Rollbar and GDPR

If you are a company that collects and processes data from EU residents, you are likely a data controller and would be required to comply with the new EU General Data Protection Regulation (GDPR) coming into effect on May 25th, 2018.

The GDPR was enacted to strengthen the privacy and control EU residents have over their personal data. Part of that is achieved by extending certain data protection requirements that previously were only for data controllers to data processors as well.

As a data controller, you are now required to work only with GDPR-compliant data processors. Because Rollbar processes data on your behalf, we are a data processor to you and are directly obligated to comply with this regulation.

Rollbar treats all data received as potentially containing personal data, and only processes data that you provide to us for the purpose of monitoring errors in your applications.

Data Processing Agreement

Rollbar agrees to comply to all of the regulations as outlined in GDPR. Customers can now review and accept online the Data Processing Agreement (DPA) reflecting our commitment to GDPR compliance, by going to Account Settings → Security → Data Processing Agreement.

Review Data Processing Agreement

Data Encryption

Rollbar protects all users' personal data through encryption at rest and in transit. All raw data at rest are encrypted with disk-based encryption using industry-standard AES-256 GCM encryption algorithm, and all data in transit is sent through HTTPS (TLS) encrypted connection.

Learn more about encryption at rest

Data Retention

Rollbar allows paying customers to retain their error data only as long as is necessary for them. You can delete error occurrence data after a specified time period ranging between 7 to 180 days, by going to Account Settings → Security → Data Retention. Optionally you can opt to keep person and IP data even after the underlying occurrences are deleted.

Set your data retention policy

Data Scrubbing

Rollbar SDKs include data scrubbing filters that allow you to block or limit the amount of personal data sent to Rollbar. By default, the only person data collected by the SDKs is the person ID. You can opt in to collect person name and email addresses. You can also anonymize IP addresses before sending them to Rollbar.

Read the SDK docs for your language or framework

Person Data Deletion

In the event you receive a request from a user to exercise their right to be forgotten under GDPR and need to delete their personal data from Rollbar systems, you can do so by using our person deletion API.

Read the person deletion API docs

Data Protection Officer

Rollbar has designated a Data Protection Officer who adheres to all tasks as outlined by GDPR, and can be reached via privacy@rollbar.com for any questions or concerns.

More on Security & Compliance

Rollbar is HIPAA and ISO 27001 compliant, CSA STAR registered, and EU-U.S. Privacy Shield certified. To learn more about Rollbar's commitment to security and privacy, our security features, and the physical and administrative safeguards we have put in place, read our Security & Compliance policy.

Read our Security & Compliance policy

Common questions

Where does your data reside?Expand Question

I am a free user. What kind of data protection do I get?Expand Question

I'm not sure if I must comply with GDPR. Could you help?Expand Question

Can I see a copy of your Data Processing Agreement?Expand Question

What is Rollbar Compliant SaaS?Expand Question

I have other questions. How do I reach you?Expand Question

Start your 14-day free trial

Join 100,000+ developers, improving millions of software experiences