AIQ’s Data Transfer Impact Assessment

The purpose of this document is to provide information to help customers assess the data transfer implications of using AIQ products.
Overview 

Visor Ltd, registered in Ireland, and AccountsIQ, registered in England and Wales (together referred to as “AIQ”, "the Company", "we", "our" and "us") are committed to protecting and respecting privacy, complying with data protection legislation when transferring personal data and protecting the rights of data subjects in relation to data protection.  

The purpose of this document is to provide information to help customers assess the data transfer implications of using AIQ products in light of the "Schrems II" ruling of the Court of Justice of the European Union and the recommendations of the European Data Protection Board. 

This document describes the legal regimes applicable to AIQ products when customers opt for cloud storage services in the US, the safeguards we put in place in connection with transfers of customers' personal data from the European Economic Area ("EEA") and the UK, and our ability to comply with our obligations as "data exporter" under the Standard Contractual Clauses ("SCCs"). 

For more details about the Company's GDPR compliance programme, you can visit our Trust Centre.

About the transfer 

AIQ uses controller-to-processor Standard Contractual Clauses ("SCCs") whenever personal data that it transfers to an organisation outside the EEA is processed by AIQ as the data controller. Where sub-processors are used by AIQ to provide services to its customers, we use processor-to-processor SCCs. 

AIQ offers its customers the option of EEA cloud storage solutions; any AIQ customer that instead opts for US storage is responsible, as the data controller, for completing its own Transfer Impact Assessment. 

Where AIQ processes personal data subject to European data protection laws, including the EU GDPR, as a data processor for its customers, those customers have given their consent for the personal data processed on their behalf to be stored on cloud servers in the US (i.e., using Microsoft Azure cloud services).  

We also comply with our obligations under the Data Processing Addendum ("DPA"), which is available on our website. If the customer is a European entity, our DPA is deemed to incorporate the SCCs. It provides the following information: 

  • description of AIQ’s processing activities involving customer personal data (Annex 1); and 
  • description of AIQ’s sub-processors, restricted transfers and safeguards (Annex 2 and 3). 

Please refer to Exhibit 1 to the DPA for information on the nature of AIQ's processing activities in connection with the provision of the AIQ services and the performance of AIQ's obligations under the principal contract and the DPA, or as otherwise agreed by the parties. These services and purposes include but are not limited to: onboarding new customers; responding to inquiries and requests by customers; accounting services; facilitating integration with third-party integrator representatives; communicating API changes to integrators; interacting with customers for project work; processing employee expenses and customer and supplier payments; responding to enquiries and support requests from AIQ direct users.  

Identify the safeguards on which we rely 

Where personal data originating from Europe is transferred from AIQ to third countries, we rely upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. For AIQ's Data Processing Addendum and the applicable SCCs, please see https://www.AIQ.global/trust-center.  

An overview of our sub-processors and details of international transfers can be found below: 

| Sub-processor | Purpose | Headquarters | EEA storage option | DPA / transfer terms | SCC reference |
|---|---|---|---|---|---|
| Microsoft Azure | Hosting AIQ platforms | US (Washington) | Yes | https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA | NA |
| Pendo | User engagement tool | US (North Carolina) | Not stated | https://www.pendo.io/legal/data-processing-addendum/ | SCC - Exhibit A |
| Beamer | User engagement tool | US (Delaware) | Not stated | https://drive.google.com/file/d/1fQw-Jq7mI-vkn7lq_zSX0DXY-bxcbZLg/view | SCC - Art. 5.2/Annex I B |
| Zendesk | User engagement & customer communication tool | US (California) | Yes | https://cloud4wi.zendesk.com/hc/en-us/articles/360004143612-Data-Processing-Agreement-DPA- | SCC - Art. 6.3/Annex I |
| Datadog | Production management tool | US (New York) | Yes | https://www.datadoghq.com/legal/data-processing-addendum/#transfer-mechanisms | SCC - Art. 12.1 |
| Mailgun | Email deliverability services | US (Texas) | Yes | Not stated | Not stated |

Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer 

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US: 

FISA Section 702 ("FISA 702") – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711. 

Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. It provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure. 

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This document details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling. 

Regarding FISA 702 the whitepaper notes: 

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” 
  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages. 

Regarding Executive Order 12333 the whitepaper notes: 

  • EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data. 
  • Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333. 

AIQ is not a US-based company subject to FISA 702 and EO 12333. Moreover, AIQ does not process personal data that is likely to be of interest to US intelligence agencies. 

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law. 

Organizations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law. 

This framework addresses two concerns raised by the EU Court of Justice in relation to US surveillance laws: (1) the scope and proportionality of permissible US national security surveillance activities; and (2) the availability of redress mechanisms for Europeans whose personal data are improperly collected and used by US intelligence agencies. The new framework rightly makes clear that US surveillance practices must be both necessary and proportionate. And crucially, it creates an independent data protection review court to provide effective review and redress for Europeans affected by improper surveillance. 

For more information regarding how data is stored by Microsoft Azure, please read Microsoft's overview on data residency. Moreover, Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework. 

CLOUD Act 

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. 

The whitepaper notes: 

  • The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
  • The CLOUD Act does not allow U.S. government access to national security investigations, and it does not permit bulk surveillance. 

Technical, contractual and organizational measures applied to protect the transferred data 

AIQ employs the following technical measures to secure personal data:  

  • Security and certifications: Additional information about our security practices and certifications is available in the Data Processing Addendum and on our Trust Centre.  
  • Technical measures: We are contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum and under the SCCs we enter into with customers, service providers, and between entities within the AIQ group or its affiliates, as the case may be). 
  • Transparency: The customer(s) will be informed of the transfers and must be notified in the event of a government request for access to the customer's personal information.  
  • Actions to challenge access: Under the SCCs, the parties are obliged to review the legality of government authority access requests and challenge such requests where they are unlawful. 

Our organizational measures to secure customer data include: 

  • AIQ is not a US-based company. 
  • We have not received any disclosure requests from the U.S. government, including requests for access under FISA 702. Where customers choose US storage locations, the cloud service provider for those locations (Microsoft Azure) states that it does not provide any government (including law enforcement or other government agencies) with direct or unfettered access to customer data. For more information about government requests and national security reports regarding Microsoft's activity in recent years, see Microsoft's published reports.  
  • We have a detailed Cross-Border Transfers Procedure, which sets out the rules for transferring personal data to third countries, a General Data Protection Policy, which also covers details of personal data transfers, a Data Subject Rights Policy, a Data Breach Policy and a dedicated Incident Response Team, which guides our investigation and mitigation of any identified or potential data breaches.  
  • The transfer of customers' personal data to the USA could be considered necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller (i.e. the customer) and another natural or legal person (i.e. AIQ as processor and its sub-processors assisting AIQ in the provision of its services). 
  • AIQ uses controller-to-processor SCCs whenever personal data that it transfers to an organisation outside the EEA is processed by AIQ as the data controller. Where sub-processors are used by AIQ to provide services to its customers, we use processor-to-processor SCCs. 
  • We have appointed a Data Protection Officer. 
  • All our employees and contractors ("Personnel") are required to observe confidentiality obligations and to sign confidentiality agreements, clauses, and non-disclosure agreements. 
  • We have strict access controls in place to ensure that the only people who have access to personal information are those who absolutely need it to do their job. 
  • We provide privacy and security training to all our employees. As a result, our employees are always up to date with security and privacy best practices. 
  • To ensure that all our services are built in compliance with data protection and privacy regulations, we ensure that privacy reviews and considerations are explicitly included in the product design lifecycle. To this end, AIQ implements internal policies to ensure privacy by design and by default in accordance with applicable privacy legislation. 

This document is for informational purposes only; the responsibilities and liabilities of AIQ are set out in our commercial agreement, and this document is not part of, nor does it modify, any agreement between AIQ and its customers.