Data Transfer Assessment

REC Parenting Limited 

Date: 01.06.2023 

Overview  

This document provides information on the data transfer assessment we have carried out in connection with use of our Services, in light of the “Schrems II” ruling of the European Union Court of Justice and the recommendations from the European Data Protection Board. 

In particular, this document describes the legal regimes applicable to the transfers made, the safeguards put in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and our ability to comply with our obligations as “data importer” under the EU, Swiss and UK Standard Contractual Clauses (together “SCCs”). 

Step 1: Know your transfer  

Where we process personal data governed by European data protection laws as a data processor, we comply with the obligations set out in our data processing agreement published at https://www.recparenting.com/dpa/ (“DPA”). Our DPA incorporates the SCCs and provides the following information: 

  • description of our processing of customer personal data (Exhibit A); and 
  • description of our security measures (Exhibit B). 

Please refer to Exhibit A of our DPA for information on the nature of our processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects. 

A list of all of our sub-processors is published at https://www.recparenting.com/sub-processor-list/. 

We may transfer Customer personal data to the sub-processors listed below for the purpose of providing the Services to you. The countries to which Customer personal data will be transferred will depend upon: (i) the sub-processor used; (ii) the particular part of our Services used; and (iii) the location of the sub-processor providing this service on our behalf, and their own sub-processors.  

Details of all transfers of Customer personal data to sub-processors are set out in the table below: 

Name | Service | Location of sub-processor | Countries to which Customer personal data may be transferred 
A) Amazon Web Services Inc. | AWS hosting, backup and cloud storage services | USA | USA and any countries in which AWS’ sub-processors are located, as set out in the AWS sub-processor list 
B) Microsoft Corporation | Cloud file storage and project management services | USA | USA and any countries in which Microsoft’s sub-processors are located, as set out in the Microsoft sub-processor list 
C) Zoom Video Communications Inc. | Video conferencing services | USA | USA and any countries in which Zoom’s sub-processors are located, as set out in the Zoom sub-processor list 
D) Hostinger International Limited | Email and newsletter services | Cyprus | Any countries in which Hostinger’s sub-processors are located, as set out in the Hostinger sub-processor list 
E) Messagebird B.V. | In-app notifications and chat | The Netherlands | Any countries in which Messagebird’s sub-processors are located, as set out in the Messagebird sub-processor list 
F) The Rocket Science Group, LLC (Mailchimp) | Email services | USA | USA and any countries in which AWS’ sub-processors are located, as set out in the Mailchimp sub-processor list 

Step 2: Identify the transfer mechanism relied upon  

Where personal data originating from Europe is transferred to a sub-processor (including any of our group companies) the transfer mechanism set out in the table below is relied upon: 

Name | Transfer mechanism 
1. AWS Inc. | SCCs incorporated in the AWS Data Processing Addendum 
2. Microsoft Corporation | SCCs incorporated into the Microsoft DPA 
3. Zoom Video Communications Inc. | SCCs incorporated into the Zoom Data Processing Addendum 
4. Hostinger International Limited | None required, as the company is located within the EEA 
5. Messagebird B.V. | None required, as the company is located within the EEA 
6. The Rocket Science Group LLC (Mailchimp) | SCCs incorporated into the Mailchimp DPA 

1. AWS INC. 

Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer  

U.S. Surveillance Laws 

FISA 702 and Executive Order 12333 

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US: 

  • FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711. 
  • Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US.  In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US.  EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure. 

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling. 

Regarding FISA 702 the whitepaper notes: 

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” 
  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages. 

Regarding Executive Order 12333 the whitepaper notes: 

  • EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data. 
  • Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333. 

CLOUD Act 

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. 

The whitepaper notes: 

  • The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act. 
  • The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance. 

Are AWS subject to FISA 702 or EO 12333? 

AWS, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be an RCSP. However, AWS do not process personal data that is likely to be of interest to US intelligence agencies. 

Furthermore, AWS are not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. AWS do not provide internet backbone services, but instead only carry traffic involving their own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to target only providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers). 

EO 12333 contains no authorization to compel private companies (such as AWS) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that AWS process, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance. 

What is our practical experience dealing with government access requests? 

AWS publish an annual Transparency Report with information about government requests to access data.  To date, AWS have never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with Customer personal data. 

Therefore, while AWS may technically be subject to the surveillance laws identified in Schrems II, AWS have not been subject to these types of requests in their day-to-day business operations. 

Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data  

AWS provide the following technical measures to secure customer data: 

  • Data residency: AWS allow customers to choose a location within Europe where data is held at rest. Planned expansions to our data residency program (including data residency for apps and additional locations) are highlighted in our roadmap. 
  • Encryption: AWS offer data encryption at rest and in transit. 
  • Security and certifications: Additional information about AWS security practices and certifications are available in Annex II of the SCCs. 

AWS contractual measures are set out in our DPA which incorporates the SCCs. In particular, we are subject to the following requirements: 

  • Technical measures: AWS are contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the DPA and under the SCCs we enter into with customers, service providers, and between entities within our group). 
  • Transparency: AWS are obliged under the SCCs to notify Customers in the event we are made subject to a request for government access to Customer personal data from a government authority. In the event that we are legally prohibited from making such a disclosure, we will challenge such prohibition and seek a waiver. 
  • Actions to challenge access: Under the SCCs, AWS are required to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful. 

AWS organizational measures to secure customer data include: 

  • Policy for government access: To obtain data from us, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. 
  • Onward transfers: Whenever AWS share your data with our sub-processors, we remain accountable to you for how it is used. We require all sub-processors to undergo a thorough cross-functional diligence process to ensure our Customers’ personal data receives adequate protection. This process includes a review of the supplier’s security policies, measures, and third-party audits. 
  • Employee training: AWS provide data protection training to all of our staff. 

Step 5: Procedural steps necessary to implement effective supplementary measures  

In light of the information provided in this assessment document, including AWS’ practical experience dealing with government requests and the technical, contractual, and organizational measures we have implemented to protect Customer personal data, AWS consider that the risks involved in transferring and processing European personal data in/to the USA do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that individuals’ rights remain protected. Therefore, no additional supplementary measures are necessary at this time. 

Step 6: Re-evaluate at appropriate intervals  

We will review and, if necessary, reconsider the risks involved and the measures AWS have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe on a regular basis, and as a minimum once per calendar year. 

2. MICROSOFT CORPORATION 

Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer  

U.S. Surveillance Laws 

FISA 702 and Executive Order 12333 

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US: 

  • FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711. 
  • Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US.  In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US.  EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure. 

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling. 

Regarding FISA 702 the whitepaper notes: 

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” 
  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages. 

Regarding Executive Order 12333 the whitepaper notes: 

  • EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data. 
  • Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333. 

CLOUD Act 

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. 

The whitepaper notes: 

  • The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act. 
  • The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance. 

Microsoft is subject to FISA 702 and EO 12333. 

Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data  

Microsoft provide the following technical measures to secure customer data: 

  • Data residency: Microsoft allow customers to choose a location within Europe where data is held at rest. 
  • Encryption: Microsoft offer data encryption at rest and in transit. 
  • Security and certifications: Additional information about Microsoft security practices and certifications are available in Annex II of the SCCs. 

Microsoft contractual measures are set out in our DPA which incorporates the SCCs.  

Microsoft organizational measures to secure customer data include: 

Microsoft provides additional safeguards for the processing of personal data, within the scope of the GDPR and additional redress to data subjects to whom that personal data relates.  

  1. Challenges to Orders. In the event Microsoft receives an order from any third party for compelled disclosure of any personal data processed under their DPA, Microsoft shall: 
     a. use every reasonable effort to redirect the third party to request data directly from REC Parenting Limited; 
     b. promptly notify REC Parenting Limited, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying REC Parenting Limited, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to REC Parenting Limited as soon as possible; and 
     c. use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with applicable law of the European Union or applicable Member State law. 

If, after the steps described in a. through c. above, Microsoft or any of its affiliates remains compelled to disclose personal data, Microsoft will disclose only the minimum amount of that data necessary to satisfy the order for compelled disclosure. 

For the purposes of this section, lawful efforts do not include actions that would result in civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction. 

  2. Indemnification of Data Subjects. Subject to Sections 3 and 4 below, Microsoft shall indemnify a data subject for any material or non-material damage to the data subject caused by Microsoft’s disclosure of personal data of the data subject that has been transferred in response to an order from a non-EU/EEA government body or law enforcement agency in violation of Microsoft’s obligations under Chapter V of the GDPR (a “Relevant Disclosure”). Notwithstanding the foregoing, Microsoft shall have no obligation to indemnify the data subject under this Section 2 to the extent the data subject has already received compensation for the same damage, whether from Microsoft or otherwise. 
  3. Conditions of Indemnification. Indemnification under Section 2 is conditional upon the data subject establishing, to Microsoft’s reasonable satisfaction, that: 
     a. Microsoft engaged in a Relevant Disclosure; 
     b. the Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and 
     c. the Relevant Disclosure directly caused the data subject to suffer material or non-material damage. 

The data subject bears the burden of proof with respect to conditions a. through c. 

Notwithstanding the foregoing, Microsoft shall have no obligation to indemnify the data subject under Section 2 if Microsoft establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.  

  4. Scope of Damages. Indemnification under Section 2 is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Microsoft’s infringement of the GDPR. 
  5. Exercise of Rights. Rights granted to data subjects under the Microsoft DPA may be enforced by the data subject against Microsoft irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under the Microsoft DPA on an individual basis, and not as part of a class, collective, group or representative action. Rights granted to data subjects under the Microsoft DPA are personal to the data subject and may not be assigned. 
  6. Notice of Change. Microsoft agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from REC Parenting Limited and its obligations under the Microsoft DPA, the 2010 Standard Contractual Clauses, or the 2021 Standard Contractual Clauses, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Microsoft DPA or the Standard Contractual Clauses, it will promptly notify REC Parenting Limited of the change as soon as it is aware, in which case REC Parenting Limited is entitled to suspend the transfer of data and/or terminate the DPA. 

Step 5: Procedural steps necessary to implement effective supplementary measures  

Microsoft warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from REC Parenting Limited and its obligations under the Microsoft DPA, the 2010 Standard Contractual Clauses, or the 2021 Standard Contractual Clauses, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Microsoft DPA or the Standard Contractual Clauses, it will promptly notify REC Parenting Limited of the change as soon as it is aware, in which case REC Parenting Limited is entitled to suspend the transfer of data and/or terminate the DPA. 

Step 6: Re-evaluate at appropriate intervals  

REC Parenting Limited will review and, if necessary, reconsider the risks involved and the measures we have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA on a regular basis, and as a minimum once per calendar year. 

3. ZOOM VIDEO COMMUNICATIONS INC. 

Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer  

U.S. Surveillance Laws 

FISA 702 and Executive Order 12333 

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US: 

  • FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711. 
  • Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US.  In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US.  EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure. 

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling. 

Regarding FISA 702 the whitepaper notes: 

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” 
  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages. 

Regarding Executive Order 12333 the whitepaper notes: 

  • EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data. 
  • Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333. 

CLOUD Act 

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. 

The whitepaper notes: 

  • The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act. 
  • The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance. 

Zoom Video Communications Inc. is subject to FISA 702 and EO 12333. 

Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data  

Zoom minimises the collection of Website Data by only collecting strictly necessary information through cookies and similar technology on both its restricted and public access website by default. Visitors need to provide specific consent for additional data processing through other cookies by Zoom. 

To mitigate the risk and impact of unauthorized access to systems and the Webserver access logs, Zoom implements standards that are aligned to the following policy statements: 

  • Access to systems and data must only be granted to authorized users; 
  • Access to systems and data must be granted and remain commensurate with the principle of least privilege; 
  • Accountability and oversight must be established for system and user accounts; and 
  • Segregation of duties conflicts must be considered when authorizing access. 

To mitigate the risk and impact of improper access to the Webserver access logs, Zoom establishes standards that are aligned to the following policy statements: 

  • Secure authentication mechanisms and unique identifiers must be managed; 
  • Multi-Factor Authentication (MFA) must be employed, where feasible; 
  • Authentication mechanisms for the authentication of accounts must be replay-resistant; 
  • Approved methods must be used to validate the initial identity of account holders prior to being granted initial access via an authenticator mechanism; and 
  • Access to Zoom information systems must be managed over time to ensure active accounts are valid and assigned to legitimate personnel and services, and that privileges assigned to accounts are appropriate. 

Zoom’s SOC 2 Type II audit will include the Privacy Trust Principle for the 2022 cycle. 

EU EDU and Enterprise customers are automatically redirected to Zoom’s EU webservers when they log in. However, this EU data residency does not prevent access to the servers from the USA, because Zoom is a US-based company. 

EU website data are pseudonymous. Zoom recommends that admins use SSO if the Account Data are confidential. 

All traffic over the internet is protected by encryption in transit (SSL/TLS), however, IP addresses are always transferred in the clear. 

Step 5: Procedural steps necessary to implement effective supplementary measures  

In light of the information provided in this assessment document, no additional supplementary measures are necessary at this time. 

Step 6: Re-evaluate at appropriate intervals  

REC Parenting Limited will review and, if necessary, reconsider the risks involved and the measures we have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA on a regular basis, and as a minimum once per calendar year. 

4. THE ROCKET SCIENCE GROUP LLC (MAILCHIMP) 

Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer  

U.S. Surveillance Laws 

FISA 702 and Executive Order 12333 

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US: 

  • FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711. 
  • Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US.  In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US.  EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure. 

Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling. 

Regarding FISA 702 the whitepaper notes: 

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” 
  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages. 

Regarding Executive Order 12333, the whitepaper notes: 

  • EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data. 
  • Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333. 

CLOUD Act 

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. 

The whitepaper notes: 

  • The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act. 
  • The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance. 

The Rocket Science Group LLC (Mailchimp) is subject to FISA 702 and EO 12333. 

Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data  

Mailchimp has put a number of measures in place to ensure that European data remains protected when it’s transferred outside of Europe. 

Contractual commitments 

In addition to incorporating the SCCs, Mailchimp’s Data Processing Addendum also specifies its commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents, and more. 

Importantly, Mailchimp does not sell, rent, or trade user data. 

Security measures 

Mailchimp treats the privacy and security of its users’ data with paramount importance. Its security and privacy program is outlined in detail on its Security page. 

Here’s a summary of some of the important and specific technical and organizational measures Mailchimp has implemented (and will continue to implement) to safeguard against unauthorized access to user data: 

(1) Encryption 

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128-bit WPA2 encryption. Further, Mailchimp email (256-bit), all VPN connections (256-bit), and the internal chat application (256-bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API. 

(2) Access controls 

Mailchimp restricts third-party access to its internal tooling and infrastructure. Its legal team evaluates all requests for access, ensures that the request is appropriate for the work to be performed, and ensures that the third party follows all security and privacy provisions outlined in its contract. Once approved, Mailchimp only grants access through controlled accounts to clearly defined portions of the system. 

Mailchimp remains committed to maintaining the highest levels of privacy and security for its users. 

Vendor Agreements 

Mailchimp takes all steps necessary to ensure that its agreements with its third-party international vendors (including sub-processors) contain appropriate commitments from such third parties regarding the transfer and processing of European data outside Europe, and that Mailchimp implements an appropriate and lawful data transfer mechanism (such as the Standard Contractual Clauses) and additional safeguards as necessary. 

Mailchimp no longer relies on the Privacy Shield as a transfer mechanism for data transfers, given that the EU-US Privacy Shield and Swiss-US Privacy Shield are no longer valid as a result of the recent CJEU ruling in Schrems II. However, to the extent Mailchimp has ongoing obligations under its existing Privacy Shield Certification, it will continue to honour them, including honouring the direct rights of redress provided to individuals against Mailchimp, including a right to invoke binding arbitration. 

Step 5: Procedural steps necessary to implement effective supplementary measures  

In light of the information provided in this assessment document, no additional supplementary measures are necessary at this time. 

Step 6: Re-evaluate at appropriate intervals  

REC Parenting Limited will regularly, and at a minimum once per calendar year, review and, if necessary, reconsider the risks involved and the measures we have implemented, in order to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA. 

Registered in England & Wales. Company No.13460950. Registered office Salatin House, 19 Cedar Road, Sutton, SM2 5DA, United Kingdom
