GDPR, Sentry, and You

Richard Huffaker /

Data! As you know, it’s everywhere. Information about you. Your friends. Your customers. Your enemies. Flowing from computer to computer to computer and ensuring only the highest quality targeted ads about Star Wars branded glassware are presented to you on Facebook.

Ensuring your (and our) personal information won’t end up used for spammy or nefarious purposes is a noble thing to do. Which is why we’re legitimately excited about the European Union’s General Data Protection Regulation (GDPR).

If you’re unfamiliar with GDPR, you’ll definitely want to become familiar if you do business with anyone in the EU. Non-compliance can mean fines of up to €20,000,000 or four percent of a company’s yearly profits, whichever is greater. This is the EU, so note that that’s a €. Which means a fine of at least $25,000,000 at the moment, in case you’re in the US and an extra five million makes the difference between you caring or not. GDPR goes into effect on May 25th.

Sentry certainly cares. Of course, every company says they care about privacy, since no organization in its right mind would publicly claim it doesn’t care about privacy. “Your privacy can go straight to hell!” isn’t an endearing or winning message.

But we know we ask for a lot of information about your application. This information is valuable in enabling you to better debug problems and understand your customers, which is the sole reason we collect it at all. We realize that this requires great trust on your part and great responsibility on ours. That’s why we’ve long maintained GDPR level compliance with the data customers send us. Privacy Shield already covers a lot of concerns that both Sentry and our customers have. Visit our Security & Compliance page to see a full break down of our policies.

Legal & Compliance Page
Sentry's Legal & Compliance Page

It’s also why we’re taking two other steps with GDPR:

  • We’re applying it globally for ourselves, instead of just focusing on Europe. All customer data (and all our own much less significant marketing data) is treated in a way that conforms with GDPR.

  • If you’re dealing with any EU data through a vendor (like Sentry), then you need a contractual agreement in place with that vendor called a DPA — or Data Processing Addendum — so the EU knows you’re only doing business with GDPR compliant companies. We were inspired by the approach Google took with G Suite, and created a self-service DPA that you can fill out to make your organization automatically GDPR compliant with Sentry.

For the Sentry DPA, all you need do is accept it and it immediately changes our ToS. We track this consent and let you know exactly who in your org accepted it and when they did so. We provide fields where you can enter the (required) information for your EU representatives and your Data Protection Officer. If we ever change the DPA for some reason, we’ll also version it so you can see the difference between the past and new versions.

Data Processing Addendum
Accepting the Data Processing Addendum

You can find the DPA under the Legal & Compliance section on your Orgs home page. Complete it by:

  • Reviewing and Accepting the DPA itself
  • Adding your designated EU Representative’s info
  • Adding your designated Data Privacy Officer’s info
  • Double checking your company details (specifically, the legal name of your business)
Info about company representatives
Enter info for your designated EU Rep and Data Privacy Officer

If you process any data from the EU, be sure to review and agree to the DPA before May 25th. And if you have any questions about it, please reach out to our team of support engineers.

If you’d like more info about GDPR in general, TechCrunch wrote up an in-depth and useful explainer that they titled WTF is GDPR, apparently hoping everyone would think it was written by a cool teen from 2010.