Data Transfer Impact Assessment
Last updated on November 28, 2022
Overview:
The purpose of this document is to provide information to help Idera, Inc. and its Affiliates (a comprehensive list of Idera affiliates is available at /legal) (collectively the “Company”) customers conduct data transfer impact assessments (“TIAs”) for use of the Company’s products, based on the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board.
This document describes the legal requirements and obligations applicable to the Company in the United States, the safeguards the Company has put into place in regards to transfers of customer personal data from the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland ("Switzerland"), and the Company’s ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs").
For more details about the Company’s GDPR compliance please visit this page.
Data Transfers
Where the Company processes personal data governed by EEA, UK or Switzerland data protection laws as a data processor (on behalf of customers), the Company complies with the obligations under the Company (Customer Facing) Data Processing Agreement ("DPA") available via the link in the table below. The Company DPA incorporates the SCCs and the following Exhibits:
- Idera Affiliates Data Processing Terms; and
- Jurisdiction Specific Terms (collectively, the “Exhibits”)
The Company may transfer customer personal data wherever it or its third-party service providers operate for the purpose of providing you the Services. The locations will depend on the particular Services you use, as outlined in the chart below.
|
Idera Corporate Group Company Name
|
In what countries is Customer Personal Data stored?
|
In what countries is Customer Personal Data processed (e.g., accessed, transferred, or otherwise handled)? |
Link to the Company’s DPA |
Link to the Company subprocessors list |
Assembla, Inc. |
United States |
United States |
Universal Customer-Facing Data Processing Agreement Assembla Data Processing Terms Jurisdiction Specific Terms. |
Subprocessors List |
Travis CI Corporation and Travis CI GmbH |
United States |
United States |
Universal Customer-Facing Data Processing Agreement Travis CI Data Processing Terms Jurisdiction Specific Terms |
Subprocessors List |
Kiuwan Software, S.L. |
Ireland |
United States, India, Ireland |
Universal Customer-Facing Data Processing Agreement Kiuwan Data Processing Terms Jurisdiction Specific Terms.
|
Subprocessors List
|
Gurock Software GmbH |
United States |
United States, United Kingdom, Japan, Australia, |
Universal Customer-Facing Data Processing Agreement Gurock Data Processing Terms Jurisdiction Specific Terms
|
Subprocessors List |
Qubole, Inc. |
United States, Europe, India, Asia, Australia |
United States, Europe, India, Asia, Australia |
Universal Customer-Facing Data Processing Agreement Qubole Data Processing Terms Jurisdiction Specific Terms |
Subprocessors List |
apilayer Data products GmbH |
United States |
United States |
Universal Customer-Facing Data Processing Agreement Apilayer Data Processing Terms; Jurisdiction Specific Terms. |
Subprocessors List |
Xblend Software, Unipessoal LDA (Xporter and Xray) |
United States |
United States, Netherlands, Ireland, Malta |
Universal Customer-Facing Data Processing Agreement Xblend Data Processing Terms Jurisdiction Specific Terms |
Subprocessors List |
Perspectium Corp. and Perspectium UK Ltd. |
United States |
United States |
Universal Customer-Facing Data Processing Agreement Perspectium Data Processing Terms;Jurisdiction Specific Terms |
Subprocessors List |
BitTitan, Inc.; BitTitan UK Limited; BitTitan SG Pte, Ltd and BitTitan Pacific Pty Ltd. |
United States, Singapore, South Africa, Brazil, Australia, Japan, Ireland, China, France, Netherlands, United Kingdom, Germany |
United States, Singapore, South Africa, Brazil, Australia, Japan, Ireland, China, France, Netherlands, United Kingdom, Germany |
Universal Customer-Facing Data Processing Agreement BitTitan Data Processing Terms Jurisdiction Specific Terms |
Subprocessors List |
Filestack, Inc. |
United States |
United States, New Zealand, Australia, Canada, Germany |
Universal Customer-Facing Data Processing Agreement Filestack Data Processing Terms Jurisdiction Specific Terms. |
Subprocessors List |
Hexawise Inc. |
|
|
Universal Customer-Facing Data Processing Agreement Hexawise Data Processing Terms; Jurisdiction Specific Terms. |
Subprocessors List |
Standard Contractual Clauses (“SCCs”)
Where personal data originating from the EEA, UK or Switzerland is transferred to the Company, the Company relies upon the SCCs implemented in 2021 to provide an appropriate safeguard for the transfer. To review a specific Company product’s DPA (which incorporates the SCCs) please refer to the applicable links in the table above in the column titled “Link to the Company’s DPA.”
Where customer personal data originating from the EEA, UK or Switzerland is transferred between one of the Company corporate group entities or transferred by the Company to a third-party subprocessors, the Company enters into SCCs with those parties.
U.S. Surveillance Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
- For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
- EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
- Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is the Company subject to FISA 702 or EO 12333?
The Idera corporate group companies, similar to most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be a RCSP. However, the Company does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, the Company is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. The Company does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that the Company processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
To date, the Company has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data.
Therefore, while the Company may technically be subject to the surveillance laws identified in Schrems II we have not been subject to these types of requests in our day-to-day business operations. More information on how the Company processes data subject access requests is available in the applicable Universal Customer-Facing DPA in Section 4 “Rights of the Data Subjects,” and in the "Jurisdiction Specific Terms document under Annex A, Section 3 “Applicability of Surveillance Laws to Idera.”
Technical, contractual and organizational measures applied to protect the transferred data
The Company utilizes many different vendors, tools, and processes to protect transferred data. Please refer to the applicable entity’s “Data Processing Terms” in the above table for a specific list of mechanisms.
The Company’s contractual measures are set out in our Data Processing Agreement which incorporates the SCCs. In particular, we are subject to the following requirements:
- Technical measures: The Company is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Agreement as well as the SCCs we enter into with customers, service providers, and between entities within the Idera corporate group).
- Transparency: The Company is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that the Company is legally prohibited from making such a disclosure, the Company is contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, the Company is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Organizational measures for securing customer data
The “Security and Risk Assessment Overview” document on the Company’s legal webpage under “Policies & Procedures” outlines the Company’s organizational measures for ensuring protection of customer data. Information regarding employee data privacy and protection training, data management, network and physical security, and many other measures can be found here. If you have a question regarding data protection that is not addressed in the documentation available on the Company’s legal webpage, please contact [email protected].
Implementation of supplementary measures
In light of the information provided in this document, including the Company’s practical experience dealing with government requests and the technical, contractual, and organizational measures the Company has implemented to protect customer personal data, the Company considers that the risks involved in transferring and processing EEA, UK and Switzerland personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as "data importer") or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
The Company will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA, UK and Switzerland.
Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Company product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from the Company and its affiliates, suppliers or licensors. The responsibilities and liabilities of the Company to its customers are controlled by the Company license agreements, and this document is not part of, nor does it modify, any agreement between the Company and its customers.
