in accordance with the instructions of our customers and as otherwise consistent with our Terms of Service (https://www.digitalocean.com/legal/terms-of-service-agreement/).

How does DigitalOcean help customers ensure compliance with PIPEDA in their use of DigitalOcean’s services?

DigitalOcean educates and empowers individuals and customers to take a proactive role in the management of their data. The DigitalOcean privacy landing page at https://www.digitalocean.com/legal/privacy-policy/ includes links to a variety of resources describing how we protect personal data, such as our customer data processing addendum (https://www.digitalocean.com/legal/data-processing-agreement/), which contains (i) an obligation for DigitalOcean to use and disclose personal information in accordance with agreed processing terms; (ii) a commitment to assist customers in responding to the exercise of rights by individuals whose personal information is processed by customers on DigitalOcean services; (iii) measures related to confidentiality obligations of DigitalOcean’s personnel; (iv) obligations regarding DigitalOcean’s use of subcontractors engaged in the processing of personal data; (v) information about DigitalOcean’s security controls; (vi) security breach notification commitments; (vii) provisions governing the cross-border transfer of personal data; and (viii) details regarding DigitalOcean’s compliance with customer data deletion requests.

We incorporate privacy and data protection concepts into our product lifecycle from the design phase to the marketing of new services and features. Additionally, when a service or feature is released, it is described in product documentation and release notes so that customers can perform their own evaluations.

How does DigitalOcean help protect Customer Data?

DigitalOcean has a robust and comprehensive privacy and security program addressing the use, disclosure, and protection of Customer Data. DigitalOcean has implemented an array of technical measures to help secure its services. A third party regularly certifies, validates, and audits DigitalOcean’s information technology and controls. For further details on DigitalOcean’s privacy and security program, please see the Trust Platform, available at https://www.digitalocean.com/trust/.