Skip to main content
This post was originally published on the Platform.sh blog and reflects information from the time of publication.
As a Platform-as-a-Service (PaaS) that hosts web applications on the cloud, we take every measure necessary to protect our users’ personal data. Sounds pretty straightforward, right? However, due to the nature of our service offering, the fact we operate an Infrastructure Control Plane (which is defined further below), and the fact we provide a Customer Data Plane, our exact role as defined under the GDPR can be complex. Due to this complexity, we have adjusted our data processing agreement (DPA) Annexes to better reflect how Platform.sh operates under the European Union’s General Data Protection Regulation.

GDPR roles defined

First, a quick refresher for anyone who stumbled upon this article and is still unfamiliar with the General Data Protection Regulation, or GDPR, a set of privacy laws established by the EU that act to protect individuals’ personal data Under Article 7 of the GDPR, there are two main roles that handle personal data: a controller and a processor. A “controller” is defined as “a body that determines the purposes and means of the processing of personal data” while a “processor”’ is “a body that processes personal data on behalf of the controller.” In other words, a data controller would usually be a company that collects the personally identifiable information of its users (such as names, email addresses, physical addresses). This party is primarily responsible for protecting the privacy and rights of data subjects.
A data processor could be a third-party company that the controller uses to handle the processing of that controller’s data.

Platform.sh as a data controller

So, which one is Platform.sh? A data controller or a data processor? The answer is a little complicated, so let’s break it down. Platform.sh is a controller for the overall PaaS service—specifically, when we have a direct relationship with data subjects who are explicitly the users of Platform.sh. For example, when we collect a customer’s personal data, including their name, email address, and billing information for the purposes of creating a Platform.sh account for the customer, responding to support tickets they may submit, or billing for services we provide, we are acting as the data controller. Because the minimal amount of personal data we collect comes from our direct customers using our account systems, we also act as the controller for our Infrastructure Control Plane, where we use this information to establish and operate regions, provision services, and networks. The Infrastructure Control Plane is unique to Platform.sh and cannot be modified by our customers. The one exception is incoming connections that transit this infrastructure from the internet to our customer’s Cardholder Data Environment (CDE), which may hold personal data such as IP addresses or unencrypted URLs.

Platform.sh as a data processor

Platform.sh is also a data processor for the Customer Data Plane, where we provide the user with their own data and project environment. That user “determines the purposes and means” of processing personal data, if any, they add to their project environment, therefore acting as the data controller. Meanwhile, Platform.sh “processes this personal data on behalf of the controller” by storing said data, and erasing it at the user’s direction.

So, what’s changed in the DPA?

We made a few changes in our DPA Annexes. First, we realized that some of the information in the “description of processing” section applies when Platform.sh is acting as a data controller rather than a data processor. This caused some confusion because our DPA applies to our processing activities related to the Customer Data Plane when we are acting as a processor. So, we removed any information that applies to Platform.sh acting as a controller and moved that information to our Controller vs. Processor documentation. Please visit that page for details on how we may process your information as a data controller. The following reflects edits we made to our DPA to clarify Platform.sh processing as a data processor: In Annex I, we added a note that explains when Platform.sh is a controller and when Platform.sh is a processor. In Annex II, we made the following changes: We clarified that the category of data subjects whose personal data we process as a Processor are:
  • The data subject can be any person whose personal data is being collected by the controller and contained in the customer’s project environment.
We added a note that clarifies that while we do not know the categories of personal data, if any, contained in the customer’s project environment, we operate under the assumption that there is personal data and possibly even sensitive personal data in the customer’s environment. Thus, we implement necessary controls including technical, organizational, and security measures which are audited by third-party auditors. We updated the section describing how we may utilize sensitive data:
  • As a processor: if a Platform.sh customer chooses to store sensitive personal data in their project environment (with the caveat that we do not know what types of personal data are contained in the customer’s environment, but we operate under the assumption mentioned above).
We updated the “processing purposes” section to more accurately describe what we do with personal data when we are acting as a processor. The main takeaway is:
  • As a processor: we do not explicitly collect personal data nor do we decide what personal data a customer adds to their project environment. Our main processing purpose is to fulfill our contractual terms related to project hosting (for example: storage, code execution, backups, network traversal).
Lastly, we added the following situation to the “duration of processing” section:
  • Until deletion of all customer data pursuant to termination of the Customer’s subscription.

What does this mean for you?

If you are a PSH customer who processes European Economic Area (EEA) personal data, and you have agreed to our online Terms of Service, our EU DPA is part of your agreement and any updates made to the EU DPA are automatic, so no action is required on your end. The updates referred to in this blog post can be viewed here. If you are strictly bound by paper terms, please contact your customer representative to execute the updated DPA. And for more general information about our privacy and security certifications and standards, please visit our Trust Center.
Last modified on April 27, 2026