Last Updated: August 12, 2020
Our commitment to you and the protection of your data
Complying with the GDPR
What specific information does Pivotal Tracker collect about you and how is it used?
International data transfers
What third parties do we share information with?
Data portability solutions and data management tools
Does VMware process personal data of its customers?
Where is Tracker hosted, and where is my data located?
Is any customer data stored outside of the United states?
How is access to project data managed?
Apart from project owners and members, who else can access my project data?
What controls are in place to protect Pivotal Tracker servers and data?
Is data encrypted at rest?
How is customer data backed up?
Does Pivotal Tracker have a disaster recovery plan?
How reliable is Pivotal Tracker, and how can i monitor system status?
How do you respond to known security vulnerabilities?
How is Pivotal Tracker tested for potential security vulnerabilities?
What development process does the Pivotal Tracker team follow?
Is Pivotal Tracker certified to any documented standards (e.g., ISO 27001, SSAE16 SOC-1, SOC-2, GSA, PCI, or HIPAA))?
How can I get more information?
PIVOTAL TRACKER AND GDPR COMPLIANCE
OUR COMMITMENT TO YOU AND THE PROTECTION OF YOUR DATA
VMware is committed to the security and privacy of our customers. The General Data Protection Regulation (“GDPR”) came into effect on May 25, 2018, and impacts any company processing the data of EU citizens or residents, even if the company is not EU-based. The GDPR sets forth how companies should handle privacy issues, securely store data, and respond to security breaches. GDPR places obligations on both service providers (the controller) but also to third parties subcontracted by service providers (subprocessors).
Ultimately, the law makes it easier for customers to understand how we use and protect their personal information.
As a result Pivotal, a wholly owned subsidiary of VMware, worked diligently to ensure that Pivotal Tracker is in compliance with the GDPR, without sacrificing the performance and quality that our customers have come to expect from Pivotal Tracker. This effort continues through constant attention to the privacy and security of data handled by Tracker and its subprocessors.
On this page, we’ll explain how we have achieved GDPR compliance both for Pivotal Tracker users and ourselves.
COMPLYING WITH THE GDPR
The GDPR contains significant obligations for companies who may have access to the personal data of EU citizens and residents. We appreciate that Pivotal Tracker’s users have their own requirements under GDPR that are impacted by how they use Pivotal Tracker, and our global team continues to work diligently to take steps to comply with GDPR and ensure our customers can comply with GDPR with use of our service. We will continue to monitor GDPR developments and adjust as necessary to stay current.
Some examples of steps that the Pivotal Tracker team takes in order to satisfy GDPR requirements that are applicable to both VMware and our customers include:
- Reviewing and documenting data flows that involve customer information, including what personal data is stored and for what period of time
- Reviewing and removing any unnecessary handling and storage of data
- Defining, documenting, and implementing a process to regularly review and audit the data we hold
- Listing all GDPR compliant subprocessors of personal data (see below)
- Enabling the right to data portability
- Defining, documenting, and implementing a process for handling “right to be forgotten” deletion requests
- Executing Standard Contractual Clauses through our updated Data Processing Addendum in order to hold subprocessors to the same practices and standards to which we hold ourselves
- Reviewing and documenting our data retention policy
- Reviewing and documenting our process for handling security incidents
- Providing data privacy education for the Tracker team
- Carrying out data impact assessments and, if appropriate, consulting with EU regulators
- Ensuring explicit opt-in for marketing emails
- Making it clear how to remove consent for cookies or marketing emails
WHAT SPECIFIC INFORMATION DOES PIVOTAL TRACKER COLLECT ABOUT YOU AND HOW IS IT USED?
Given the nature of our service, Pivotal Tracker does not know if the content that a customer chooses to enter or upload into Pivotal Tracker is “personal data” as defined by the GDPR. For a further description of customer application data, see the Data Security information below.
- Openid_email (if supplied by data subject)
- IP address
- Geographic location
- Avatar photo (if supplied by data subject)
VMware may share the information above with certain third parties, in each case in compliance with applicable privacy laws. VMware uses this information in order to enable users to sign up and use Pivotal Tracker, to be uniquely identified so that their activity in Pivotal Tracker is visible to their teammates, logged for troubleshooting and auditing purposes, so that their work in Pivotal Tracker can be searched for, for analysing usage so that the impact of changes to Pivotal Tracker can be measured and monitored, so Pivotal Tracker can be better enhanced to meet user needs, and so that we may send email such as payment receipts, notifications of Pivotal Tracker activity, also the onboarding information and newsletters customers have consented to.
INTERNATIONAL DATA TRANSFERS
In addition to our compliance efforts regarding the GDPR, Pivotal Tracker offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers that operate in the European Union, and other international transfers of customer data, in order to ensure that Pivotal is compliant with applicable data protection requirements if users transfer personal data using Pivotal Tracker from the EU to the United States.
WHAT THIRD PARTIES DO WE SHARE INFORMATION WITH?
To support delivery of our Service Offering, Pivotal Tracker may engage and use data processors with access to certain customer data (each, a “Subprocessor”). Pivotal Tracker’s Subprocessors include:
|Entity Name||Subprocessing Activities||Entity Country|
|Amazon Web Services (S3)||Cloud file attachment storage services||United States|
|Freshworks||Freshdesk customer support ticketing||United States|
|Google Cloud Platform||Cloud service provider||United States|
|Google Analytics||User analytics service provider||United States|
|Google Stackdriver/BigQuery||Cloud-based log management services||United States|
|Hubspot, Inc.||Customer relationship management service provider||United States|
|Marketo||Email service and marketing automation provider||United States|
|Mixpanel, Inc.||User analytics service provider||United States|
|New Relic, Inc.||Application performance monitoring service||United States|
|Salesforce||Sales productivity platform provider||United States|
|SendGrid, Inc.||Cloud-based email notification services||United States|
|Stripe||Payment processing services||United States|
Our Subprocessors may change as our product evolves. We will endeavor to provide customers with notices of any new Subprocessors, and post such updates here.
DATA PORTABILITY SOLUTIONS AND DATA MANAGEMENT TOOLS
To assist our customers in their own efforts to comply with the GDPR, Pivotal Tracker provides the following tools:
- Pivotal Tracker project data can be exported to CSV file or accessed via the API (by users with the correct permissions) in order to store or move it outside of Pivotal Tracker.
- Tracker user login profile data can be updated by the owner of the login profile. This includes, name, initials, email address and optional avatar photo. An open_id email address associated with a login can also be removed.
- Tracker user logins can be removed by contacting firstname.lastname@example.org. We retain the name and initials in order to keep the history of project and story activity intact in Tracker. This is to avoid confusion about who worked on stories in Tracker and allows an organization to audit activity accurately. However a user can change their name and initials in their Tracker Profile before making the removal request.
- Pivotal Tracker accounts, projects, individual stories and attachments to those stories can all be deleted (by users with the correct permissions). Additional data deletion requests can be made by contacting email@example.com.
- Data in Pivotal Tracker projects, stories and attachments to those stories can be corrected directly (by users with the correct permissions).
Remaining compliant with the GDPR and applicable privacy laws requires ongoing review and iteration, and is of the utmost importance to VMware. The content of this document will be updated by VMware from time to time as more GDPR-related information becomes available. Should you have any questions, please do not hesitate to email us at firstname.lastname@example.org.
PIVOTAL TRACKER AND DATA SECURITY AND RELIABILITY
The security and privacy of your personal, payment, and project information is very important to us. Tracker runs in an an enterprise-grade hosting environment, we employ industry-standard means to protect your data, and all plans include SSL encryption. Credit card information is stored by Stripe, a trusted, Level 1 PCI DSS-compliant payment gateway and payment-processing provider.
DOES VMWARE PROCESS PERSONAL DATA OF ITS CUSTOMERS?
WHERE IS TRACKER HOSTED, AND WHERE IS MY DATA LOCATED?
The Pivotal Tracker production environment runs in a multi-zone cluster within a Virtual Private Cloud (VPC) on Google Cloud Platform (GCP), in the US Central (Iowa) Region.
Pivotal Tracker relies on a number of high-availability, scalable GCP services, including Google Compute Engine for computing resources, Google Cloud Storage (GCS), Google Cloud CDN and Google Cloud SQL for data storage.
Pivotal Tracker utilizes Amazon Web Services (AWS) Scalable Storage System (S3) for file attachments.
Google Cloud Platform compliance and security documentation can be found on the Google Cloud Platform Security and Compliance site.
Amazon Web Services compliance and security documentation can be found on the AWS Compliance site.
Pivotal Tracker does not store any customer credit card information. Credit cards are stored in a secure manner by Stripe, our PCI-compliant payment processor and gateway, and are referenced by token only.
IS ANY CUSTOMER DATA STORED OUTSIDE OF THE UNITED STATES?
All Pivotal Tracker services run within GCP and AWS regions in the United States. No data is stored outside of the United States.
HOW IS ACCESS TO PROJECT DATA MANAGED?
Registered Pivotal Tracker users can create “projects” and invite other users to these projects (subject to free or paid plan limits). Users can only access projects that they were explicitly invited to by the project’s owners, or projects that were explicitly designated as “public” by their owner(s). More information on project member roles can be found here.
In order to access data in private projects that they have been granted membership in, users must either sign in to the Pivotal Tracker website with a username and password (or their Google identity), access the API programmatically with a unique token, or via “webhook” activity feeds. API and webhook access to projects can be explicitly disabled by project owners.
Pivotal Tracker offers SAML-based Single Sign-on (SSO) as an option for enterprise customers.
APART FROM PROJECT OWNERS AND MEMBERS, WHO ELSE CAN ACCESS MY PROJECT DATA?
In addition to those explicitly invited to a project, the owner and administrators on the account that the project is part of can view project data and/or make changes to project memberships.
Public projects (i.e., projects that have the “public” access setting enabled by a project owner) can be seen (in read-only mode) by anyone on the Internet.
In enterprise accounts, project owners can designate their projects as “account visible.” Account-visible projects can be discovered and viewed by any member of that enterprise account.
Certain members of the dedicated Pivotal Tracker development and support team have access to data in the production environment, strictly for support and operations purposes. This level of access is granted to a subset of the dedicated Pivotal Tracker development and operations team, on a strict as-needed basis.
WHAT CONTROLS ARE IN PLACE TO PROTECT PIVOTAL TRACKER SERVERS AND DATA?
Access to the production environment (on GCP and AWS) is restricted to a small subset of the Pivotal Tracker development and operations team, also VMware’s Global Privacy team, who are all highly trusted, permanent VMware employees. Access is managed by VMware’s SSO system, with mandatory two-factor authentication (2FA).
All web and API requests to the Tracker application are logged and indexed, and include originating IP information.
All web and API access to Pivotal Tracker projects is exclusively via HTTP over TLS, with 2048-bit RSA public keys. Project data can be accessed via the API, using token authentication. API access is enabled for all projects by default, but may be disabled by project owners, account admins, and the account owner in Project Settings.
IS DATA ENCRYPTED AT REST?
Tracker project data is stored using GCP database services (CloudSQL), for which at-rest encryption is automatically provided.
In addition to at-rest encryption provided by GCP, we adhere to industry-best practices with respect to secure password storage at the database level, currently via a bcrypt adaptive hash algorithm that incorporates “salting” to make brute-force attacks extremely difficult. Other credentials (e.g., those used for external integrations) are stored using two-way AES encryption.
File attachments are stored on an encrypted AWS S3 bucket.
HOW IS CUSTOMER DATA BACKED UP?
Pivotal Tracker utilizes the Google Cloud SQL High Availability configuration option, with daily backup capability provided by Google Cloud SQL for point-in-time recovery.
In addition, every 6 hours a backup is restored to a disaster recovery database in a separate GCP region (US West), which would allow us to rebuild the production environment from scratch in the case of a catastrophic region failure.
File attachments are stored on a single S3 bucket. Information about AWS S3 data reliability can be found here.
DOES PIVOTAL TRACKER HAVE A DISASTER RECOVERY PLAN?
The Pivotal Tracker dev-ops team maintains a documented disaster recovery process that involves internal contact and escalation procedures, user communication, hosting provider contact and escalation, as well as system recovery instructions.
Should the availability zone where our database services are go down, the primary instance fail, or any other event resulting in the primary database instance becoming unavailable, automatic failover will take place. During an event triggering automatic failover, the database would be unavailable for between one and two minutes while the secondary database is promoted to the primary.
HOW RELIABLE IS PIVOTAL TRACKER, AND HOW CAN I MONITOR SYSTEM STATUS?
Pivotal Tracker is a mission-critical application for VMware, as well as for thousands of companies around the entire world. We invest heavily in making Tracker as reliable as possible, and a result, outages (planned or unplanned) of Pivotal Tracker are extremely rare. Uptime is typically 99.9% or above. You can check Pivotal Tracker’s current system, as well as historical uptime, on our system status monitoring page here.
In the rare case that a planned downtime is necessary for maintenance that cannot be performed on a rolling basis, customers are notified via in-application messaging multiple days in advance, and the maintenance is scheduled at a time with least possible impact on high-usage periods across all time zones.
HOW DO YOU RESPOND TO KNOWN SECURITY VULNERABILITIES?
From time to time, vulnerabilities in widely used software tools and libraries are identified that could lead to undesirable exploits. The Pivotal Tracker team monitors various sources, including internal VMware IT security announcements, for new discoveries of such vulnerabilities, and takes immediate action to address any that affect Tracker.
Security patches and updates are applied continuously, and we have enabled automatic maintenance updates for our GCP resources.
HOW IS PIVOTAL TRACKER TESTED FOR POTENTIAL SECURITY VULNERABILITIES?
VMware periodically uses third-party security firms to perform security assessments of Tracker. These assessments are performed at a minimum of once a year. Any resulting findings are prioritized and addressed according to VMware’s policies and industry best practices. Although specific results from these assessments cannot be provided to customers, upon request VMware may share information with customers about its testing methodology and scope of its security assessments.
Due to the multi-tenant nature of the environment, customer security assessment of Tracker is not permitted.
If you have any questions about the security program for Tracker, contact us at email@example.com.
WHAT DEVELOPMENT PROCESS DOES THE PIVOTAL TRACKER TEAM FOLLOW?
The Pivotal Tracker development team follows Pivotal Labs agile development practices, based on the Extreme Programming methodology. All code is test driven, leading to very high test coverage, and all developers work in pairs (two developers, one computer) as the default. We run tests and builds continuously, using Continuous Integration and Continuous Delivery (CI/CD) tools and practices. Pivotal Tracker and GitHub are used for all software development, providing a fine-grained, living audit trail of all product decisions, resulting code changes, and releases to the production environment.
All Pivotal Tracker development and operations work is done in-house; we do not utilize any outsourcing.
IS PIVOTAL TRACKER CERTIFIED TO ANY DOCUMENTED STANDARDS (E.G., ISO 27001, SSAE16 SOC-1, SOC-2, GSA, PCI, OR HIPAA)?
Although Pivotal Tracker is PCI compliant, we do not currently conform to any other formal process documentation standards or certifications.
HOW CAN I GET MORE INFORMATION?
For any questions or additional information, please email firstname.lastname@example.org.
Disclaimer: This document is provided for informational purposes only and represents VMware’s current offerings as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of VMware’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from VMware, its subsidiaries, affiliates, suppliers or licensors. The responsibilities and liabilities of VMware to its customers are controlled by VMware agreements, and this document is not part of, nor does it modify, any agreement between VMware and its customers.