Dear Jim and all, We took the decision to move to a third party specialising in ticketing systems rather than continue to update our in-house system. This was to accommodate growing needs for efficiency and functionality. We needed a more resilient system that would meet the needs of our 18,000-strong membership. We ask members not to attach privacy-related documentation and instead to submit it via secure RIPE NCC processes, i.e. the request forms available through their LIR account or via the contact form on the RIPE NCC website. By following these procedures, all documentation is stored securely on RIPE NCC servers. If sensitive personal information is attached to an email, we delete that information from Zendesk once the information is moved to RIPE NCC servers. We also made members aware of these changes well in advance of starting to use Zendesk: https://www.ripe.net/ripe/mail/archives/ncc-announce/2017-August/001189.html As was noted, Zendesk guarantees that it is GDPR-compliant and the services we use are located by contract on servers in the EU. This in itself mitigates some of the concerns that have been raised. Zendesk is a well-established provider of these services, and we believe that their solution is likely to be maintained. And although we believe the likelihood of this company failing to meet our needs in future is very small, we have considered the risk and believe we can make any changes to our processes that scenario would require. We'd like to note that the quoted sections of Zendesk's privacy policy refer to activities that take place on their website. The RIPE NCC mitigated these concerns by choosing not to use these elements of the Zendesk solution. We can continue the discussion at the RIPE NCC Services WG in Marseilles in May and we are happy to take feedback on our approach. Best regards, Andrew de la Haye Chief Operations Officer RIPE NCC On 28/02/2018 10:40, Jim Reid wrote:
On 28 Feb 2018, at 08:57, Hans Petter Holen <hph@oslo.net> wrote:
It would be far more constructive if you could share what is not appropriate in the privacy policy and why.
Hans Petter, I thought I’d already done that by quoting extracts from that policy.
In short, you are fodder for our marketroids (and those of our unnamed partners). We’ll use tracking cookies so advertisers can monitor you. We will spam you too. Oh and you agree your personal data will be thrown over the wall to unknown third parties. Have a nice day. [I lied about the last bit. :-)]
NCC services and the NCC should not be party to any of that. I’m surprised this needs to be explained.
Aside from that, I made a much more important point about outsourcing important functions to the cloud: what happens when the provider goes bust or changes their T&Cs or achieves lock-in?