Because data is our business, we take our data responsibilities seriously – including compliance with all data security and privacy regulations, such as the General Data Protection Regulation (GDPR). In accordance with GDPR, you have “the right to be forgotten” in terms of asking us to delete all information about you that currently resides in our business systems.
If you want erwin to delete your information, please email us at email@example.com.
erwin, Inc. (“erwin”), as a software-as-a-service (SaaS) and hosting services provider, acts only as a data processor with respect to the personal data processed pursuant to the contract between the customer, as data controller, and the service provider (erwin), as processor. The data controller retains the overall responsibility for the data that is placed into any of the SaaS or hosted platforms. erwin, in its role as data processor, will carry out its responsibilities to ensure the data remains secure, with technical and operational controls in place.
erwin limits the amount of personal data it stores, in its role as processor, to just the data that is needed for a user to be able to access and use the service/system being provided as part of the contract. This often just means a username and corporate email address, to allow a user record to be created within a SaaS or hosting system. Once this is no longer needed, the user can be removed or anonymised, meaning that no personal information will remain, and the record will be changed to a non-identifiable number/string. From a privacy perspective, any other personal data stored within the service content itself is under the control of the customer (the controller of service data), with erwin acting as the data processor. This means that throughout the time that a customer subscribes to the SaaS or hosting services with erwin, the customer retains ownership of and control over service content within its platforms.
To offer these services for SaaS and hosting, erwin uses certain subprocessors and subcontractors. A subprocessor is a third-party data processor, used by erwin, that potentially has access to process data placed within the service by the customer. erwin engages different types of subprocessors to perform various functions, as explained in the table below. erwin refers to third parties that do not have access to process data in the service, but that are otherwise used to provide the system/services, as “subcontractors” and not subprocessors.
erwin undertakes a due diligence process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that potentially may have access to process data within the service. This is done annually, as part of erwin’s ISO27001 activities.
erwin requires its subprocessors to satisfy obligations equivalent to those required of erwin (as a data processor) as set forth in erwin’s Data Processing Agreement (DPA), including but not limited to the requirements to:
erwin makes use of a few subprocessors to supply the infrastructure used to host service data submitted to the SaaS and hosting services offered. Currently, the erwin production SaaS systems consist of multi-tenant systems, hosted in data centers in the United States and London, and single-tenant systems (SaaS and hosting), hosted in any of the MS Azure or AWS data center locations selected by the end user.
Subscriber accounts are established in one of these regions based on where the subscriber company chooses the base data location to be; the subscriber’s service data subsequently remains in that region unless agreed between subscriber and erwin but may be shifted among data centers within a region to ensure resiliency and availability of the services. The following table describes the subprocessors engaged in the storage and delivery of SaaS and hosting services.
| Entity Name | Entity Type | Entity Country |
|---|---|---|
| Amazon Web Services, Inc. | Cloud Service Provider and associated services | United States |
| Microsoft Azure | Cloud Service Provider and associated services | United States |
erwin works with certain third parties to provide specific functionality within the services. These providers are the subcontractors set forth below. To provide the relevant functionality, these subcontractors do not directly access data that the customer places into the service, but they may have access to surrounding personal data to be able to deliver their function.
| Entity Name | Purpose | Applicable Services | Entity Country |
|---|---|---|---|
| Zendesk | erwin uses Zendesk for its SaaS support and ticketing system. erwin customers create accounts directly in the system, with an email address and username. | | |
Zendesk has access to subscribers’ and end users’ information as needed to allow us to communicate back and forth on bug tickets, enhancement requests and answer any other questions raised. The only information Zendesk has access to for this purpose is end-user name and email address.
Any personal data that we store within the systems that offer SaaS or hosting/BYOL services does not leave the region in which the chosen core data center is hosted. We may back up systems within another availability zone, but these will still be within the same geographical region. We host on Azure and AWS, and they both guarantee that data will not leave the regions that we specify.
See section 2.8 on the terms of service: https://erwin.com/terms-of-service/.
We offer multi-tenant SaaS web platforms in the United States and the United Kingdom that have a defined data location, along with a single-tenant option, for both SaaS web and hosting/BYOL platforms, that allows the customer to choose the core data center location.
The personal data stored within the systems that offer these services is retained as part of the contract with the data controller purchasing the service from erwin. The personal data will be kept for the duration of the service contract/subscription, unless removed by the data controller beforehand. There may be an extension requested by the data controller, of up to 30 days after the end of a service contract/subscription, where the data can be restored, to aid in data export activities. After the 30-day extension, the data will be permanently removed from the system.
erwin undertakes to implement the following general security principles:
Some of the technical security measures that erwin undertakes as part of its SaaS/Hosting/BYOL services are:
More information can be found at https://help.myerwin.io/security_response.
erwin SaaS and hosting/BYOL environments and processes are annually audited to the ISO27001 standard, by an independent third party. erwin also performs continual due diligence activities on its infrastructure suppliers, AWS and MS Azure, including the physical and environmental security of hardware and data centers, so its customers can take advantage of the rich array of certifications they possess.