Last updated: Feb 18, 2025
European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the EU GDPR it forms part of the laws of the United Kingdom (“UK GDPR”) by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing (together, the “GDPR”) and Switzerland require Sauce Labs to provide additional and different information about its data processing practices to data subjects in the European Economic Area (“EEA”), the United Kingdom and Switzerland (collectively, “EEA+”).
Scope
If you are located in the EEA+ and access our Services or we collect, transmit, capture, or otherwise process your personal data, this Supplemental EEA+ Privacy Policy applies to you.
This Supplemental EEA+ Privacy Policy does not apply where:
You are not in the EEA+; or
Sauce Labs acts as a Processor and not a Controller.
Sauce Labs acts as a Processor on behalf of our customers, where we process personal data contained in their Customer Data (as defined in the Sauce Labs Terms of Service) to provide our services to them. In these cases, we process that personal data on their behalf under the terms and conditions of our type: asset-hyperlink id: 752TpOq9zzeWUH1b52xoHN.
Who is the Controller?
If you are using our Services, the Controller is Sauce Labs Inc, 450 Sansome Street, 9th Floor, San Francisco, California, 94111 USA +1-855-677-0011.
If you are communicating with the personnel of a Sauce Labs entity in-person or via phone, email or mail, the controllers are Sauce Labs Inc., the Sauce Labs entity with whom you are communicating and any other Sauce Labs entity with whom you or your organization does business.
What Are Our Legal Bases for Processing Personal Data?
We process your personal data on several different legal bases, as follows:
Contract Performance: We process the personal data of users of our Services as necessary to perform our contractual obligations to such users or take steps at such users’ request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
Legitimate Interests: We process the personal data of users of our Services as necessary to pursue the following legitimate interests, pursuant to Article 6(1)(f) of the GDPR: To provide users with a good user experience, to maintain and secure our Services, to manage and secure our events, to understand our users so that we can tailor our communications and services, including our marketing communications, to them, and to support and provide requested services and information to our users or customers. In these cases, we will ensure that your privacy and other fundamental interests do not override our legitimate interests.
Legal Obligations: If we are subject to a lawful access request, engaged in a legal proceeding or suspect a user of illegal conduct, we may need to process your personal data as necessary to comply with relevant laws, regulatory requirements and to respond to lawful requests, court orders, and legal process, pursuant to Article 6(1)(c) of the GDPR.
Consent: If we are required to obtain your consent to send you marketing communications, place certain cookies on your device, or engage in other processing activities associated with the Services, we may perform such processing on the basis of your consent if you have provided it, pursuant to Article 6(1)(a) of the GDPR. In such cases, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In such cases, providing your consent is voluntary, but we will not be able to provide you with a service for which we require your consent until we obtain such consent.
Vital Interests: In extenuating circumstances, we may need to process your personal data to protect the vital interests of you or another natural person, pursuant to Article 6(1)(d) of the GDPR.
We have set out below the legal bases we rely on in respect of the relevant purposes for which we use your personal data, as further described in ‘How Do We Use Your Personal Information?’ in the Privacy Policy.
Data Types | Purposes | Legal Bases |
Contact Data | To communicate with you in relation to your account | Contract Performance |
| To provide you with marketing communications, promotional offers and updates on new products and services | Legitimate Interests We have a legitimate interest in promoting our operations and goals as an organization and sending marketing communications for that purpose Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications |
| To administer, secure, optimize, and run a Sauce Labs event, such as SauceCon, and improve future events | Contract Performance to administer Sauce Labs events in accordance with the terms or rules thereof In respect of securing, optimizing, and running Sauce Labs events and improving future events, these promotions and contests: Legitimate Interests – we have a legitimate interest in promoting Sauce Labs events, including associated publicizing of our business and operations; and Consent – in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given promotional communications |
Account Information | To create an account for you or the organization for which you work | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks |
| To manage the account | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks |
| To fulfill your orders for products and services | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks |
Correspondence Data | To respond to any specific comments or questions you may have | Legitimate Interests We have a legitimate interest in responding to you where you have asked questions or made comments about our Services or Sauce Labs |
Technical Data and Usage Date | To provide, maintain, monitor, secure, debug, customize and optimize our Services | Legal Obligations Legitimate Interests We have a legitimate interest in ensuring the ongoing security and proper operation of our Services and associated systems and networks |
| To develop and improve our products and Services | Legitimate Interests We have a legitimate interest in providing you with a good service, which is personalized to you and that remembers your selections and preferences Consent, in respect of any optional cookies used for this purpose |
Publicly Available Information | To supplement the other personal data we hold about you in support of our sales and marketing activities | Legitimate Interests We have a legitimate interest in promoting our operations and goals as an organization and ensuring our marketing databases are accurate, relevant and up-to-date for that purpose |
Any and all data types relevant in the circumstances | To perform activities necessary to ensure compliance with applicable national, state, provincial and other applicable laws, and to respond to requests from government authorities | Legal Obligations Legitimate Interests Where Legal Obligations is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through cooperation with authorities. We may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our rights, property, and/or safety Vital Interests, where necessary in extenuating circumstances such as needing to protect the health or safety of a user or another natural person |
| To protect the legal interests, health or safety of a user, us, or other third parties, such as in the event of a complaint or dispute, or to perform credit recovery procedures or credit assignments to authorized third parties | Legal Obligations Legitimate Interests Where Legal Obligations is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our rights, property, and/or safety Vital Interests, where necessary in extenuating circumstances such as needing to protect the health or safety of a user or another natural person |
| Sharing amongst our Affiliates | Legitimate Interests We and our Affiliates have a legitimate interest in ensuring the effective and connected operation of our Group and to help to improve our and their services and business practices. |
| In the context of corporate events, we may share certain personal information in the context of actual or prospective business transactions (e.g., investments in Sauce Labs, financing of Sauce Labs, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of Sauce Labs. as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets | Legitimate Interests We and any relevant third parties have a legitimate interest in providing information to relevant third parties who are involved in an actual or prospective corporate event (including to enable them to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations). However, we would always look to take steps to minimize the amount and sensitivity of any personal information shared in these contexts as possible and as we consider appropriate in the circumstances. |
Where Do We Transfer Personal Data, and How Do We Protect Such Transfers?
We disclose your personal data only to recipients in the following jurisdictions outside of the EEA+:
Jurisdictions deemed by the relevant bodies to provide an adequate level of protection for personal data which is equivalent to that provided by applicable data protection laws in the EEA+; and
Other jurisdictions in circumstances where:
We have established specific appropriate safeguards, which are designed to give personal data effectively the same protection it has in the EEA+ – for example, standard-form contracts approved by the relevant bodies used for this purpose (e.g., the ‘Standard Contractual Clauses’ in the EEA, or the ‘International Data Transfer Agreement’ in the UK); or
We can rely on an exception, or ‘derogation’, which permits us to transfer your personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer; or
Participation in the Data Privacy Framework (DPF), as detailed below.
Subprocessors
To support delivery of our Services, Sauce Labs engages certain Sub-Processors to Process Customer Personal Data in accordance with the terms and conditions of the Sauce Labs Customer DPA (the “DPA”).
The Sauce Labs Trust Center contains important information about such Sub-Processors engaged by Sauce Labs from time to time to Process Customer Personal Data, including their functions, locations and contact information.
Please use the alert icon (depicted as a bell) in the Trust Center to receive updates to this Trust Center and our list of Sub-Processors.
Data Privacy Framework (DPF)
Principles
Sauce Labs complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Sauce Labs has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Sauce Labs has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.
You can ask for more information, including a copy of such appropriate safeguards, by contacting privacy@saucelabs.com.
Dispute Resolution
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sauce Labs commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Enforcement and Obligations
The Federal Trade Commission has jurisdiction over Sauce Labs’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
As described respectively in Annex I of the EU-U.S. DPF Principles, the Letter from the ITA regarding the UK Extension to the EU-U.S. DPF, and Annex I of the Swiss-U.S. DPF Principles, an EU, UK, or Swiss individual has the option to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF Principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”).
The Accountability for Onward Transfer Principle explains that to transfer personal information to a third party acting as a controller, a participating organization must, among other things, comply with the Notice and Choice Principles. The Recourse, Enforcement and Liability Principle explains that, in the context of an onward transfer, Sauce Labs has responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Sauce Labs shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Sauce Labs will always grant access to individuals regarding personal information about them that the organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Sauce Labs makes available the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, Sauce Labs shall always enter into a contract with the agent.
Lawful Requests from Public Authorities
Sauce Labs is, like all individuals and entities, obligated to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements, and may disclose personal data to meet these requirements. In relation to this, Sauce Labs upholds the importance of fundamental privacy protection of user data, constitutional guardrails and judicial oversight of government data collection and surveillance.
Sauce Labs is committed to maintaining customer privacy and confidentiality. All legal process requesting access to personal data is carefully reviewed.
Sauce Labs construes legal process as narrowly as possible and challenges any request that has no legal basis or is unclear, overbroad, or otherwise inappropriate.
Wherever possible, we encourage third parties to obtain relevant data without our intervention.
Sauce Labs has further determined through thorough analysis that, while we are theoretically subject to a subpoena or an access request such as that under FISA 702, we have never received such a request, nor would expect to given the nature of our processing.
Data Protection Officer (DPO) and Supervisory Authority
Sauce Labs maintains a relationship with the following Data Protection Officer (DPO) via ISiCO Datenschutz, GmbH in Berlin:
Joanna Zielinska (zielinska@isico-datenschutz.de)
The application of relevant laws and regulations for Sauce Labs in Europe is governed by the Berlin Supervisory Authority:
Berlin Commissioner for Data Protection and Freedom of Information Berliner Beauftragte fur Datenschutz und Informationsfreiheit
Friedrichstrasse 219
10969 Berlin
Tel: 030/138 89-0
Fax: 030/215 50 50
mailbox@datenschutz-berlin.de
