Fivetran prioritizes customer trust. We know that the safekeeping of customer data is critically important to our customers’ values and operations. That is why we keep it private and safe.
Fivetran helps customers maintain control of privacy and data security in multiple ways:
- Data Security: Fivetran provides our customers with compliance with high security standards, such as encryption of data in transit and at rest, auditing standards (SOC 2), and a support team that is on call 24/7.
- Disclosure of Customer Data: Fivetran only discloses customer data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Trust: Fivetran has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed Fivetran’s adherence to high industry standards.
- Access Management: Fivetran provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customers’ data for any purpose other than providing, maintaining and improving the Fivetran services and as otherwise required by law.
What is Customer Data?
Customer Data is any information, including personal data, which is replicated via the Fivetran services, by, or on behalf of, our customers and their end-users.
Who owns and controls the Customer Data?
From a privacy perspective, the customer is the controller of Customer Data, and Fivetran is a processor. This means that throughout the time that a customer subscribes to services with Fivetran, the customer retains ownership of and control over Customer Data in its account.
Who are Fivetran’s sub-processors?
Fivetran maintains an up-to-date list of the names and locations of all sub-processors (including members of the Fivetran subsidiaries and third parties) used for hosting or other processing of Customer Data, which can be found here. The list includes the ability for our customers to sign up for notifications of changes. The list also may be obtained by contacting firstname.lastname@example.org.
How does Fivetran process Customer Data?
Fivetran replicates data from Customer databases and cloud sources, processes it, and loads it into the Customer’s destination.
To learn more about our data handling and retention periods, see Retention of customer data.
What steps does Fivetran take to secure Service Data?
Fivetran prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.
Where will Customer Data be stored?
Fivetran runs data connectors on servers in the United States (US), Canada, European Union (EU), United Kingdom (UK), Australia, and Singapore. When customers create a destination, they select the region to be used for the destination and the connectors in this destination. If customers configure their connectors to use our EU servers, their data will not leave the EU during processing, including connectors that sync webhooks and event data. See our Fivetran Data Residency documentation for details. Customer Data is cached on Fivetran servers while operations are running, and is purged from Fivetran’s system as soon as it is successfully written to the destination. See our Data Retention documentation for details.
How does Fivetran Respond to Information Requests?
GDPR (General Data Protection Regulation)
Fivetran has a strong commitment to privacy, security, compliance and transparency. This includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”).
If a Fivetran customer collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to comply with specific technical and organizational requirements. Fivetran does not persistently store Customer Data, but we nevertheless assist customers in meeting their obligations to:
- Respond to requests from data subjects to correct, amend or delete personal data;
- Report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes;
- Demonstrate compliance with the GDPR as pertaining to Fivetran’s services.
How does the GDPR apply to customers?
Fivetran customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR.
What implications does GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
How has Fivetran been preparing for the GDPR?
Our privacy team has been working with customers around the world to answer their questions and to help them use Fivetran’s Services since the GDPR became effective. Additionally, our privacy team is continuing its review of Fivetran’s current product features and practices (including adding features such as column exclusion and column hashing) to ensure we support our customers with their GDPR compliance requirements.
Which Fivetran services and features can support customers’ compliance with the GDPR?
All Fivetran services are GDPR compliant, so customers can use any available Fivetran service and remain GDPR compliant.
What is a Data Processing Agreement (“DPA”)?
Fivetran offers customers a robust Data Processing Agreement (“DPA”), governing the relationship between the customer (acting as a data controller) and Fivetran (acting as a data processor). The DPA facilitates Fivetran’s customers’ compliance with their obligations under EU data protection law. Our DPA, which has been updated to confirm our compliance with the GDPR, contains strong privacy commitments focused on data replication. Our DPA also contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to warehouses outside of the European Union in accordance with GDPR requirements.
Is Fivetran certified under the Privacy Shield?
Fivetran has certified its compliance with the EU-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
Nonetheless, in accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as “Schrems II”), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-U.S. and Swiss-U.S. Privacy Shield principles for all personal information transferred to the U.S. in reliance on such certifications prior to July 16, 2020.