International data protection with EU-entities of US-headquartered IaaS providers

The General Data Protection Regulation (GDPR), a legal mandate across the EU, requires enhanced protection for EU personal data transferred to countries with inadequate levels of data protection safeguards—including the US. The EU-US Privacy Shield, which was in place until 2020, facilitated these protections but was invalidated by the Schrems II ruling as a result of US surveillance concerns. This meant that, based on EDPB-recommended security measures, data exporters had to implement additional protective measures to remain GDPR-compliant. So, what are the measures that can be taken to ensure personal data is protected? 

Both the European Data Protection Board and the EU Council of State recognize that encryption is an acceptable layer of security when transferring data to inadequate countries. Provided that the encryption keys are controlled by the EU customers. That’s why we encrypt customer data storage disks and, along with our IaaS providers, jointly manage the encryption keys from the necessary EU headquarters. However, our customers can also choose to encrypt their data at the application or database level, which also aligns with the EDPB-recommended security measures. 

Establishing additional guarantees with our IaaS providers

To further bolster our data protection measures, we put in place the necessary Standard Contractual Clauses with our IaaS providers with “Additional Guarantees” which details supplementary security obligations to reflect the Schrems II concerns. As a result, as outlined in our Transparency Report, we did not receive any data requests such as National Security Letters, FISA orders, or Cloud Act orders in 2022. A result we want to continue to drive in the years to come. 

Collectively, these measures fortify our servers’ defense against cyber threats and unauthorized access. While GDPR compels providers to adhere to rigorous standards in safeguarding user data. This robust legal framework ensures that personal information is handled with the utmost care and transparency, offering individuals greater control over their data. 

Our choice of EU-headquartered IaaS providers

We choose to work with EU-based IaaS providers, including OVHcloud and Orange, which offer robust and secure alternatives for our sales operations. These providers prioritize data security through a comprehensive set of protective measures, such as: 

1. Access Control Lists to regulate data access.
2. Strong Encryption protocols to safeguard information.
3. Intrusion Detection Tools to proactively identify threats.
4. Rigorous Logging Practices.
5. Data Backup routines.
6. Employ Anti-Malware defenses.
7. Firewalls for network security. 
8. Multi-factor authentication. 

If you would like to know more about our privacy and security measures, head over to our Trust Center.