Replicated is super focused on data security and privacy (Security at Replicated - Replicated). We are also, VERY familiar with the GDPR regulations that are designed to protect the personal data of EU citizens (we wrote: EnterpriseReady GDPR Overview).
The entire premise of Replicated is to enable security/privacy focused enterprises with the means to deploy and integrate 3rd-party services without sharing sensitive data with the any additional application vendors. Therefore, the amount of personal data that Replicated handles is very limited by design, particularly from the end-customer (enterprise perspective, i.e. where Replicated would be seen as a “sub-processor” of a vendor’s data). No personal data ever leaves the on-prem environment, only machine/application metadata (see our data transmission policy).
Support bundles have support for collecting any information that the vendor specifies and also feature complex redaction options (generally used for secrets). The resulting output could potentially contain personal data & should always be run through a DLP tool before it is ever delivered to Replicated or the vendor to remove any sensitive personal data about the end customer or their clients.
Replicated will also sign a separate customer agreement and Data Processing Addendum for further compliance with privacy regulations.