Last updated: 1st March 2022
In this policy the following words have the following meanings:
- Us, our, we, the company means Structurizr Limited and our staff.
- Website means this website, at structurizr.com
- Software, services, or products means the software and associated services provided and developed by Structurizr Limited that may be supplied to you.
- Customer means you or your organisation and its staff, who have bought a paid subscription.
- Staff means your and our employees, workers, and sub-contractors.
- Personal data means any information relating to an identified natural person that is processed by us as a result of, or in connection with, the provision of the services; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- User data means any information that you or your staff have voluntarily provided to us in order for us to provide our service. This data may include personal data.
- Data Protection Legislation refers to the Data Protection (Jersey) Law 2018 (DPJL), and any other UK or European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
- Controller, processor, sub-processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures are used as defined in the Data Protection Legislation.
- ICO means the Information Commissioner's Office and any successor to it as data protection authority.
Our website is not intended for children and we do not knowingly collect data relating to children.
You as Data Controller, Structurizr Limited as Data Processor
You are responsible for the input of any user data collected, stored, and processed as a result of your use of our services. You acknowledge that, for the purposes of the Data Protection Legislation, you are the Data Controller and that we are the Data Processor. You will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of user data to us.
We shall, in relation to any user data processed in connection with the use of our services:
- Ensure that we have appropriate technical and organisational measures in place, to protect against unauthorised or unlawful processing of user data, and against accidental loss or destruction of, or damage to, user data.
- Ensure that all our staff who have access to and/or process user data are obliged to keep the user data confidential.
- Notify you without undue delay on becoming aware of a user data breach.
- Provide you with the right to erasure.
Personal data we collect
To fulfil your use of our services, you must provide us with certain personal data, including:
|Personal data stored||Why we require it||Special handling|
|Your e-mail address||
Your e-mail address is used as your Structurizr account identifier, for authentication purposes. Unless you explicitly opt-in to receive marketing e-mails (via your user profile page), we will only send you the following types of e-mails:
|Password||Website sign in/authentication.||Your password is stored using a one-way hashing algorithm, called bcrypt, with a random salt.|
|Your name||As a greeting in e-mail correspondence (optional).||None|
|Your address||For display on invoices.||None|
When you use this website as an authenticated user (i.e. signed in), we record some information about important events related to your user account or workspaces; including:
These audit logs are created to help us with security of the service, and to allow us to diagnose certain categories of problems (e.g. a user cannot sign in, or verify their account). Your IP address is a part of these audit logs.
Credit card details
Although we provide an online payment facility for purchasing our paid subscriptions, we do not collect this information directly. Instead, you are entering your credit card details into a PCI compliant form that is hosted by Braintree Payments. We have no access to your full credit card details.
We share your personal and user data for a very limited number of reasons in order to provide our service, engaging the following trusted third parties (sub-processors) to provide services on our behalf.
|Amazon Web Services||Personal data (e-mail address, hashed password, IP address(es), name, invoice address) and other user data (your workspaces).||We use Amazon Web Services for data storage (RDS and S3) and e-mail (SES).||
- AWS GDPR data processing addendum
- AWS Data Privacy FAQ
|IP address (when signing up and starting a subscription).||We use Google reCAPTCHA v2 to fight spam, abuse, and credit card fraud (e.g. carding attacks) on our site.||
- Data Processing and Security Terms (Customers)
We will not sell, rent, or share user data with third parties in other ways without your consent, unless we are entitled by law to do so.
We require all third parties to respect the security of your user data and to treat it in accordance with the law. We do not allow our third-party service providers to use your user data for their own purposes and only permit them to process your user data for specified purposes and in accordance with our instructions.
If we sell or merge our business, we may disclose your information as part of that transaction, only to the extent permitted by law.
Compliance with laws
We may collect, use, retain, and share your user data if we have a good faith belief that it is reasonably necessary to:
- Respond to legal process or to government requests.
- Enforce our agreements, terms and policies.
- Prevent, investigate, and address fraud and other illegal activity, security, or technical issues.
- Protect the rights, property, and safety of our customers, or others.
Please see Cloud service - Security for information about our server locations, and where your user data is stored.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Please see Cloud service - Security for the technical details related to password hashing, data encryption, etc.
We collect and retain user data submitted to Structurizr Limited in an identifiable format for the amount of time necessary to meet your request, provide our service, or fulfil our legal or regulatory obligations.
We will notify you and the Jersey Office of the Information Commissioner ("the JOIC") of a data breach where we are legally required to do so, within 72 hours of becoming aware of the breach.
You may review and update your personal data after signing in to your Structurizr account.
If you are using our service in the European Economic Area (EEA) and Switzerland you also benefit from certain rights granted by applicable law but subject to limitations therein. These rights include the right of access, rectification, restriction, opposition, erasure and portability, and the right not to be subjected to automated decision-making. If you want to exercise those rights or find out more, please contact us.
The right to erasure (the right to be forgotten)
We have a self-service process in place if you would like to delete your personal and user data.
- User data (e.g. workspaces): Use the "Delete workspace" button on the workspace settings page. This will immediately delete your workspace and is irreversible. We do not retain backups of your workspace data.
- Personal data: After deleting all of your workspaces, use the "Delete account" link on your dashboard to delete your account. This will immediately delete your account from our database. We retain a rolling 7-day backup of personal data in the form of database snapshots, and your personal data will purged from these backups after 7 days.
Users in the European Economic Area (EEA) and Switzerland have the right to lodge a complaint with the Supervisory Authority for data protection in their country, should they find that we did not appropriately address their question or concern.
We are registered with the Office of the Information Commissioner, Jersey, Channel Islands under the Data Protection Register. Our registration number with the Jersey Office of the Information Commissioner is 62007.
- Changes to data protection legislation and other laws which may affect this policy.
- Guidance issued by the ICO and others.
- Issues raised by our customers, users, or sub-processors.
Accordingly we suggest that you regularly check this page to ensure that you continue to be comfortable with the measures that we are taking to protect your privacy.
Can we use our own data processing agreement (DPA) and/or non-disclosure agreement (NDA) instead?
At this time, we are unable to enter into a user specific data processing agreements for a number of reasons:
- We are a small company, with thousands of users worldwide, and it's not practical for us to enter into specific agreements with individual organisations or users.