Sentry and Your Data
Let's just be clear.
Scrubbing Your Data
You don’t need to send any personal data to Sentry in order to use our Sentry product.
Here’s how to minimize the personal data you send us.
Sentry distributes all SDKs in source code form. Customers can check an SDK’s code to see what data is sent to Sentry.
Sentry offers data scrubbing tools. Customers can use these to remove personal, confidential, or sensitive information from data sent to Sentry.
Sentry offers a standalone service that acts as a middle layer between a customer’s application and Sentry. Customers can scrub data in a central place before sending it.
Data Processing Addendum (DPA)
For customers who do send personal data to Sentry, we offer a Data Processing Addendum.
You’ll find our DPA in the Legal & Compliance section of your organization's navigation menu in Sentry. It can be accessed and accepted by any Owner or Billing Contact within your organization.
If you accept our DPA through the Sentry navigation menu, you can see who accepted it and when.
If you prefer a signed copy of our DPA, go to this DocuSign link and follow the prompts.
The General Data Protection Regulation (GDPR)
We have updated our Data Processing Addendum to incorporate the new Standard Contractual Clauses. Please visit the links below for more details.
To ensure that customer data is protected as under the GDPR, our Data Processing Addendum incorporates the Standard Contractual Clauses.
In addition, our DPA also includes safeguards designed to address concerns raised in Schrems II.
Prior to the Schrems II decision (Case C‑311/18), Sentry relied on the EU-US Privacy Shield as the data transfer mechanism for EU data transfers. Now that the CJEU’s July 16, 2020 ruling that the Privacy Shield is an invalid data transfer mechanism, Sentry will rely instead on the Standard Contractual Clauses (SCCs) to transfer EU data to the U.S. Even as it invalidated the Privacy Shield, the CJEU confirmed in Schrems II that the Standard Contractual Clauses (SCCs) can be used to transfer data outside the EU in compliance with the GDPR.
Sentry uses several measures to ensure that customer data is protected in compliance with the GDPR, even when processed within the US.
- Security. We’re proud of our robust security framework. We have achieved international compliance standards (SOC2 and Privacy Shield) and conduct regular external audits and pen-tests.
- Encryption. All data sent to Sentry is encrypted at rest. Sentry also sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application.
- Data scrubbing. Our Data Scrubbing option also allows you to scrub any personally identifiable information (PII) from your data, to ensure that PII doesn't get sent to or stored on Sentry's servers.
- Data retention. We only retain event data for 90 days by default. Post-retention, all event data and most metadata is eradicated from the service and from the server without additional archiving.
- Supplier commitments. We require our subprocessors to enter into GDPR-compliant data processing agreements with us to ensure that customer data will remain protected in accordance with the GDPR and our commitments to you.
- Government requests. We also provide our customers with a number of assurances about government requests for data. You can read more about our approach to data requests below.
Read more on our Security page.
Yes. The SCCs are contractual terms that allow companies to transfer and process data outside the EU in compliance with the GDPR. They were approved by the European Commission and are the primary mechanism for data transfers. You will find the Sentry SCCs in our Data Processing Addendum.
Sentry considers any government request for data very carefully. This includes both requests from law enforcement as well as national security agencies. As a policy, we only respond to requests that legally compel us to do so – for example, if we received a court order, subpoena, warrant, or other valid legal process that legally requires us to provide access to the data. We will also notify you of any requests received except when legally prevented from doing so.
Take a look at our transparency report for more information.
No. Although the CJEU invalidated the EU-US Privacy Shield, it didn't say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU — including to the U.S. — so long as they implement adequate data protection safeguards. There has been a lot of confusion on this topic, so we want to take a moment to explain.
Firstly, the CJEU said that the SCCs can be used to transfer data.
Secondly, it said that companies relying on the SCCs (the "data exporter" and "data importer") must assess whether the data which is subject to the transfer will remain protected according to EU standards.
In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on "additional measures" (also referred to as "supplementary measures") alongside the SCCs. Like many other US companies, we eagerly await further guidance from EU regulators and the European Data Protection Board (EDPB) that we hope will provide more clarity on what these "additional measures" should look like.
In the meantime, we are pleased to be able to provide our customers the SCCs and other additional measures as described in these FAQs, on our Security page, and in our Data Processing Addendum.
Yes. We want to reassure you that Sentry is committed to protecting your data and complying with the GDPR. The Schrems II decision does not affect the strong data privacy protections we have put in place to ensure that customer data remains protected when it is transferred to, and stored in, the U.S.
Before Schrems II, Sentry relied on the Privacy Shield to receive customer data from Europe. From now on, we'll be making use of the SCCs to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.
Our standard Data Processing Addendum automatically incorporates the SCCs.
To accept the DPA, follow the instructions above.
Our transparency report is available here.
Unfortunately, we are not able to provide individual responses to requests for verification forms. However, we have specifically developed these FAQs to answer customer queries and concerns regarding Sentry's compliance with EU/UK data export laws. If you have any remaining questions, please get in touch with us at legal@sentry.io.
The California Consumer Privacy Act (CCPA)
Sentry’s Data Processing Addendum provides assurances regarding our compliance with the CCPA (as amended by the CPRA), including that (1) Sentry does not retain, use or disclose personal data for any purpose other than the purposes described in the DPA and (2) Sentry does not “sell” or “share” (within the meaning under the CCPA) personal data received under the DPA.
Health Insurance Portability and Accountability Act (HIPAA)
Sentry data is hosted on Google Cloud Platform, which encrypts all data at rest by default, in compliance with the Privacy Rule within HIPAA Title II. Sentry also exercises strong access control and technical and administrative safeguards in compliance with HIPAA’s Security Rule.
If you don’t believe us, believe the HIPAA attestation we’ve received.
Our Business Associate Amendment (BAA) is available to customers on a qualifying plan (Business tier or higher). You’ll find our BAA in the Legal & Compliance section of your organization's navigation menu in Sentry. It can be accessed and accepted by any Owner or Billing Contact within your organization.
Data Subject Requests
You may request a copy of your personal data, make changes to your personal data, or delete your personal data by submitting a request to Sentry at any time through this request form.
We will do our best to respond promptly.