SpiderOak's Compliance with GDPR
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation providing data protection for EU citizens, replacing the 1995 Data Protection Directive. In essence, it requires businesses that hold data to adhere to standards that SpiderOak has always maintained. In fact, we built our No Knowledge privacy environment specifically to handle the task of safeguarding our customers' data and privacy. As such, all of our products (SpiderOak One and Groups backup, Semaphor messaging, the Encryptr password manager, the Trusted Application Platform, and the Secure Application Updater) comply with the GDPR.
Although the GDPR only applies to people in the EU, we believe everyone deserves data protection. All of our customers of all of our products, regardless of citizenship or location, enjoy the same high standards of privacy and security.
SpiderOak's servers are located in the United States, so it is relevant to note that under the GDPR the transfer of personal data to a country outside the EU is allowed if the company provides appropriate legal safeguards, which SpiderOak always has. In our opinion, however, this focus on contracts, codes of conduct, and the destination country misses the point. While legal restrictions are good, history shows that you should not blindly trust your vendor or public authorities. For that reason, SpiderOak's products encrypt your files and messages before they leave your computer using encryption keys that only you hold. You don't have to trust us (or nosy third parties, or overreaching authorities) to obey the law, because no one but you is able to decrypt your data. That is the essence of our No Knowledge privacy environment.
Because our privacy environment long predates the GDPR, our compliance with it is not yet explicitly stated in our products or terms of service. As new versions of our products are released they will contain GDPR statements of compliance and disclosure messages, and we are updating our contracts and terms of service. Likewise for the moment we self-certify our compliance. As our customers' needs regarding GDPR evolve, we will introduce additional statements of compliance and disclosure. Please feel free to let us know what additional statements of compliance and disclosure you or your business or your clients need and how we can help you.
For information on our datacenter certifications, see Datacenter Locations and Certifications.
What User Data Does SpiderOak Have?
As a company, we keep very little information about our users. We have no cookies or tracking data on you, no location data, and we don't hoard personally identifiable information (PII) to sell. The only information we have is:
- Your name. If you provide this information to us, we have it. We take it at your word that the name you provide is your real name, but we have no way of verifying this. You can use an alias if you prefer.
- Your email address. If you provide your actual email address during account setup, it's in our records.
- Billing information. If you set up a subscription with us, our payment processor has that information. We might be able to see the last four digits of your card number, and possibly the country of origin for your card - but not always!
We silo all information. IP addresses are not located together with other PII such as email addresses or names, so you don't have to worry about there being spreadsheets or databases somewhere listing your name alongside your email address, IP address, or other PII.
We have information on our users in three places:
- Stripe, our payment processor. If you had an active subscription with us, Stripe is the payment processor used for those payments. The information found here is usually only going to be your email address and your card information, and perhaps your name. The card information isn't visible to us, and is encrypted by Stripe. We don't collect anything other than the billing information for your subscriptions, but because Stripe is used by a lot of online sites your data might be cross-referenced from another site which collects more information at checkout. If you used the same billing information on one of those sites, it might have fed into our records from the Stripe network. We can remove your information from our Stripe records upon request.
- Our marketing lists. Typically, these lists only contain your email address. We can remove you from our marketing mailing lists upon request.
- Our servers. Server records will contain the name and email address you provided at account creation, along with your billing history if you had an active subscription with us. Any data you may have uploaded to us was stored as an encrypted blob of data blocks, and you are/were the only person with the keys to unlock it. When an account is canceled, that data is removed from our servers and typically zeroed over before being overwritten by other users' data. Our server records cannot be removed for tax liability reasons. We have to retain billing records practically indefinitely, and there's no way to redact one part of the info from these records without removing everything. Again, we do silo information to help protect our users' PII.
Cancelling an account and "right to be forgotten"
If you decide to cancel your account, please follow the steps outlined in these support articles:
Once your account is canceled, you can contact our support team to request that your personal data be deleted. Please note that this is not possible on active accounts.
Further details on how SpiderOak handles personally identifiable information and user data can be found in the following pages, along with complete legal disclaimers: