Data Transfer impact assessment
Overview
This document provides information to help Teamspective customers conduct data transfer impact assessments, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations from the European Data Protection Board.
Step 1: Describe the intended transfer
a) Data exporter
Teamspective Oy
b) Country of data exporter
Finland
c) Data importers
- Stripe
- Postmark / Wildbit, LLC
- Sentry / Functional Software, Inc
- Heap
- Intercom
- Hubspot
d) Country of data importers
USA
e) Context and purpose of the transfer
- Stripe: Payment processing to manage Teamspective’s customers’ software licenses, license fees and invoices.
- Postmark / Wildbit, LLC: Email processing in order to deliver Teamspective users relevant communications as part of the service.
- Sentry / Functional Software, Inc: Error reporting that allows Teamspective to document, notice, analyze and fix software issues that may arise as the service is operated.
- Heap: Software usage analytics that are necessary for maintenance and development of the software, and for helping Teamspective customers to gain maximum benefit from the service.
- Intercom: Customer service and software usage analytics that are necessary for delivering relevant communication to the users of the software.
- Hubspot: Contact information management and customer service solutions that are necessary for ensuring relevant communications and a satisfactory customer experience.
f) Categories of data subjects concerned
Employees.
g) Categories of personal data transferred:
Contact information, personal information.
h) Sensitive personal data
Not transferred.
i) Technical implementation of the transfer
The data is transferred over an encrypted connection to the data importers and stored on their servers.
j) Technical and organizational measures in place
Please refer to our Trust center
k) Relevant onward transfers of personal data
None
l) Countries of recipients of relevant onward transfers
n/a
Step 2: Define the TIA Parameters
a) Starting date of the transfer
1.3.2020
b) Assessment period
Five years – once we approach the end of the period, we will re-assess the situation (1.3.2025).
c) Determining the acceptable residual risk of foreign lawful access
Due to the nature of the transferred data (software usage analytics, customer service communication, payment information and contact information), we believe that the probability of prohibited lawful access occurring is low. This means that within the assessment period there is a less than 5% chance of this occurring, which we interpret as "no reason to believe" that it will actually occur during the period.
d) Target jurisdiction for which the TIA is made
USA
e) Relevant local laws taken into consideration
Section 702 FISA, EO 12.333 (and PPD-28)
Step 3: Define the safeguards in place
a) Would it be feasible, from a practical, technical and economical point of view, for the data exporter to transfer the personal data in question to a location in a whitelisted country instead?
- Stripe: No, the payment processing needs to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
- Postmark / Wildbit, LLC: No, the email processing needs to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
- Sentry / Functional Software, Inc: No, the error reporting needs to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
- Heap: No, the software usage analytics needs to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
- Intercom: No, this part of customer service and software usage analytics needs to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
- Hubspot: No, the customer relationship management and certain parts of customer service need to be done with this service due to a combination of technical, practical and economical criteria used to evaluate a range of alternative services. Their service is located in the US for technical reasons.
b) Is the personal data transferred under one of the exemptions pursuant to applicable data protection law (e.g., Art. 49 GDPR in case of the GDPR)?
No. Appropriate safeguards pursuant to Article 46 apply.
c) Is the personal data at issue transmitted to the target jurisdiction in clear text (i.e. there is no appropriate encryption in-transit)?
All transmitted data is encrypted end-to-end with state-of-the-art encryption.
d) Is the personal data at issue accessible in the target jurisdiction in clear text by the data importer/recipient or a third party (i.e. the data is either not appropriately encrypted or access to the keys to decrypt is possible)?
Yes. The listed service providers need access to certain data in clear text in order to be able to use it for delivering their services. Thus, encryption that is irreversible by the data importer is not possible. Therefore, foreign lawful access is at least technically possible.
e) Is the personal data at issue protected by a transfer mechanism approved by the applicable data protection law (e.g., the EU Standard Contractual Clauses in case of the GDPR, approved BCR, or - in the case of an onward transfer - a back-to-back-contract in line with the EU SCC), and can you expect compliance with it, insofar permitted by the target jurisdiction, and judicial enforcement (where applicable)?
Yes. Teamspective has entered into the relevant EU Standard Contractual Clauses with each data importer and is, thus, compliant with Clause 8.7 of the EU SCC. We have no reason to believe that the provider will not comply with the EU SCC, to the extent that US law permits.
Step 4: Assess the risk of prohibited lawful access in the target jurisdiction
a) Assess the probability that during the assessment period, the following legal arguments will prevent the local authorities in the target jurisdiction from successfully forcing the data importer/recipient to disclose personal data at issue under the relevant local laws as identified in Step 2 above.
Legal argument limiting access | Estimated probability of preventing access | Reasoning for probability |
---|---|---|
The data importer/recipient is no "Electronic Communications Service Provider" with regard to the processing of personal data at issue and, thus, out of scope of the relevant laws | 70% | By our reasoning none of the data importers are ECSPs. However, alternative interpretations are possible so we have conservatively estimated this at 70%. |
The data importer/recipient has no possession, custody or control over the personal data at issue in clear text and can, thus, not be (successfully) ordered to provide or search it in clear text under the relevant laws | 0% | The provider holds Teamspective’s data on its servers and is able to decrypt it. |
The transfer of the personal data at issue or the content of the personal data will be considered communications to either a person located in the United States or a US person, which may not be "intentionally targeted" by the US authorities under the relevant laws, but such targeting would occur in the present case, and, thus, prevent such a request | 50% | The data importer is a US person, and the data at issue is sent to such company. The service providers are US companies and their data is thus protected from the relevant surveillance actions. The same protection should apply to foreign companies transferring data to a US company; however, this is not yet 100% certain. However, it contains communications that were never targeted to a US person and not intended to be sent to the US. It would amount to a circumvention of Section 702 FISA if one were to refuse compliance with a search order for such non-US communications by having it first transferred to the US. |
Performing a prohibited lawful access would violate the data exporter's or other applicable foreign law in a manner that is not permitted under the US law doctrine of international comity, which, thus, prevents such a request | 70% | The access may, indeed, violate European data protection law, but it is not very likely that the US authorities will consider this as sufficient grounds not to order access to such data. |
b) Is the data importer/recipient contractually required to defend the personal data at issue against lawful access attempts?
Yes. This is a requirement under the EU SCC entered into with the data importer.
c) Probability that during the assessment period, the data is regarded as content that is the subject of lawful access requests at issue under the relevant local laws, based on past experience?
Less than 5% probability. The processed data is customer service communications, payment information and software usage data. None of these are the target of data gathering under Section 702 FISA or EO 12.333. This is confirmed by a report of the Privacy and Civil Liberties Oversight Board (PCLOB) (https://bit.ly/3yeO7us), the NSA's comments (https://bit.ly/3dFalhk), and the decisions of the Foreign Intelligence Surveillance Court (FISC) granting access in such cases (2019: https://bit.ly/3heBYQB). These sources contain no indication that such data has ever been the target of searches under Section 702 FISA or EO 12.333. Also, Section 702 FISA is only about communications services provided to the targets of the searches, and not to others or applications such as the present one. Therefore, we believe that the probability that the provider has received or will receive a surveillance order with respect to our data during the period under consideration is very low.
d) Probability that during the assessment period, the data importer/recipient is technically able to search the data in plain text on an ongoing basis for selectors (i.e. search terms such as certain recipients or senders of electronic communications) without the data exporter's permission as part of the lawful access requests at issue under the relevant local laws?
100%. The providers do have access to the data, and can, therefore, search it.
f) Are measures in place to find out if during the assessment period the circumstances taken into account in the above assessments are no longer valid?
Yes. We regularly monitor legal developments in this area. Also, we have agreed with the data importer that it will regularly report on its experience with lawful access requests.
Final Step: Conclusion
Overall probability of being the subject of a lawful access attempt prohibited under applicable data protection laws: Approximately 5%
Overall probability of a lawful access prohibited under applicable data protection laws: Approximately 95.5%.
Probability of a successful lawful but prohibited access under applicable data protection laws: Approximately 0.25%
We have made the assessment on the basis of internal legal analysis, legal research, public documentation and statistics.
In view of the above and the applicable data protection laws, the residual risk of prohibited lawful access is acceptable and the transfer is permitted. This conclusion will be reassessed at the latest by: 1.3.2027 (or if there are any changes in circumstances).