UpGuard Transfer Impact Assessment

UpGuard, Inc. processes personal data of users from the European Economic Area, United Kingdom, and Switzerland (“European Personal Data”) governed by European data protection laws as a data controller under its Data Processing Addendum ("DPA") available here.

UpGuard transfers European Personal Data as a "data importer" under the most up-to-date version of the Standard Contractual Clauses ("SCCs"). In light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board, UpGuard has conducted an analysis of all applicable laws and regulations in order to understand the potential risks that could threaten the security of European Personal Data outside of Europe.

Know your transfers

UpGuard’s DPA provides a description of the processing of European Personal Data in Exhibit A including categories of data subjects, frequency of transfers, nature and purpose of data transfers and further processing.

Categories of data subjects whose personal data is transferred:
  • Customers
  • Authorized Users
  • Vendors

Categories of personal data transferred:
  • Business contact details including name, job title or position, business physical address, business email address, and business phone numbers of employees and representatives authorized to use the Services.
  • Invoicing and payment details.
  • Credit card details and billing information where collected through our third-party PCI compliant service provider.
  • Records of customer’s use of our Services.
  • Prospective customer’s business contact details, including name, job title or position, business physical address, business email address, and business phone number of employees and representatives.

Sensitive data transferred:
  • To the parties’ knowledge, no sensitive data is transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
  • Personal data is transferred in accordance with the standard functionality of the technology used by the parties, or as otherwise agreed upon by the parties, and may be one-off or continuous based on the nature of the data and processing required.

Nature of the processing:
  • Providing and improving the services.
  • Other activities described in the Privacy Policy.

Purpose(s) of the data transfer and further processing:
  • Providing and improving the services.
  • Other activities described in the Privacy Policy.

UpGuard may further transfer European Personal Data to its affiliates or subcontractors outside of Europe; the list of those affiliates and subcontractors is available here.

Identify transfer tools to be relied on

UpGuard transfers European Personal Data as a "data importer" to the United States in compliance with the SCCs. When European Personal Data is transferred to one of its subcontractors outside of Europe, UpGuard enters into a controller to processor DPA with the SCCs.

Assess if anything in the law or practice of the third country impinges on effectiveness of appropriate safeguards

United States

UpGuard is subject to several surveillance laws in the United States (“US”) which have been perceived as potential obstacles to ensuring protection of European Personal Data in the US. The US government prepared a white paper in response to the Schrems II ruling with guidance for companies transferring personal data from the European Union (“EU”) to the US. The discussion includes those potential obstacles that were identified in Schrems II.

  • Data Transfer Impact Assessment Summary – EO 12333 and FISA Section 702 Likely Do Not Apply. The processing that UpGuard (and its subprocessors) engage in under the agreement is likely not subject to Executive Order 12333 or FISA Section 702. As a result, transfers to UpGuard and its subprocessors in the United States are likely permitted pursuant to the EDPB Recommendations on Supplementary Measures.
  • Executive Order 12333 Likely Does Not Apply. Executive Order 12333 governs how United States’ intelligence agencies carry out surveillance outside the United States with respect to non-U.S. persons to whom the United States Constitution and laws do not apply. Executive Order 12333 likely has limited to no relevance to transfers of EEA, Swiss, or UK personal data to the United States as it generally applies to surveillance activities that are conducted wholly outside of the United States. Accordingly, it’s unlikely that Executive Order 12333 would apply to transfers of personal data to UpGuard or its subprocessors to or within the United States.
  • FISA Section 702 Likely Does Not Apply. FISA Section 702 (codified at 50 U.S.C. § 1881a) permits the United States government to conduct certain surveillance of non-US persons located outside of the United States through compelled assistance of electronic communication service providers. Surveillance under FISA Section 702 is restricted to specific areas of national defense, national security, and the conduct of foreign affairs, with an emphasis on international terrorism, sabotage, the proliferation of weapons of mass destruction, and other grave hostile acts.
  • FISA Section 702’s Limited Scope – Only Foreign Intelligence Information. Specifically, FISA Section 702 only permits targeting of individuals where a significant purpose is to obtain “foreign intelligence information.”

When acquired from a non-U.S. person, “foreign intelligence information” can generally be thought of as information which relates to the United States’ foreign affairs with, or national defense against, a “foreign power” or “foreign territory”, or the United States’ ability to protect against serious attacks of a “foreign power.”

  • UpGuard Likely Will Not Process Foreign Intelligence Information. The transfers of EEA, Swiss, and UK personal data to UpGuard and its subprocessors in the United States will primarily consist of name, business email address, and information about how UpGuard’s service is used. This personal data likely will not meet the definition of “foreign intelligence information” under FISA Section 702.

A white paper published by the United States Department of Commerce, the United States Department of Justice, and the United States Office of the Director of National Security supports this view and states, “[c]ompanies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.”

To date, UpGuard has not received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with any European Personal Data; however, UpGuard has processes in place to respond to these requests. UpGuard requires a subpoena or its equivalent before disclosing any European Personal Data. Prior to submitting the response, UpGuard’s legal team reviews the demands to ensure they are valid and only provides the European Personal Data specified in the legal order.

In light of the above, UpGuard likely will not process “foreign intelligence information” and therefore UpGuard’s (and its subprocessors’) processing of EEA, Swiss, and/or UK personal data under the agreement likely is not subject to FISA Section 702.

  • Conclusion: Transfers of Personal Data to UpGuard and its Subprocessors in the United States are Likely Permitted. Transfers of EEA, Swiss, and/or UK personal data to UpGuard or its subprocessors in the United States will be supported by the EU Standard Contractual Clauses. Even though the CJEU held in Schrems II that Executive Order 12333 and FISA Section 702 are “problematic legislation”, UpGuard has demonstrated and documented that it has no reason to believe that these problematic laws will be interpreted and/or applied in practice so as to cover the transfer of EEA, Swiss, and/or UK personal data to UpGuard or its subprocessors in the United States. As a result, transfers of EEA, Swiss, and/or UK personal data to UpGuard and its subprocessors in the United States are likely permitted pursuant to the EDPB Recommendations on Supplementary Measures.

Identify and adopt effective supplemental measures

UpGuard implements the technical and organizational measures set out in the Security exhibit to our DPA to protect an individual’s privacy rights. Given the entirety of circumstances surrounding international data transfers, including UpGuard’s minimal processing of personal data, UpGuard has determined that the risks involved in transferring European Personal Data to the United States do not impinge on the effectiveness of the SCCs, UpGuard’s compliance with the SCCs, or the protection of an individual data subject’s rights.

Re-evaluate at appropriate intervals

UpGuard will regularly monitor legal developments in the United States (and any other country added in the future) in order to ensure that the security levels for the European Personal Data remain adequate.

Resources

Schrems II ruling

EDPB Guidance in light of Schrems II ruling

US Privacy Safeguards for EU-US data transfers post-Schrems II

Last updated: April 25, 2023
