On July 28, in a ruling privacy experts had long predicted, the Court of Justice of the European Union in its Schrems II decision struck down the Privacy Shield framework. While the decision has forced many companies to rebuild their privacy policies on the fly, the more stringent policies adopted by Platform.sh to comply with international data protection regulations have kept it protected from the fallout of the Privacy Shield invalidation.
Privacy Shield is the data transfer mechanism that was supposed to provide the legal protection authorizing transatlantic transfers of European users’ data. For years, companies relied on it to evade the exacting requirements of the EU General Data Protection Regulation (GDPR). The court ruled that companies relying on Privacy Shield were not to be afforded a grace period to bring their data protection policies into compliance with the Schrems II ruling, leaving these companies scrambling and their customers in confusion.
Platform.sh and its customers, however, have nothing to worry about. Recognizing the regulatory weaknesses of Privacy Shield, Platform.sh has instead relied on Standard Contractual Clauses (SCCs) issued by the European Commission to permit the transfer of personal data to processors outside of the EU. In its Schrems II ruling, the court affirmed that SCCs remain a valid mechanism.
All our customer data is protected by SCCs. Platform.sh has executed SCCs with our cloud providers, including AWS, GCP, Azure, OVH, and Orange. We’ve also undertaken a review of our other suppliers; none of them rely on Privacy Shield.
In addition, we’ve taken measures such as encryption in transit and encryption at rest to further protect our customer data. We are also audited by a third party and hold SOC 2 Type 2 and PCI DSS Level 1 certifications.
If you have any questions about our data privacy policies, please visit our Security and Compliance page.