Sentry and Your Data

Sentry uses several measures to ensure that customer data is protected in compliance with the GDPR, even when processed within the US.

• Security. We’re proud of our robust security framework. We have achieved international compliance standards (SOC2 and Privacy Shield) and conduct regular external audits and pen-tests.
• Encryption. All data sent to Sentry is encrypted at rest. Sentry also sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application.
• Data scrubbing. Our Data Scrubbing option also allows you to scrub any personally identifiable information (PII) from your data, to ensure that PII doesn't get sent to or stored on Sentry's servers.
• Data retention. We only retain event data for 90 days by default. Post-retention, all event data and most metadata is eradicated from the service and from the server without additional archiving.
• Supplier commitments. We require our subprocessors to enter into GDPR-compliant data processing agreements with us to ensure that customer data will remain protected in accordance with the GDPR and our commitments to you.
• Government requests. We also provide our customers with a number of assurances about government requests for data. You can read more about our approach to data requests below.

Read more on our Security page.

Sentry considers any government request for data very carefully. This includes both requests from law enforcement as well as national security agencies. As a policy, we only respond to requests that legally compel us to do so – for example, if we received a court order, subpoena, warrant, or other valid legal process that legally requires us to provide access to the data. We will also notify you of any requests received except when legally prevented from doing so.

Take a look at our transparency report for more information.

No. Although the CJEU invalidated the EU-US Privacy Shield, it didn't say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU — including to the U.S. — so long as they implement adequate data protection safeguards. There has been a lot of confusion on this topic, so we want to take a moment to explain.

Firstly, the CJEU said that the SCCs can be used to transfer data.

Secondly, it said that companies relying on the SCCs (the "data exporter" and "data importer") must assess whether the data which is subject to the transfer will remain protected according to EU standards.

In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on "additional measures" (also referred to as "supplementary measures") alongside the SCCs. Like many other US companies, we eagerly await further guidance from EU regulators and the European Data Protection Board (EDPB) that we hope will provide more clarity on what these "additional measures" should look like.

In the meantime, we are pleased to be able to provide our customers the SCCs and other additional measures as described in these FAQs, on our Security page, and in our Data Processing Addendum.

Yes. We want to reassure you that Sentry is committed to protecting your data and complying with the GDPR. The Schrems II decision does not affect the strong data privacy protections we have put in place to ensure that customer data remains protected when it is transferred to, and stored in, the U.S.

Before Schrems II, Sentry relied on the Privacy Shield to receive customer data from Europe. From now on, we'll be making use of the SCCs to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.

Our standard Data Processing Addendum automatically incorporates the SCCs.

To accept the DPA, follow the instructions above.