Jamie's Blog

Ruby developer. CTO. Swimmer. Always trying to write more

A quick privacy audit of common web services

The issue of data protection and privacy was brought up recently so I’ve done a quick audit of our services to see which are compliant with the EU Safe Harbor standards. I’ve thought about this before but mostly at the superficial level (i.e., is the server hosting Safe Harbor compliant and/or hosted in the EU?) but it’s kinda scary when you think about all the other services we rely on:

Safe Harbor compliant

Google Drive
Linode
Postmark
Intercom
OnePageCRM (hosted on Amazon AWS, which is compliant)
Trello

Not currently compliant

Rollbar
One of the best features of Rollbar is that it will tell you exactly which user encountered the problem… but to do that you need to send it user-identifying information, and as an EU company you shouldn’t because it’s not Safe Harbor compliant.

When I asked, Brian Rue (CEO) responded: “We haven’t looked into this deeply but will do so soon; we definitely do intend to support it.” Good news, because I really like Rollbar.

An alternative to Rollbar is Bugsnag, but they’re not currently Safe Harbor compliant either. I’m awaiting a response. Another popular service is Honeybadger, though they aren’t compliant either and even explicitly make that your problem.

You can use these services without sending user information, but that cuts out a very useful part of the service: being able to reach out and support affected customers. And even then, the form parameters from the request will still be included in the report.
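As an added example (not code from the post or from any of these vendors), here is the kind of scrubbing step that needs to sit in front of an exception notifier for the reason just described: turning off person tracking does nothing for the form parameters, so they have to be redacted separately. It assumes a plain Ruby app and a hypothetical `build_report` helper standing in for the vendor SDK; the list of personal-data keys is an assumption you would extend for your own forms.

```ruby
# Added example: redact user-identifying form parameters before an error
# report leaves the EU. With "person" data disabled, the request params are
# still attached to the report, so they need their own scrubbing pass.

# Parameter names treated as personal data. Assumed list; extend it to match
# the forms in your own application.
PII_KEYS = %w[email name first_name last_name phone address
              password password_confirmation token].freeze

REDACTED = "[FILTERED]".freeze

# True when any underscore/dash-separated token of the key is a PII key,
# so `user_email` and `billing-address` are caught but `description` is not.
def pii_key?(key)
  tokens = key.to_s.downcase.split(/[^a-z0-9]+/)
  tokens.any? { |t| PII_KEYS.include?(t) }
end

# Recursively scrub a params structure (nested hashes and arrays included).
def scrub_params(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = pii_key?(k) ? REDACTED : scrub_params(v)
    end
  when Array
    value.map { |v| scrub_params(v) }
  else
    value
  end
end

# Hypothetical stand-in for the payload an exception notifier would send:
# person data is dropped entirely and request params go through scrub_params.
def build_report(exception_message, params)
  {
    message: exception_message,
    person: nil,
    params: scrub_params(params)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a signup form posted just before an exception.
  sample = { "user" => { "email" => "alice@example.com", "name" => "Alice",
                         "plan" => "pro" },
             "utm_source" => "newsletter" }
  p build_report("NoMethodError", sample)
end
```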

Slack
Why the hell does an (awesome) team chat room need to comply with these data protection standards? Well, Slack isn’t just about chat, it’s also about the integrations. We post notifications of errors, new user signups, etc. into various chat rooms and… yep, that includes user-identifiable information. In fairness, Slack responded positively on Twitter, so it looks like it will soon be compliant.

Zapier
Zapier lets you connect services together, so you can reasonably expect user-identifiable information to be processed by Zapier. I’m currently awaiting a response. [Update: not officially certified, but they believe they’re mostly compliant.]

Pivotal Tracker
What! My project tracker too? If you attach documents or user email addresses to issues, then yes. Pivotal Tracker isn’t currently Safe Harbor compliant but Trello is.

Help me out?

I’m still learning a lot in this area but, as you’d expect, the actual legislation is verbose and dense. If there’s any easier-to-grok guide for EU businesses/SaaS owners, please let me know!


Heroku is finally usable for EU companies:

22 Sept: Yay, Slack are now Safe Harbor compliant.

3 Dec: Rock and Roll…bar! Rollbar, my favourite exception notification service, will be compliant with EU data protection laws from 14th December.