Let's just be clear.
You don’t need to send any personal data to Sentry in order to use our Sentry product.
Here’s how to minimize the personal data you send us.
Sentry distributes all SDKs in source code form. Customers can check an SDK’s code to see what data is sent to Sentry.
Sentry offers data scrubbing tools. Customers can use these to remove personal, confidential, or sensitive information from data sent to Sentry.
Sentry offers a standalone service that acts as a middle layer between a customer’s application and Sentry. Customers can scrub data in a central place before sending it.
For customers who do send personal data to Sentry, we offer a Data Processing Addendum.
You’ll find our DPA in the Legal & Compliance section of your organization's navigation menu in Sentry. It can be accessed and accepted by any Owner or Billing Contact within your organization.
To complete the DPA:
If you accept our DPA through the Sentry navigation menu, you can see who accepted it and when.
If you prefer a signed copy of our DPA, go to this DocuSign link and follow the prompts.
To ensure that customer data is protected as under the GDPR, our Data Processing Addendum incorporates the Standard Contractual Clauses.
In addition, our DPA also includes safeguards designed to address concerns raised in Schrems II.
Prior to the Schrems II decision (Case C‑311/18), Sentry relied on the EU-US Privacy Shield as the data transfer mechanism for EU data transfers. Now that the CJEU’s July 16, 2020 ruling that the Privacy Shield is an invalid data transfer mechanism, Sentry will rely instead on the Standard Contractual Clauses (SCCs) to transfer EU data to the U.S. Even as it invalidated the Privacy Shield, the CJEU confirmed in Schrems II that the Standard Contractual Clauses (SCCs) can be used to transfer data outside the EU in compliance with the GDPR.
Sentry uses several measures to ensure that customer data is protected in compliance with the GDPR, even when processed within the US.
Read more on our Security page.
Yes. The SCCs are contractual terms that allow companies to transfer and process data outside the EU in compliance with the GDPR. They were approved by the European Commission and are the primary mechanism for data transfers. You will find the Sentry SCCs in our Data Processing Addendum.
Sentry considers any government request for data very carefully. This includes both requests from law enforcement as well as national security agencies. As a policy, we only respond to requests that legally compel us to do so – for example, if we received a court order, subpoena, warrant, or other valid legal process that legally requires us to provide access to the data. We will also notify you of any requests received except when legally prevented from doing so.
Take a look at our transparency report for more information.
No. Although the CJEU invalidated the EU-US Privacy Shield, it didn't say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU — including to the U.S. — so long as they implement adequate data protection safeguards. There has been a lot of confusion on this topic, so we want to take a moment to explain.
Firstly, the CJEU said that the SCCs can be used to transfer data.
Secondly, it said that companies relying on the SCCs (the "data exporter" and "data importer") must assess whether the data which is subject to the transfer will remain protected according to EU standards.
In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on "additional measures" (also referred to as "supplementary measures") alongside the SCCs. Like many other US companies, we eagerly await further guidance from EU regulators and the European Data Protection Board (EDPB) that we hope will provide more clarity on what these "additional measures" should look like.
Yes. We want to reassure you that Sentry is committed to protecting your data and complying with the GDPR. The Schrems II decision does not affect the strong data privacy protections we have put in place to ensure that customer data remains protected when it is transferred to, and stored in, the U.S.
Before Schrems II, Sentry relied on the Privacy Shield to receive customer data from Europe. From now on, we'll be making use of the SCCs to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.
Our standard Data Processing Addendum automatically incorporates the SCCs.
To accept the DPA, follow the instructions above.
Unfortunately, we are not able to provide individual responses to requests for verification forms. However, we have specifically developed these FAQs to answer customer queries and concerns regarding Sentry's compliance with EU/UK data export laws. If you have any remaining questions, please get in touch with us at email@example.com.
Sentry’s Data Processing Addendum provides assurances that: (1) Sentry acts solely as a service provider (as that term is defined under the CCPA) on a customer’s behalf, (2) Sentry does not retain, use or disclose personal data for any purpose other than the purposes described in the DPA, (3) and Sentry does not “sell” Personal Data (within the meaning under the CCPA).
Sentry data is hosted on Google Cloud Platform, which encrypts all data at rest by default, in compliance with the Privacy Rule within HIPAA Title II. Sentry also exercises strong access control and technical and administrative safeguards in compliance with HIPAA’s Security Rule.
If you don’t believe us, believe the HIPAA attestation we’ve received.
Sentry can sign a Business Associate Agreement (BAA) with customers on qualifying plans. Please contact us to discuss.
You may request a copy of your personal data, make changes to your personal data, or delete your personal data by submitting a request to Sentry at any time through this request form.
We will do our best to respond within 48 hours.