Database Performance Analyser and GPDR - What exactly does DPA keep? Could customer data be exposed?

Question

Morning Thwacksters,

A client of mine just asked me a very interesting question. With GPDR just around the corner, and said client having many databases monitored by DPA, including some which sit within a PCI environment, does SWI have a statement of compliance with GPDR for DPA?

In other words, given the information potentially available, could DPA store any customer information in it's historical data, resulting from it's monitoring of a given database, which could be made available to nefarious individuals via what is stored in the repository database(s), or in the Orion database itself?

According to the DPA Installation Guide, the DPA Repository Database "...holds the performance data that DPA collects", but it doesn't go into any detail as to WHAT is stored in this performance data set, and whether any of that performance data could contain anything potential compromising, such as parts of select queries which would have a subset of customer data, for example.

Disclaimer: I'm on site, and I don't have access to a DPA repository database at the time of writing, else I would have a look at the tables in an effort to answer my own question

Edit: Found this, which explains that SWI have deemend themselves compliant across the board for the MSP brand of products. Is there such a page for Orion?

https://www.solarwindsmsp.com/resources/gdpr

mandevil · Answer

There IS such a page for SolarWinds Core products.  In regard to SolarWinds compliance, please see the SolarWinds Readiness statement, https://www.solarwinds.com/general-data-protection-regulation-core-it

Additionally, the software products purchased from SolarWinds are products that customers use in an on-premise deployment, behind your firewall.  As a result, you control all of your data, not SolarWinds. By keeping the software and data in your infrastructure, it is you who decides how, where, and under which conditions data is stored.

SolarWinds US Affiliates have registered with Privacy Shield, which certifies its compliance with the following Privacy Shield principles with respect to the data we process on behalf of our customers in the EU and Switzerland:  Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. SolarWinds’s self-certification to the Privacy Shield will be subject to the investigatory and enforcement authority of the Federal Trade Commission.

We understand that this is a large issue for our customers and hope you find these materials useful.  Please let us know if you have any other questions.

silverbacksays · Answer

No problem davej​. It's an important question for a lot of us, as today is implementation day for GPDR. Maybe wabbott​ could help us?

davej · Answer

silverbacksays​ I'm happy I found your question. And your link to GDPR. I had similar questions.

Thanks

Dave