Ask HN: Server providers missing from privacy policies?

[twa927]

I reviewed a few privacy policies of SaaSes and they don't mention third-parties that they obviously use, like:

- server providers (hosting)

- email sending services (like SendGrid)

- other SaaSes they use like error tracking, backup hosting (S3)

In many cases these SaaSes host personal data in unencrypted forms. Yet the privacy policies mention that they don't share these details with anyone.

Shouldn't they list all used third-parties?

[felicianotech]

That's a very good question. Many SaaS companies I know do encrypt their data. As you said though, there's many that don't. I think it might not be mentioned because why the hosting provider might indeed have access to the data, it's usually in their ToS that they do not inspect customer's data unless served a government order.

Maybe then a SaaS company can reasonable say, the hosting company isn't looking at the data thus it's not considered sharing with them. That's my thought behind it anyway. I'm interested in what others might think.

[twa927]

> Many SaaS companies I know do encrypt their data.

You can encrypt backups, but in many other cases you can't do it (sending emails, generating invoices) or it's too much work (error/log aggregators that can leak personal data).

[detaro]

Many policies have some catch-all clause saying that they share with services that are contracted to perform parts of the service, which would cover those.