In this article, we will explain how the invalidation of the Privacy Shield affected the way we store our client and participant data.

Last updated: August 11, 2020

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield. This means that the Privacy Shield is no longer a valid legal framework for transferring personal data from the European Economic Area to the United States. We, and thousands of other companies, relied on this framework for essential parts of our system. Because this decision was unexpected, there is a lot of uncertainty about our options regarding the use of US-based services.

Privacy and security are very important to us. We are storing all data within the European Union, but we have sub-processors in the United States that are essential for the functioning of our LMS. We are following the developments around the invalidation of the Privacy Shield and are currently investigating our options with our non-EU based sub-processors.

We intend to be fully GDPR compliant, so we will do everything to make sure all our data is lawfully and securely processed, safeguarding the privacy of our clients and their clients. We have decided for now to sign Data Processing Agreements (DPAs), containing Standard Contractual Clauses (SCCs), with all our US sub-processors, ensuring a protection of all personal data on a level similar to that under the GDPR. When there are any updates, they will be posted on this page.

Because we want to be transparent about how we are dealing with this situation, we have created a list of all our non-EU sub-processors, what personal data they process, and our response to the invalidation of the Privacy Shield. Because we process the data of both our direct clients and our clients’ participants, we will refer to these different groups of personal data as ‘client personal data’ and ‘participant personal data’ respectively.

Participant personal data

These systems process participant personal data:

AWS

Our application is hosted on Amazon AWS servers in Frankfurt, Germany. All data is stored on another AWS server at the same location, fully encrypted. Up until now, we have relied on the Privacy Shield for any data transfers to the US. Even though all data is encrypted and should be safe, we are currently looking into signing SCCs that should secure all data completely. You can read more about AWS and privacy here.

Mandrill

We are using Mandrill for all our emails that are generated from our LMS system. Mandrill stores and processes all information in the United States. They have incorporated SCCs in their Terms of Service and they state on their website that they will keep following the same data protection measures, giving essentially the same data protection as before the invalidation of the Privacy Shield.

The following emails are sent through Mandrill to the participants:
Invitation emails
Result emails
Certificate emails
Password reset emails
And to the admins:
Result notification emails
Export notification emails
Admin invitation emails
Admin password reset emails
Invoice emails
Most of these emails contain personal information of the participant, namely their name and email address.

You can ensure that no emails are sent to participants through Mandrill by using your own mail server. How to do this can be found here.

This does not affect the emails that are sent to admins. We are working on changing that, but in the meantime, you can disable notifications when a participant finishes. In combination with your own mail server, no participant personal data is sent to Mandrill. This does not prevent client personal data from being sent to Mailchimp.

Client personal data

The following systems only process client personal data

Demo tools

We use several tools for our demos and feature requests, which include:
Calendly
GoToMeeting
Pipedrive
Productboard
Zapier
We have reviewed and signed DPAs with all these companies, ensuring safety and security when they process names, email addresses, phone numbers, and company details.

Atlassian products

We are using several products of Atlassian, mostly for internal process tracking. Some of this data includes customer emails, so we have signed their DPA to make sure that this data is safely stored and processed.

Google Drive

We use Google Drive for internal document storage. We are looking into multiple solutions to ensure the future safety of personal data, including storing data in the EU, anonymizing data in the drive, and finding an alternative.

Slack

We use Slack as our internal communication tool, where sometimes we discuss client requests. We have signed their DPA.

Intercom

Previously, we used Intercom for our help center and chat, but we switched to Crisp, which is based within the European Union. They are fully GDPR compliant, so no problems there!
Was this article helpful?
Cancel
Thank you!