(January 10, 2022)
Overview
This document is intended to provide information to help Contentstack’s customers conduct data transfer impact assessments in connection with their use of Contentstack’s products, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations of the European Data Protection Board.
This document describes the legal regimes applicable to Contentstack in the US, the safeguards Contentstack puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe"), and Contentstack's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs").
The transfer impact assessment(s) below identify and describe the risks associated with transfers of Customer personal data to third countries in cases where the Customer is the Controller (or otherwise), as well as any supplementary measures we have taken, or have required our vendors to take, to safeguard Customer Content. Our Data Processing Addendum is the contract that governs the transfer of personal data where the Customer is the controller of the data. Please see the Data Processing Addendum for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all such cases, the categories of data subjects are Contentstack customers and their authorized Users or, where specifically noted, end users.
The Court of Justice of the European Union (CJEU) ruled in Schrems II that a company intending to transfer data to a third country should conduct a case-by-case assessment of the laws and practices of that third country, so that data exporters can verify what security measures and safeguards apply to the data once it is there (Schrems II, paras 134, 146). More specifically, Transfer Impact Assessments aim to assess:
- the relevant aspects of the legal system of the third country to which personal data are transferred and the possibility of public authorities of that third country having access to that data;
- the relevant cooperation mechanisms under which data subjects are able to enjoy effective and enforceable rights and effective administrative and judicial redress.
The EDPB (European Data Protection Board) has placed emphasis on the thorough examination of the practices of third-country public authorities to ascertain whether such practices can hinder the efficacy of the SCCs. The rationale behind the Court’s decision to require TIAs (Transfer Impact Assessments) is that while SCCs bind data exporters and data importers in relation to data processing, they do not prevent public authorities from accessing the data transferred. An example is third-country legislation permitting government agencies or public authorities to gain access to any data transferred by EU entities. Such legislation has been termed ‘problematic legislation’ by the EDPB.
Problematic legislation is legislation that:
- imposes on the recipient of personal data from the European Union obligations and/or affects the data transferred in a manner that may impinge on the transfer tool’s contractual guarantee of an essentially equivalent level of protection, and
- does not respect the essence of the fundamental rights and freedoms recognized by the EU Charter of Fundamental Rights, or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives also recognized in Union or EU Member States’ law, such as those listed in Article 23(1) GDPR.
Step 1: Know your transfer
Where Contentstack processes personal data governed by European data protection laws as a data processor (on behalf of our customers), Contentstack complies with its obligations under its Data Processing Addendum (“DPA”). Contentstack’s DPA incorporates the SCCs and provides the following information:
- description of Contentstack’s processing of customer personal data and description of Contentstack’s security measures (Attachment 1)
Please refer to Attachment 1 to the DPA for information on the nature of Contentstack’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects. In general, we only collect personal data of the Users authorized by the Customer to use the services and upload data into them.
Please note that in some cases, the same data may be used by Contentstack both as a processor and controller.
We transfer data to a number of sub-processors. A list of all of our data sub-processors in connection with the services we offer, together with an RSS feed subscription that lets you stay up to date on changes, is available at www.contentstack.com/legal/sub-processors/.
We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Services as outlined in the chart below.
Contentstack Service | In what countries do Contentstack’s sub-processors store or process Customer Personal Data? | In what countries does Contentstack process (e.g., access, transfer, or otherwise handle) Customer Personal Data?
--- | --- | ---
Contentstack | United States and Ireland/Germany. Contentstack’s primary storage of data through a cloud sub-processor takes place in either the United States or in Ireland and Germany (the customer can pick one instance), but there are offices in the United States and the Netherlands and customer personnel in the United States, United Kingdom, Iceland, and Luxembourg. | United States, Iceland, Germany, Luxembourg, United Kingdom and India. Contentstack’s processing of personal data takes place in either the United States or in Ireland and Germany (the customer can pick one instance), but there are offices in the United States and the Netherlands and support personnel in the United States, India, Iceland, the Netherlands, Germany, the United Kingdom and Luxembourg who may need to process data. Contentstack’s sub-processors process data in the United States, Canada, Ireland and Germany, and additional support is provided by Contentstack’s subsidiary in India.
Contentstack Enablement Services | United States and Ireland/Germany | United States, Iceland, Germany, Luxembourg, United Kingdom and India
Step 2: Identify the transfer tool relied upon
Where personal data originating from Europe is transferred to Contentstack, Contentstack relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer. To review Contentstack’s Data Processing Addendum (which incorporates the SCCs), please visit the Data Processing Addendum.
Where customer personal data originating from Europe is transferred between Contentstack subsidiaries or transferred by Contentstack to third-party sub-processors, Contentstack enters into SCCs with those parties.
Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
U.S. Surveillance Laws
FISA 702 and Executive Order 12333
The following US laws (FISA 702 and Executive Order 12333) were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US.
FISA generally requires the government to apply for a court order with respect to each target of surveillance. FISA requires the government to include information in its applications that demonstrates that probable cause exists to believe that the target of surveillance is a foreign power or an agent of a foreign power. Such applications are made to, and evaluated by, the specialized FISC, which is comprised of sitting Article III judges who have been designated for that role by the Chief Justice of the U.S. Supreme Court.
Congress added Section 702 in the FISA Amendments Act (FAA) of 2008 to provide less restrictive procedures for acquiring foreign intelligence information targeting non-U.S. persons who are not within the United States. Surveillance under Section 702 is subject to supervision by the FISC, but the provision does not require the FISC to review individual targets of surveillance. Instead, under Section 702, the FISC reviews generally applicable targeting and minimization procedures and guidelines submitted by the U.S. Attorney General and the Director of National Intelligence to determine whether they are “reasonably designed” to: (1) ensure that surveillance only targets persons who are reasonably believed to be outside the United States; and (2) prevent the intentional acquisition of purely domestic communications. Once the FISC approves those procedures and guidelines, the government may issue directives to electronic communication service providers requiring them to provide the government with “all information, facilities, or assistance” needed to conduct the surveillance in a manner that does not undermine its secrecy.
The information must also be acquired from an “electronic communication service provider,” or with the assistance of such a provider. As used in Section 702, the term “electronic communication service provider” includes communications providers (such as telephone, email, or internet service providers (ISPs)) as well as remote computing service providers that provide “computer storage or processing services” to the public. Although Section 702 requires the target of surveillance to be outside the United States (e.g., an EU citizen in Europe), the information may be acquired from facilities within the United States, such as data centers operated by U.S.-based electronic communication service providers. If the government targets a non-U.S. person through an acquisition that occurs outside the United States, that acquisition would not necessarily be governed by FISA, including Section 702, but would still need to comply with E.O. 12333, as discussed in the following section.
For example, the government has used FISA 702 to implement downstream (previously referred to as “PRISM”) and upstream collection programs. In downstream collection, the government typically directs consumer-facing communications service providers—such as ISPs, telephone providers, or email providers—to provide all communications “to or from” a “selector” (e.g., an email address). Upstream collection similarly involves the collection of all communications “to or from” a selector, but the requests are directed at telecommunications “backbone” providers (i.e., companies that operate the long-distance, high-capacity internet cables that interconnect with ISPs’ local networks) and it does not involve collection of telephone calls. Under the government’s procedures, the National Security Agency (NSA) is the primary intelligence agency that collects data through the downstream and upstream programs, although the Federal Bureau of Investigation (FBI) and Central Intelligence Agency (CIA) also receive data from these programs in more limited circumstances.
Executive Order 12333
In its Schrems II decision, the CJEU also objected to surveillance conducted under E.O. 12333, United States Intelligence Activities, which addresses the organization and allocation of foreign intelligence surveillance responsibilities among elements of the U.S. Intelligence Community. E.O. 12333 addresses all U.S. foreign intelligence surveillance activities, including those which may fall outside of FISA’s statutory scheme, such as activities conducted overseas targeting non-U.S. persons. Under E.O. 12333, the NSA may “collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions.” As described in a 2014 report by the Privacy and Civil Liberties Oversight Board:
The government also conducts foreign intelligence surveillance outside of the United States against non-U.S. persons under the authority of Executive Order 12333. In some instances, this surveillance can capture the same communications that the government obtains within the United States through Section 702. And because this collection takes place outside the United States, it is not restricted by the detailed rules of FISA outlined above.
E.O. 12333 also includes some privacy protections generally applicable to U.S. foreign intelligence surveillance, but these do not appear to extend to non-U.S. persons. For example, with respect to surveillance conducted abroad, the order requires the Attorney General to determine that probable cause exists to believe that the target of surveillance is an agent of a foreign power, but only if the surveillance is against a U.S. person under circumstances in which a warrant would have been required for law enforcement purposes. Furthermore, the order also expressly states that it does not create any legally enforceable right or benefit against the United States. As a result, the CJEU found that EU data subjects did not have enforceable rights under E.O. 12333, and that the order did not include sufficient protections to limit surveillance to only what was strictly necessary.
Given the above:
- FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the US government’s White Paper on privacy safeguards following Schrems II.
In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protection afforded by the SCCs is respected and observed in the recipient country. According to the cover letter accompanying the White Paper, it outlines the robust limits and safeguards in the United States pertaining to government access to data as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”
The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.
The White Paper was prepared by the U.S. Department of Commerce in conjunction with the Department of Justice and the Office of the Director of National Intelligence. It begins by stating that as a practical matter, most U.S. companies do not deal in data that is of interest to U.S. intelligence agencies and therefore do not engage in data transfers that present the type of privacy risks that appear to have concerned the ECJ in Schrems II. And the “theoretical possibility” that a U.S. intelligence agency could access EU data is “no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.”
The White Paper next states that companies transferring data from the EU that have received orders requiring data disclosure to U.S. intelligence agencies may consider the applicability of the “public interest” derogation in Article 49 of the GDPR as a basis for those transfers. In support of this position, the White Paper describes the frequent sharing of intelligence information between the U.S. government and EU Member States to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. According to the White Paper, this information sharing “undoubtedly serves important EU public interests by protecting the governments and people of the Member States.”
The remainder of the White Paper focuses on relevant U.S. law and practice in light of the Schrems II ruling that reliance on SCCs requires companies to independently assess whether U.S. law ensures adequate data protection under EU law, including by providing additional safeguards where necessary. It focuses on the two sources of U.S. intelligence law that have been the focus of the ECJ, FISA 702 and EO 12333, and includes information not addressed by the Privacy Shield adequacy decision in 2016 and also new developments that have occurred since that time.
For FISA 702, the topics covered include supervision by the Foreign Intelligence Surveillance Court, individual redress for violations, additional privacy safeguards added since 2017, and a statement that FISA 702 is “essentially equivalent” to EU law because “data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU.” On EO 12333, the White Paper highlights that it does not require any disclosure of data to the U.S. government and that “bulk collection is expressly prohibited.”
CLOUD Act
What are the two major parts of the CLOUD Act?
The CLOUD Act contains two key parts. One part responds to foreign governments’ concerns about U.S. laws that restrict foreign law enforcement’s access to communications content held by U.S. service providers —restrictions that apply even when foreign governments are seeking to access data regarding their own nationals in the investigation of local crime. This part of the CLOUD Act authorizes the creation of bilateral executive agreements that would lift those restrictions and thereby enable foreign governments to access communications content directly from U.S.-based service providers, subject to a set of conditions.
The other key part clarifies the rules governing U.S. law enforcement access to data in the hands of U.S. providers. The following seeks to answer key questions and clarify the operation of both parts.
Executive Agreements and Non-U.S. Access to Evidence
How does the Stored Communications Act create obstacles for non-U.S. law enforcement to access evidence?
The Stored Communications Act (SCA) operates as a “blocking statute.” Except where a statutory exception applies, it prohibits U.S.-based service providers from disclosing communications content to a foreign government, unless there is a CLOUD Act agreement in place (as discussed below).
The SCA applies even if the non-U.S. government is seeking communications content with regard to one of its own nationals in the investigation of a local crime. It also applies even if the non-U.S. government has obtained a compelled disclosure order pursuant to its national laws.
More specifically, the SCA states that a covered service provider “shall not divulge” stored communications content to “any person or entity,” unless pursuant to one of nine statutory exceptions, none of which authorizes disclosure to foreign governments.
The SCA also sets out the situations in which service providers can be compelled to disclose communications content. Only a “governmental entity”—defined as a U.S. federal or state department or agency—is given the authority to compel a provider to disclose communications content, and only according to specified substantive and procedural standards. As discussed further below, access to communications content requires a search warrant, signed by an independent U.S. judge, based on the judge’s finding that there is “probable cause” both that (a) a specific crime has occurred or is occurring and (b) the place to be searched, such as an email account, contains evidence of that specific crime. In addition, the warrant must describe with particularity the data to be searched or seized. Service providers who furnish the content of communications to a U.S. or foreign government, in the absence of such a search warrant or a CLOUD Act-authorized executive agreement, risk civil liability. Prior to the CLOUD Act, there was no provision that authorized disclosure of communications content to foreign law enforcement in any circumstance, even in response to compelled disclosure orders issued by foreign courts.
The CLOUD Act white paper notes:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is Contentstack subject to FISA 702 or EO 12333?
Contentstack, like most US-based SaaS companies, could, on a theoretical and technical level, be subject to FISA 702 where it is deemed to be an RCSP. However, Contentstack, as an enterprise-level content management SaaS Service that primarily collects a very limited scope of personal data related to our customers’ personnel, does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, for the same reason, Contentstack is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. Contentstack does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to target only providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies (such as Contentstack) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that Contentstack processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
What is Contentstack’s practical experience dealing with government access requests?
To date, Contentstack has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data. Should we receive such a request, we will begin publishing a transparency report with respect to such requests. Therefore, while Contentstack may theoretically and technically be subject to the surveillance laws identified in Schrems II, we have not been subject to these types of requests in our day-to-day business operations.
Step 4: Identify the supplementary measures applied to protect the transferred data
Contentstack provides the following technical measures to secure customer data:
- Data residency: Contentstack allows customers to choose between a US or EU instance for their primary cloud storage location.
- Encryption: Contentstack offers data encryption at rest and in transit.
- Security and certifications: Additional information about Contentstack’s security practices and certifications is available in Attachment 1 of the Data Processing Addendum and at www.contentstack.com/securityaddendum.
Contentstack’s contractual measures are set out in our Data Processing Addendum which incorporates the SCCs. In particular, we are subject to the following requirements:
- Technical measures: Contentstack is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum as well as the SCCs we enter into with customers, service providers, and between Contentstack’s entities).
- Transparency: Contentstack is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that Contentstack is legally prohibited from making such a disclosure, Contentstack is contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, Contentstack is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Contentstack’s organizational measures to secure customer data include:
- Policy for government access: To obtain data from Contentstack, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or warrant.
- Onward transfers: Whenever we share your data with Contentstack service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers' personal data receives adequate protection. This process includes a review of the data Contentstack plans to share with the service provider and the associated level of risk, the supplier’s security policies, measures, and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our www.contentstack.com/legal/sub-processors/ (subscribe to our RSS feed so you can stay up to date on any changes).
- Employee training: Contentstack provides data protection training to all Contentstack staff.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this document, including Contentstack’s practical experience dealing with government requests and the technical, contractual, and organizational measures Contentstack has implemented to protect customer personal data, Contentstack considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that individuals’ rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
Contentstack will regularly review and, if necessary, reconsider the risks involved and the measures it has implemented, in response to changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.