Visor Ltd, registered in Ireland, and AccountsIQ, registered in England and Wales (together referred to as “AIQ”, "the Company", "we", "our" and "us") are committed to protecting and respecting privacy, complying with data protection legislation when transferring personal data and protecting the rights of data subjects in relation to data protection.
The purpose of this document is to provide information to help customers assess the data transfer implications of using AIQ products in light of the "Schrems II" ruling of the Court of Justice of the European Union and the recommendations of the European Data Protection Board.
This document describes the legal regimes applicable to AIQ products when clients opt for cloud storage services in the US, the safeguards we put in place in connection with transfers of customer's personal data from the European Economic Area ("EEA") and UK, and our ability to comply with our obligations as "data exporter" under the Standard Contractual Clauses ("SCCs").
For more details about the Company’s GDPR compliance program you can visit our Trust Centre.
AIQ uses Controller to Processor Standard Contractual Clauses ("SCCs") whenever personal data that it transfers to an organisation outside the EEA is processed by AIQ as the data controller. Where sub-processors are used by AIQ to provide services to its clients, we use Processor to Processor SCCs.
AIQ offers its customers the option to opt for EEA cloud storage solutions, so any AIQ customer opting for US storage will be responsible as a data controller for completing their Transfer Impact Assessment.
Where AIQ processes personal data subject to European data protection laws, including the EU GDPR, as a data processor for its customers, the customers have given their consent for the personal data processed on their behalf to be stored on cloud servers in the US (i.e., using Microsoft Azure cloud services).
We also comply with our obligations under the Data Processing Addendum, which is available on our website – here ("DPA"). If the customer is a European entity, our DPA is deemed to incorporate the SCCs. It provides the following information:
Please refer to Exhibit 1 to the DPA for information on the nature of AIQ's processing activities in connection with the provision of the AIQ services and the performance of AIQ's obligations under the principal contract and the DPA, or as otherwise agreed by the parties. These services and purposes include but are not limited to: onboarding new customers; responding to inquiries and requests by customers; accounting services; facilitating integration with third-party integrator representatives; communicating API changes to integrators; interacting with customers for project work; processing employee expenses and customer and supplier payments; responding to enquiries and support requests from AIQ direct users.
Where personal data originating from Europe is transferred from AIQ to third countries, we rely upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. For AIQ's Data Processing Addendum and applicable SCCs, please see https://www.AIQ.global/trust-center.
An overview of our sub-processors and details of international transfers can be found below:

| Sub-processor | Purpose | Location | Data processing agreement | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Azure | Hosting AIQ platforms | Headquarters - US (Washington); EEA storage option | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA | NA |
| Pendo | User engagement tool | Headquarters - US (North Carolina) | https://www.pendo.io/legal/data-processing-addendum/ | SCC - Exhibit A |
| Beamer | User engagement tool | Headquarters - US (Delaware) | https://drive.google.com/file/d/1fQw-Jq7mI-vkn7lq_zSX0DXY-bxcbZLg/view | SCC - Art. 5.2/Annex I B |
| Zendesk | User engagement & customer communication tool | Headquarters - US (California); EEA storage option | https://cloud4wi.zendesk.com/hc/en-us/articles/360004143612-Data-Processing-Agreement-DPA- | SCC - Art. 6.3/Annex I |
| Datadog | Production management tool | Headquarters - US (New York); EEA storage option | https://www.datadoghq.com/legal/data-processing-addendum/#transfer-mechanisms | SCC - Art. 12.1 |
| Mailgun | Email deliverability services | Headquarters - US (Texas); EEA storage option | | |
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
FISA Section 702 ("FISA 702") – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. It provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the whitepaper "U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II" from September 2020. This document details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702, the whitepaper notes:
Regarding Executive Order 12333, the whitepaper notes:
AIQ is not a US-based company subject to FISA 702 and EO 12333. Moreover, AIQ does not process personal data that is likely to be of interest to US intelligence agencies.
The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law.
Organizations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.
This framework addresses two concerns raised by the EU Court of Justice in relation to US surveillance laws: (1) the scope and proportionality of permissible US national security surveillance activities; and (2) the availability of redress mechanisms for Europeans whose personal data are improperly collected and used by US intelligence agencies. The new framework rightly makes clear that US surveillance practices must be both necessary and proportionate. And crucially, it creates an independent data protection review court to provide effective review and redress for Europeans affected by improper surveillance.
For more information regarding how data is stored by Microsoft Azure, please read the overview on data residency – here. Moreover, Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework.
For more information on the CLOUD Act, review "What is the CLOUD Act?" by BSA | The Software Alliance, which outlines the scope of the CLOUD Act.
The whitepaper notes:
AIQ employs the following technical measures to secure personal data:
Our organizational measures to secure customer data include:
This document is for informational purposes only; the responsibilities and liabilities of AIQ are set out in our commercial agreement, and this document is not part of, nor does it modify, any agreement between AIQ and its customers.