Spot and General Data Process Regulation (GDPR) Compliance

All You Need To Know About Spot’s Data Policies Regarding The GDPR Changes

What Exactly is GDPR?

GDPR has been one of the biggest changes in data privacy laws in decades, and an important step to protect consumers in the digital age. It is designed to protect individuals from having their personal information misused by companies and generally increases and enhances the rights of citizens to their privacy. While it is an EU regulation, it affects any company which does work in the EU, regardless of where their base of operations is. It came into effect on May 25th, 2018.

Spot is proud to state that all Spot products fully comply with all of the new GDPR regulations.


Some Key GDPR Impacts


There are many things covered in the GDPR, but some of the most important aspects come under the new parameters for consent, increased accountability and the widening of what is deemed “personal data”.

  • “Personal data” now refers to every and any piece of data that is connected to an identifiable individual, whether this identifying is direct or indirect. It includes email addresses, phone numbers, photographs, bank account details and more.
  • Using or storing personal data will now have to be done with the explicit permission of the individual in question, no longer allowing companies to use automatic opt-ins in any form. Personal data required for the completion of contractual obligations is permitted to be stored (i.e. for confirmation emails or invoices) but clear consent will have to be given for data stored for other reasons.
  • Any personal information stored will also have to have a clear and auditable trail leading back to the exact means of consent given for the data’s collection. Failure to comply with GDPR regulations can lead to a fine of as much as €20 million or 4% of a company’s annual global revenue, whichever is larger.

For more information, check out the ICO’s more comprehensive guide to GDPR.


How Does GDPR Impact Spot Customers and Users


In short, it doesn’t – Spot’s platform fully complies with GDPR. Because the platform does not have access to the underlying data, all of the workloads you run via our platform are completely private and Spot is fully aligned with GDPR compliance regulations. Our products (Elastigroup, Eco, Ocean, Managed Instance, etc.) operate without using or storing any personal data. The personal data that our platform stores isn’t vital to the working of our products. The data we use when handling Instances is a ‘role ARN’ (which is the name of the resource) and AWS tokens, neither of which are personal or give us any access to see what running on the instances we provision.

As far as the algorithm which Spot uses to predict terminations of spot instances, this also runs without using any personal data. It analyses vast quantities of metadata concerning the running of VMs (i.e. “m4.xlarge was interrupted in AZ X, region Y at time Z”), none of which can be used to identify an individual, and therefore is not personal data.

Naturally, we are not totally exempt from being affected by GDPR. We do store contact details for the purposes of invoicing and customer service and need to comply with GDPR’s mailing list regulations (which we do!), but as far as it affects customers using our platform – there is no impact.

We are confident in our GDPR compliance and ability to ensure any customer or prospective customer that we will meet their compliance needs. For more information about Spot and GDPR, check out our GDPR FAQ. If you have more specific questions, please feel free to contact with any data or privacy concerns.