Data Transfer Impact Assessment

Last Revised: June 27, 2023

Introduction

Instabase has prepared this document to assist our Customers in assessing the risks of transferring Customer Personal Data (as defined in the Data Protection Agreement) outside the European Economic Area, Switzerland and the United Kingdom (“Europe”) when using any of our hosted Services. In particular, this document may help you conduct a transfer impact assessment in light of the “Schrems II” decision and the subsequent recommendations of the European Data Protection Board. Any capitalized terms used but not defined below have the meaning given to them in the Instabase Data Protection Agreement (“Instabase DPA”).

Disclaimer

Please note that this document is intended for informational purposes only and does not constitute legal advice. Instabase cannot make a determination as to the risks for your data subjects because we are a data agnostic platform. Our Customers are solely responsible for their own compliance with applicable laws and regulations when using the Instabase Services, and for determining whether our commitments are sufficient in light of their intended use.

Background

What does the GDPR say about data transfers?

Chapter V of the GDPR states that personal data may only be transferred outside Europe under certain conditions. In particular, Article 46 provides that, in the absence of an adequacy decision adopted by the European Commission or the UK authorities (as applicable), a controller or processor may only transfer personal data outside Europe if it has put in place “appropriate safeguards”, such as the standard contractual clauses, binding corporate rules, or approved codes of conduct or certifications. These transfer mechanisms are required to ensure that the level of protection guaranteed by the GDPR travels with the data wherever it goes.

What was the Schrems II decision?

On 16 July 2020, the Court of Justice of the European Union issued the Schrems II decision, which requires organizations transferring personal data outside Europe (“data exporters”) to ensure that the data continues to be afforded an essentially equivalent level of protection to that guaranteed by the GDPR. This involves an assessment of the recipient country’s laws and practices, in particular surveillance laws and practices that allow public authorities to gain access to personal data. This has become known as a transfer impact assessment (“TIA”). Where the TIA concludes that surveillance laws and practices impinge on the level of protection, the data exporter must either suspend the transfer or implement “supplementary measures” to ensure that the data is afforded an essentially equivalent level of protection.

What are the EDPB Recommendations?

The European Data Protection Board (“EDPB”) has provided guidance for data exporters performing transfer impact assessments in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“EDPB Recommendations”). The EDPB Recommendations outline a six-step approach for performing transfer impact assessments:

  • Step 1: Know your transfers by mapping all transfers of personal data outside Europe
  • Step 2: Verify the transfer tools on which your transfers rely
  • Step 3: Assess the laws and practices of the recipient countries that may impinge on the effectiveness of the transfer tools
  • Step 4: If the laws and practices of the recipient countries do impinge on the effectiveness of your transfer tools, identify supplementary measures that can bring the level of protection up to the standard required 
  • Step 5: Take formal steps to adopt the supplementary measures identified
  • Step 6: Re-evaluate the level of protection at appropriate intervals

The EDPB Recommendations state that data exporters should take into account the specific circumstances of the transfer, including the purposes of the transfer, the categories of personal data transferred, the format of the data, and the practical experience of the data importer dealing with government access requests.

We have prepared this document to assist you in performing a TIA when using any of our hosting Services to process Customer Personal Data outside Europe.

Step 1: Mapping data transfers

This information will help you complete Step 1 of your TIA, in mapping transfers of personal data outside Europe when using the Instabase Services.

What services does Instabase provide?

Instabase provides an application platform that can be used to understand unstructured data and automate business processes. Instabase is a global company headquartered in San Francisco, California. Our Services allow you to understand unstructured data with proprietary deep learning technologies, rapidly build end-to-end workflows with pre-packaged solution blocks, and innovate at scale in real time. For more information about Instabase, please see https://www.instabase.com/company/.

Is Customer Personal Data transferred or processed outside Europe?

This depends on the Instabase Services you are receiving. If you are using any of our on-premises Services (for example, our managed services), we only access and process Customer Personal Data in environments that you control. However, if you use any of our hosted Services then we process Customer Personal Data in our technology environments and therefore Customer Personal Data will be transferred and processed outside Europe. 

Instabase is a US company and our servers are located in the US. Additionally, depending on the Services we may also engage one or more of our Affiliates and Subprocessors to deliver some or all of the Services. You can find a list of our Affiliates and Subprocessors here. This means that, if you are using any of our hosted Services, Customer Personal Data will be transferred to and stored in the US and other countries outside Europe. 

What data is transferred?

Again, this depends on your use of the Services. Our Customers provide us with text, image files and other data or content that may contain personal data of European individuals. Instabase is a data agnostic platform and we are generally unaware of the types of data that we may process on our Customers’ behalf. You decide what data you provide to Instabase, including the categories of personal data and categories of data subjects. 

For example, depending on your use of the Services, the categories of personal data may include (i) name, address and contact details (as found in KYC or other documents); (ii) financial data (as found in bank statements, pay slips and other financial and tax documents); (iii) biometric data (as found in drivers’ licenses, ID cards, passports, etc.); and/or (iv) health data (as found in health records, lab reports, x-rays, insurance claims, etc.). Similarly, the categories of data subjects may include (i) your employees, agents, authorized sub-contractors and advisors; and/or (ii) your prospects, customers, business partners and vendors.

Ultimately, only you are in a position to determine the level of risk and are responsible for making this assessment including determining whether our commitments are sufficient in light of your intended use of Instabase.

Step 2: Data transfer tools

This information will help you complete Step 2 of your TIA, in verifying the transfer tools relied on to transfer personal data outside Europe.

What tool does Instabase rely on to transfer Customer Personal Data?

Where we host Customer Personal Data outside Europe in order to provide the Services, the Instabase DPA incorporates the 2021 Standard Contractual Clauses (“SCCs”). This means that the SCCs apply automatically for all Customers who use the hosted Services to process Customer Personal Data outside the EEA, as well as the UK and Switzerland (subject to the relevant modifications).

How does Instabase perform onward transfers?

Instabase has implemented appropriate safeguards to ensure that Customer Personal Data remains protected whenever it is processed by our Affiliates and Subprocessors, including entering into data processing agreements and transfer mechanisms (such as the SCCs) and implementing supplementary measures where necessary. Instabase also has a process in place to review the privacy and security controls of Subprocessors that have access to Customer Personal Data.

Step 3: Assessing laws and practices of the recipient country

This information will help you complete Step 3 of your TIA, in assessing the laws and practices of the recipient countries.

Are there any laws in the US that enable government authorities to access personal data for security, surveillance and intelligence purposes?

Instabase is aware of US national security and surveillance laws that could (at least in theory) compel US-based service providers to disclose personal data in a manner that does not ensure an essentially equivalent level of protection for personal data under the GDPR. In particular, the Schrems II decision cited two laws – Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) and Executive Order 12333 (“EO 12333”) – that authorize US government surveillance programmes in a manner that may interfere with the protection of personal data.

Is Instabase subject to FISA 702 and EO 12333?

Like most US service providers, Instabase could technically be subject to FISA 702 and other US surveillance laws.

What is Instabase’s practical experience dealing with government access requests?

To date, we have never received a request under FISA 702 and are not aware of any direct access to Customer Personal Data under EO 12333. Such a request is also quite unlikely given the nature of our Services, as the type of data we generally process on our Customers’ behalf is not of interest to US intelligence agencies. As indicated in a white paper issued by the US Department of Commerce, companies whose operations involve data transfers limited to commercial information are not generally targeted by US intelligence and counter-terrorism agencies.

Step 4: Supplementary measures

This information will help you complete Step 4 of your TIA, in identifying supplementary measures that support the transfer tools.

How does Instabase protect Customer Personal Data outside Europe?

In addition to the SCCs, we have also implemented a number of technical, organizational and contractual measures to ensure that Customer Personal Data remains protected outside Europe. In particular:

  • We have implemented a comprehensive security program designed to protect Customer Personal Data.
  • The Instabase DPA includes rigorous contractual commitments to security, confidentiality of processing, international data transfers, cooperation with data subject rights, and more.
  • We have robust internal policies and procedures to address government access requests and ensure that Customer Personal Data remains protected wherever it is processed. 

We encourage you to review our Trust Center page and Instabase DPA to see the safeguards that we provide for Customer Personal Data, but if you have questions please email privacy@Instabase.com.

How does Instabase handle access requests from the US government?

Customers typically have direct access to their data and therefore are generally in a better position to identify and access their own data in response to access requests from law enforcement or a government authority. However, in the event that Instabase receives an access request directly, we will not voluntarily provide law enforcement or government authorities with access to Customer Personal Data as a matter of general policy and only provide such access where we reasonably believe that we are legally required to do so. In addition, we will promptly notify you of any requests unless we are legally prohibited from doing so. 

Does Instabase publish transparency reports?

Instabase does not publish transparency reports at this time. However, in the event that we ever receive an access request from law enforcement or a government authority we will start to publish a transparency report. 

Step 5: Formal steps to adopt supplementary measures

This information will help you complete Step 5 of your TIA, in identifying any formal steps required to adopt the supplementary measures.

Are any formal steps required to adopt the supplementary measures?

Our Customers automatically benefit from the supplementary measures identified above by entering into the Instabase DPA and using the hosted Services.

Step 6: Re-evaluating the level of protection

This information will help you complete Step 6 of your TIA, in re-evaluating the level of protection at appropriate intervals.

When should Customers re-evaluate the level of protection?

Instabase is committed to ensuring the security of our Services and Customer Personal Data, and will assist Customers with any additional assessments that may be reasonably required in light of changes to our Services and/or applicable laws and practices to ensure compliance with the GDPR.

Additional resources

To help you further perform your TIA and understand how you can address your data protection requirements under the GDPR, we encourage you to read our Trust Center. If you have questions or need more information, please email privacy@Instabase.com.