Infrastructure FAQ

When should I notify privacy@?

All changes which may require an update in our terms or other privacy related documentation need to be reported to privacy@apache.org. In best case, with some time between announcement and change.

Examples for changes which may require privacy policy updates:

• adding a new service, like webhost server company
• removing a service, which may not be any longer in the terms
• changes to logfiles, in example when IP addresses are logged (which werent’t before)
• moving data with PI to other services like a managed service
• a new domain was registered, transferred or removed

Other notifications may be sent when:

• another office or committee requests user data from infra, which they may not access (like running analytics on diversification with a 3rd party)
• a security issue happened and user addresses and password have been stolen (data leaks in general)

No notification is required when:

• new VMs are started or reorganized with companies which we already have an DPA for
• data is migrated from an outdated database version to a new version
• a CDN is setup with a company which we already have a DPA for and which is already mentioned in the terms
• a new project subdomain was created or removed
• a new user account was created or removed