by rswail
2426 days ago
OK, here's what we're saying (most of which is covered by the GDPR principles):

1. Telemetry of any kind from a self-hosted instance of your product MUST be opt-in. Telemetry from your SaaS SHOULD be opt-in.
2. The type and content of the data that is collected MUST be documented.
3. That data MUST only be collected by Gitlab under a privacy policy, and if it is collected by a 3rd party, that 3rd party MUST comply with the Gitlab policy. Changing a TOS at 30 days' notice doesn't cover it.
4. Under GDPR, any and all data collected MUST be available on demand to a customer. Even if Gitlab is not EU-based, you sell to the EU and are therefore covered by the GDPR.
5. The data MUST NOT be saved if the customer ends their relationship with Gitlab, and MUST be deleted on request of the customer if it is not required for the service to operate.
6. Under GDPR, the data MUST NOT be used for any purpose other than the documented purposes, and MUST NOT be saved beyond the period required.

These are basic privacy principles that apply to ANY business. Given that Gitlab operates on data that is highly sensitive (i.e. a corporation's IPR for their code, a corporation's requirement to also be compliant with GDPR, etc.), you should be operating to a HIGHER standard.