Spotinst & General Data Protection Regulation (GDPR)

All You Need To Know About Spotinst's Data Policies Regarding The GDPR Changes

What Exactly is GDPR?

Announced nearly 2 years ago, GDPR is the biggest change in data privacy laws since the early 90s, and a necessary step to protect consumers in our new digital age.

It is designed to protect individuals from having their personal information misused by companies and generally increases and enhances the rights of citizens to their privacy. Whilst it is an EU regulation, it affects any company which does work in the EU, regardless of where their base of operations is. It came into action on May 25th, 2018.

Spotinst is proud of the step forward in consumer protection, and even more proud to announce that all Spotinst products fully comply with all of the new GDPR regulations.


Some key GDPR changes


There are many things covered in the GDPR, but some of the most important aspects come under the new parameters for consent, increased accountability and the widening of what is deemed “personal data”.

  • “Personal data” now refers to any and every piece of data that is connected to an identifiable individual, whether the identification is direct or indirect. It includes email addresses, phone numbers, photographs, bank account details and more.
  • Using or storing personal data will now have to be done with the explicit permission of the individual in question, no longer allowing companies to use automatic opt-ins in any form. Personal data required for the completion of contractual obligations is permitted to be stored (i.e. for confirmation emails or invoices) but clear consent will have to be given for data stored for other reasons.
  • Any personal information stored will also have to have a clear and auditable trail leading back to the exact means of consent given for the data’s collection. Failure to comply with GDPR regulations can lead to a fine of as much as €20 million or 4% of a company’s annual global revenue, whichever is larger.

For more information, check out the ICO’s more comprehensive guide to GDPR.


How does GDPR impact Spotinst users?


In short, it doesn’t – Spotinst’s platform fully complies with GDPR. All of the workloads you run via Spotinst’s platform are completely private – as the platform doesn’t have access to the underlying data, Spotinst is fully aligned with GDPR compliance regulations. Our products (Elastigroup, Multai, Serverless, etc.) operate without using or storing any personal data. The personal data that our platform stores isn’t vital to the working of our products. The data we use when handling Instances is only a ‘role ARN’ (which is the name of the resource) and AWS tokens, neither of which is personal or gives us any access to see what is running on the Instances we provision.

As far as the algorithm which Spotinst uses to predict Spot terminations – this also runs without using any personal data. It analyses vast quantities of metadata concerning the running of VMs (i.e. “m4.xlarge was interrupted in AZ X, region Y at time Z”), none of which can be used to identify an individual, and therefore is not personal data.

Naturally, we are not totally exempt from being affected by GDPR. We do store contact details for the purposes of invoicing and customer service and need to comply with the new mailing list regulations (which we do!), but as far as it affects our customers using the Spotinst platform – there is no impact.

We are confident in our GDPR compliance and in our ability to assure any customer or prospective customer that we will meet their compliance needs in a post-GDPR world. For more information about Spotinst and GDPR, check out our GDPR FAQ. If you’ve got more specific questions, please feel free to reach out to cs@spotinst.com with any data or privacy concerns.