Preparing for the GDPR

Written by Anna Burman

The General Data Protection Regulation (GDPR) is approaching and will set the bar high with regard to protecting the integrity of the individual in the EU. CloudMQTT is currently preparing our business for compliance. This post is intended to give our customers an update on our current status with regard to GDPR.

The General Data Protection Regulation (GDPR) is the new legal regulation for personal data, applying to all organizations operating within the EU (as well as non-EU organizations with customers who are individuals in the EU zone). The definition of personal data under GDPR has been boiled down to “any information relating to an identified or identifiable person”. The purpose of GDPR is to harmonize the data protection laws across all member countries of the EU to strengthen the integrity of the individual. The law will come into effect on May 25th, 2018.

GDPR applies to both data controllers and data processors. The data controller is the party who determines the purposes and the manner in which personal data is processed. The data processor is a third party that processes personal data on behalf of the controller.

What does this mean?
This means that CloudMQTT is both a data controller and a data processor. We are a data controller in the sense that we are storing personal data such as your email address and billing address. But as a cloud hosting company providing a service on which your data resides, our main responsibility is as a data processor, processing your data.

What is CloudMQTT doing?
We are currently working on becoming GDPR compliant. As part of this, we’re examining and updating our internal data systems and processes to make sure we’re compliant by May. We will also update our Terms of Service and Privacy Policy in line with the GDPR restrictions. We will send information regarding this to all our customers once this process is finished (which will be before May 25th).

Further, there must exist a Data Processing Agreement (DPA) between the data controller and the data processor in cases where the data controller is affected by GDPR. The data controller is affected by the GDPR if it is a controller of personal data of end-users in the European Union. The DPA lays out the foundation of the obligations of the data processing. Soon (sometime during the upcoming month), we’ll be releasing a DPA to allow our customers to continue to lawfully transfer EU personal data to CloudMQTT when the GDPR goes into effect. Once the DPA is available we will send an email to you.

How CloudMQTT handles your data
CloudMQTT doesn’t know what kind of data you are handling while using our service. We don't look at your data, and we don't copy your data to servers other than yours. All data is encrypted in transit and can be encrypted at rest for additional security, but such encryption has to be handled by you. Therefore, we don't (and will not) "manage" personal data, which means that if you send personal information in your messages, we will not know. However, we temporarily store the data you send us. The data you send us is only stored in RAM or on the hard drive until you've consumed the data again. This can be for a millisecond or a month, depending on when you decide to consume the data. Once the data has been consumed - it's gone.

What are the datacenters doing?
Find out what Amazon Web Services is doing with regard to GDPR here:

Terms of Service and Policies
Our Terms of Service, Privacy Policy, Security Policy, and Program Policy can be found here:

Further Information
If you have any questions regarding GDPR and your use of CloudMQTT, feel free to email

Please note that this post is for informational purposes only, and should not be considered legal advice.