
GDPR and Bonsai: An Overview of Your Data Privacy

Dru Sellers · May 03, 2018

Along with many of your favorite service providers, Bonsai will be taking a firm stance of support for the new GDPR (General Data Protection Regulation) legislation. We at Bonsai believe this is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. In essence, the GDPR requires internet companies to expose how they store and share data belonging to any EU citizen. The regulation will become effective and enforceable on May 25, 2018.

While this regulation specifically protects EU citizens, Bonsai has always been committed to the data privacy of its customers. As Internet users and developers ourselves, we appreciate the goals and ideals of this legislation, and find no reason to not apply the features we build for GDPR to everyone.

What is Bonsai doing about the GDPR?

From its beginning, Bonsai has been designed to store as little personal information as possible. We generally store things required to communicate with you without sounding like complete robots. Nonetheless, we did a thorough review of our data stores to make sure that nothing was hiding in our database tables.

We personally reviewed every table in our database. For those of you that are using PostgreSQL for your database, this was the SQL I used to manually inspect every column.

SELECT table_name, column_name, *
FROM information_schema.columns
WHERE table_schema = 'public'
ORDER BY table_name;
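
One way to shortlist columns for that kind of review, as an added example that is not Bonsai's own query: it matches column names in every non-system schema against a constructed list of personal-data keywords. The keyword patterns and category labels are assumptions to adapt to your own schema.

```sql
-- Added example: flag columns whose names suggest personal data.
-- pii_hints is a constructed keyword list (an assumption); extend it as needed.
-- Note: "_" in a LIKE pattern matches any single character, which only
-- makes these patterns slightly broader.
WITH pii_hints(category, pattern) AS (
    VALUES
        ('contact',   '%email%'),
        ('contact',   '%phone%'),
        ('identity',  '%first_name%'),
        ('identity',  '%last_name%'),
        ('identity',  '%full_name%'),
        ('identity',  '%birth%'),
        ('location',  '%address%'),
        ('location',  '%postal%'),
        ('location',  '%zip%'),
        ('network',   '%ip_addr%'),
        ('network',   '%user_agent%'),
        ('financial', '%card%'),
        ('financial', '%iban%')
)
SELECT c.table_schema,
       c.table_name,
       c.column_name,
       c.data_type,
       -- One row per column, listing every category its name matched.
       string_agg(DISTINCT h.category, ', ' ORDER BY h.category) AS matched_categories
FROM information_schema.columns AS c
JOIN information_schema.tables AS t
  ON t.table_schema = c.table_schema
 AND t.table_name   = c.table_name
 AND t.table_type   = 'BASE TABLE'        -- skip views
JOIN pii_hints AS h
  ON c.column_name ILIKE h.pattern        -- case-insensitive name match
WHERE c.table_schema NOT IN ('pg_catalog', 'information_schema')
GROUP BY c.table_schema, c.table_name, c.column_name, c.data_type
ORDER BY c.table_schema, c.table_name, c.column_name;
```

Name matching only produces a starting list: free-text, JSON and generically named columns can hold personal data without matching any pattern, so the full column-by-column review is still needed.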

Additionally, Bonsai has collaborated with our lawyers to ensure that we are able to fulfill every aspect of this regulation. Here are the measures we’ve taken in advance of our attorneys to meet the GDPR deadline:

  1. We have reviewed all of the data that we track about our customers, and identified what needs to be kept and what can be thrown away. This list will be incorporated into our application soon for your review.
  2. We have internally documented the flows of this data, and verified that all usage is needed for business operation. We then removed any data that was deemed unnecessary.
  3. We have removed any vendor that is either not planning to support GDPR or has no public stance on GDPR.
  4. We are improving security around the management and display of resource credentials, and are improving administrative workflows around system access for operational maintenance.
  5. We have identified all third-party cookies and removed those we no longer need or use. As an example, after review, we have decided to remove Facebook Pixel tracking.
  6. We reviewed our Privacy Policy, and are working to further clarify or update it where needed to satisfy new GDPR compliance requirements.

What do Bonsai Customers need to do?

GDPR identifies two roles for handling data: the Data Processor, a legal entity that processes personal data on behalf of the Data Controller, and the Data Controller, a legal entity that determines the purposes and means of the processing. As a customer of Bonsai, you will be in the role of Data Controller for the data loaded into Bonsai’s services, and Bonsai will be in the role of Data Processor. It’s important to keep this in mind when you are reviewing GDPR.

Among many other things, there are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Bonsai:

  1. Make sure your Terms of Service or Privacy Policy properly communicate to your users how you are using Bonsai (and any other similar services) on your website or app. We recommend you ensure your policies are up to date and clear to your readers.
  2. If you are in the European Union, you’ll likely want to sign a Data Processing Agreement (DPA) with Bonsai. We’re happy to do so. Working with outside counsel, we are building a standard DPA that will be available to all customers.

If you have any questions, please don’t hesitate to contact us at legal@bonsai.io.