Data Transfer Impact Assessment
Dated: January 12, 2022
Purpose of this document
This document provides information to help RudderStack’s (‘us’, ‘our’) customers (‘you’) conduct Data Transfer Impact Assessments (DTIA) in connection with their use of our platform, in light of the recent “Schrems II” ruling of the Court of Justice of the European Union and the recommendations from the European Data Protection Board (EDPB).
In particular, this document describes the safeguards RudderStack puts in place in connection with transfers of customer personal data from the European Economic Area, RudderStack's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs"), and the legal regimes applicable to RudderStack.
RudderStack is an open-source, enterprise-ready Customer Data Platform for collecting, storing, and routing customer event data to customer data warehouse and cloud platforms. Our data pipelines make it easy for our customers to collect event data from any application, website, mobile device or SaaS platform, and then activate it in the customer’s data warehouse and other business tools. We also provide a transformation framework to transform and enhance the events before routing them to the destination.
Our product incorporates privacy by design considerations. As a data processor to our customers, RudderStack does not determine or control the type of data transmitted through its systems by our customers. With RudderStack’s Control Plane, our customers determine the source and end points for their data – making sure our customers have complete visibility and control of their data. Also, because the data never leaves our customer’s infrastructure, our customers can rest assured that their data is only being used in the manner they intended.
Description of transfer
- Purpose of transfer: We receive, transform, and route customer end-user event data from source (application, website, mobile device or SaaS platform) to destination (customer warehouse or business tools) systems.
We collect customer user (employee) and account information to establish and maintain a commercial relationship with you and to provide ongoing service for the performance of our contract with you.
- Frequency of transfer: Data is transferred continuously or as directed by the customer
- Categories of data subjects: Customer’s data subjects and platform users
- Categories of personal data transferred, including sensitive data (if applicable): Customer’s data subjects: As a data pipeline provider, RudderStack provides the application/network enabling our customers to fetch event data from one or more sources to one or more data warehouse providers or business tools. We do not control the personal data that is sent to our platform, and our customers determine what data travels across our pipelines. We are not aware of the content that our customers are passing through. However, in the event the customer requests to transfer special categories of Personal Data, this would then be specified in the DPA.
Platform users: Account and business contact information to provision service, such as name, contact number and email address
- Duration of processing: All data sent by customer systems and applications is purged within a maximum of 3 hours unless customers choose 30 days retention.
Upon termination of service or expiry of subscription, customer user accounts from the control plane are downgraded to the Free Tier. At this point, customers can request deletion of their account at any time by reaching out to our Customer Support team.
- Applicable transfer mechanism: For transfers from Europe, we rely on Data Processing Agreements (DPAs) incorporating the new European Commission-approved SCCs for enabling international transfers to the United States or other appropriate and approved transfer mechanisms.
- Onward transfers: RudderStack's hosted solution is running on AWS EKS with the cluster spanning multiple availability zones within the United States.
As our subprocessor, any data sent to AWS is subject to equal enforcement of the terms of the DPA we sign with our customers. Our agreement with AWS is supplemented with AWS’s DPA, incorporating the new SCCs. Our complete list of subprocessors is included in our DPA.
Safeguards to protect customer data
- Encryption: All data traffic to and from RudderStack is transmitted over Secure HTTP (HTTPS) using TLS v1.2. All EBS volumes underlying RudderStack data stores are encrypted using the industry standard AES-256 encryption algorithm to encrypt your data. AWS KMS is used for key management and cryptographic operations.
- Multi-tenancy: We have adopted a multi-tenancy model to ensure that one customer’s data is never available to another customer. Customer data separation is logical. Each customer is assigned a unique Workspace ID and customer data is separated by this ID.
- Logical separation between control and data plane: The control plane manages the configuration of our customer’s sources and destinations, while the data plane is RudderStack's core engine responsible for receiving and buffering the event data, transforming the events into the required destination format and relaying the events to the destination. The data plane is intentionally separated from the control plane to give you complete ownership of your data.
- No login to PostgreSQL database: Events are stored temporarily in a PostgreSQL database until they are either transmitted to the destination or purged within a maximum duration of 3 hours. There are no users configured in PostgreSQL and human login to the database is not possible; PostgreSQL accepts connections only from the application nodes within the Kubernetes cluster. Therefore, there is no way for RudderStack to access your data transiting through our platform.
- Control plane access control and authentication: The platform supports role-based access control and our Enterprise version supports 2-Factor Authentication via email or phone verification using a one-time password (OTP).
- Personnel security: All personnel go through background screening, and are bound by privacy and confidentiality obligations as part of their contract and non-disclosure agreement with RudderStack. All personnel are also required to undertake relevant security and privacy training.
- Certifications: We have attained System and Organization Controls (SOC) 2 Type II certification through a third-party auditor. The SOC 2 Type II report validates that RudderStack meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security.
- Contractual measures: Our contractual measures are set out in the DPA we sign with our customers. We are obligated under the SCCs (incorporated within your DPA) to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority.
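The multi-tenancy and duration-of-processing safeguards above (logical separation by Workspace ID, purge within 3 hours unless a customer opts into 30 days, removal once an event is delivered) can be expressed as two checks a data-plane store must enforce. The following is an added illustration written for this assessment, not RudderStack's code: it assumes a hypothetical in-memory buffer (TransientEventBuffer), hypothetical workspace identifiers (ws-a, ws-b) and constructed sample events, and shows that every read is forced through a workspace-scoped filter and that the purge honours each workspace's retention window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention windows named in the assessment. These constants belong to this
# illustration only; they are not RudderStack configuration values.
DEFAULT_RETENTION = timedelta(hours=3)
EXTENDED_RETENTION = timedelta(days=30)


class WorkspaceScopeError(Exception):
    """Raised when an access attempt is not bound to exactly one workspace."""


@dataclass
class Event:
    workspace_id: str
    payload: dict
    received_at: datetime
    delivered: bool = False


@dataclass
class TransientEventBuffer:
    """Hypothetical store modelling the transient event buffer: reads are
    scoped by workspace ID inside the store, and undelivered events expire
    according to the workspace's retention window."""
    extended_retention_workspaces: set = field(default_factory=set)
    _events: list = field(default_factory=list)

    def retention_for(self, workspace_id: str) -> timedelta:
        if workspace_id in self.extended_retention_workspaces:
            return EXTENDED_RETENTION
        return DEFAULT_RETENTION

    def ingest(self, workspace_id: str, payload: dict, now: datetime) -> None:
        # Every event is tagged with its workspace at ingestion time.
        if not workspace_id:
            raise WorkspaceScopeError("event must carry a workspace_id")
        self._events.append(Event(workspace_id, payload, now))

    def pending(self, workspace_id: str) -> list:
        # Tenant isolation: the filter is applied here, so no caller can
        # construct a read that spans workspaces or omits the scope.
        if not workspace_id:
            raise WorkspaceScopeError("reads must be scoped to a workspace")
        return [e for e in self._events
                if e.workspace_id == workspace_id and not e.delivered]

    def mark_delivered(self, workspace_id: str, event: Event) -> None:
        # Refuse to act on an event that belongs to a different workspace.
        if event.workspace_id != workspace_id:
            raise WorkspaceScopeError("event belongs to a different workspace")
        event.delivered = True

    def purge(self, now: datetime) -> int:
        """Drop delivered events immediately and undelivered events whose age
        exceeds their workspace's retention window. Returns the count removed."""
        before = len(self._events)
        self._events = [
            e for e in self._events
            if not e.delivered
            and now - e.received_at <= self.retention_for(e.workspace_id)
        ]
        return before - len(self._events)


def demo() -> dict:
    """Run the isolation and retention checks on constructed sample events."""
    buf = TransientEventBuffer(extended_retention_workspaces={"ws-b"})
    t0 = datetime(2022, 1, 12, 9, 0, tzinfo=timezone.utc)
    buf.ingest("ws-a", {"event": "page_view"}, t0)   # constructed sample
    buf.ingest("ws-b", {"event": "sign_up"}, t0)     # constructed sample
    results = {}
    results["a_sees_only_own"] = [e.payload["event"] for e in buf.pending("ws-a")]
    results["b_sees_only_own"] = [e.payload["event"] for e in buf.pending("ws-b")]
    try:
        buf.pending("")
        results["unscoped_read_rejected"] = False
    except WorkspaceScopeError:
        results["unscoped_read_rejected"] = True
    # A delivered event leaves the buffer on the next purge, whatever its age.
    buf.ingest("ws-a", {"event": "identify"}, t0)
    buf.mark_delivered("ws-a", buf.pending("ws-a")[-1])
    results["delivered_purged_immediately"] = buf.purge(t0)
    # Four hours on: ws-a exceeded the 3-hour default, ws-b is within 30 days.
    results["purged_after_4h"] = buf.purge(t0 + timedelta(hours=4))
    results["a_after_purge"] = len(buf.pending("ws-a"))
    results["b_after_purge"] = len(buf.pending("ws-b"))
    # Thirty-one days on: the opted-in workspace's event expires as well.
    results["purged_after_31d"] = buf.purge(t0 + timedelta(days=31))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the workspace filter lives inside the store rather than in each caller: an application bug that forgets to pass a scope fails closed with WorkspaceScopeError instead of returning another customer's events, and the purge keys retention off the event's own workspace so an opt-in to 30 days cannot leak into a workspace that did not request it.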
Relevant local laws that apply within the jurisdiction of transfer
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA 702”): FISA 702 allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP") as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO 12333"): EO 12333 authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
The U.S government, in response, has prepared a White Paper, providing information about privacy protections in current U.S. law and practices relating to government access to data for national security purposes, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. To summarize some of the key points, the White Paper notes:
Regarding FISA 702
- For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding EO 12333
- EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
- Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
Is RudderStack likely impacted by FISA 702 or EO 12333?
Like most US-based SaaS companies, RudderStack could technically be subject to FISA 702 or EO 12333. However, we have not been subject to any FISA 702 or EO 12333 requests in the past and we believe that the risk of access to your data is low. Here is why:
FISA 702: The term "electronic communications service provider" is defined broadly to include telecommunications carriers, providers of electronic communications services and remote computing services, as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage). RudderStack neither provides internet backbone services nor is a telecommunications carrier. However, the definition of an RCSP is broad enough that it could potentially capture any company that sends and receives electronic communications, regardless of the company's primary business or function.
- While AWS (our subcontractor) is considered to be an RCSP and is technically subject to FISA 702, our DPA with AWS requires them to notify us in case of access by public authorities. Even so, we do not process personal data that is likely to be of interest to US intelligence agencies.
- The RudderStack platform was designed with security and compliance in mind to reduce the risk of access to your data. This means that access is further mitigated through the following measures:
- RudderStack does not store customer data beyond a maximum duration of 3 hours.
- In the unlikely event that we receive a request from the relevant authorities, there is no capability for us to access your data within PostgreSQL in the absence of a user login.
On top of this, we are committed to assist our customers in preventing, limiting, and handling such requests through additional contractual steps as outlined in our DPA.
EO 12333: EO 12333 contains no authorization to compel private companies (such as RudderStack) to disclose personal data to US authorities, and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition, which is generally unrelated to commercial information.
Have we practically dealt with such requests?
RudderStack has not been subject to these types of requests in our day-to-day business operations.
Our position with regards to EU-US transfers
At RudderStack, we believe that transfers of personal data by data exporters to RudderStack (as the data importer) do not undermine the protections afforded data subjects by the SCCs, the GDPR, and the service agreement between RudderStack and its customers. This is because:
- RudderStack does not have control over what personal data transits through our systems;
- Customer data is purged after a maximum duration of 3 hours, or after 30 days of retention if the Customer chooses that option. We do not persist any customer data that our customers feed into the service beyond the duration defined;
- RudderStack is, by design, unable to access transient customer data; and
- The low likelihood that surveillance orders would be issued under the relevant laws discussed above.