Data Transfer Impact Assessment

Effective starting: December 1, 2023

Introduction

This Data Transfer Impact Assessment (“DTIA”) serves the purpose of assisting Crossbill customers in conducting a risk assessment for the transfer of personal data in connection with Crossbill’s provision of its Cloud Products, Support, and Services (together, “Services”), and the subsequent processing of such personal data by Crossbill, its Affiliates and sub-processors, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with the data transfer provisions under European Data Protection Law.

As a provider of global services, Crossbill runs its services with common operational practices and features across multiple jurisdictions. Therefore, we store personal data in data centers located in the United Kingdom, the United States, EMEA, and APAC, and process it in other locations worldwide for the provision of products, features, as well as customer and technical support purposes.

Under the European Data Protection Laws, personal data may not be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”

Crossbill relies on the Standard Contractual Clauses between Crossbill and its customers as this transfer mechanism, as follows:

  • Where personal data protected by the GDPR is transferred to Crossbill outside of Europe, Crossbill relies upon the EU Standard Contractual Clauses (SCCs) to provide an appropriate safeguard for the transfer. Under the SCCs, our Customers are acting as the "Data Exporter" and Crossbill is the "Data Importer".
  • Where personal data is protected by UK Data Protection Law, Crossbill relies on the UK Addendum in accordance with the ICO guidance from 2022. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
  • Where personal data protected by the Swiss Federal Act on Data Protection is transferred to Crossbill outside of Europe, Crossbill relies upon the EU SCCs plus certain interpretative provisions to make the SCCs work for Switzerland's legal regime.

Scope of the Data Transfer Impact Assessment

Please note that the processing locations depend on which Cloud Products you as a customer have purchased; e.g. if you have purchased Crossbill Cone Cloud, the relevant sub-processors and processing locations (as listed on our sub-processor page) may differ from the sub-processors and locations applicable to Crossbill Bone Cloud or Crossbill Nest Cloud. Additionally, you may also configure data residency for certain data in those Cloud Products, which could further reduce the scope of transfers indicated on this page. Therefore, please review the sub-processor page for the Cloud Products you have purchased in order to draw the relevant information from this document.

The Crossbill DTIA is scoped to cover direct and onward data transfers in connection with Crossbill’s provision of Services.

Crossbill processes personal data in a number of jurisdictions, which includes transferring the data out of Europe/EEA, the UK, and Switzerland (together, “Europe”) to both countries holding adequacy status under the European Data Protection Laws (as defined in Crossbill’s Data Processing Addendums) and third countries, as outlined below:

Europe/EEA and Adequate Countries: United Kingdom
Third Countries: Australia

Our analysis of transfers to third countries is described below. Please note that the transfers apply to all Crossbill Services:

Australia

Purpose for transfer and any further processing

Direct transfers: Crossbill has offices in Australia where our employees may access personal data for the purposes of the provision of Services.

Onward transfers: Crossbill transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Continuous.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers:

User Account Information, for example:

  • Crossbill identifier associated with user account
  • About Me
  • Avatar Image and URL
  • Full name
  • Email address
  • Time zone

Personal Identification, for example:

  • IP address
  • Cookie information
  • Language setting
  • Location/ Region/ City
  • Phone numbers
  • Screen name/ Handle/ Nickname

Employment Information, for example:

  • Job title / role
  • Office / location
  • Company/organization

Payment and billing information, to the extent it includes personal data.

Personal data included in user generated content.

Device and connection information, for example:

  • IP address
  • Cookie information
  • Device information
  • Browser information

Personal data provided through various Crossbill support channels, including for example Crossbill ID, username, contact information and any personal data contained within a summary of the problem experienced or information needed to resolve the support case.

Onward transfers: Please refer to Crossbill's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Determined at the sole discretion of the data exporter.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Crossbill's sub-processor page.

Applicable transfer mechanism
Direct transfers: Standard Contractual Clauses between Crossbill and its customers.

Onward transfers: Standard Contractual Clauses between Crossbill and its sub-processors. Crossbill imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Australia has various laws, legislation and executive powers that could be used to compel companies to disclose personal data, or that provide for investigation and enforcement agencies to obtain data where there is a suspected contravention. A high-level summary of several of the key laws is provided below:

  • Crimes Act 1914 (Cth) and the Criminal Code Act 1995 (Cth), which permit government agencies to collect both electronic and physical data where there are reasonable grounds to believe there is a criminal offense.

  • Surveillance Devices Act 2004 (Cth) and equivalent state and territory laws that grant authorities covert access to electronic and physical data.

  • Telecommunications (Interception and Access) Act 1979 (Cth) and Part 15 of the Telecommunications Act 1997 (Cth), which grant government bodies powers to oblige telecommunications carriers, carriage service providers, and other communications providers to assist law enforcement and intelligence agencies.

For aspects of each of the above laws, there are potential extra-territorial powers that could theoretically compel those outside of Australia to assist in the investigative process. However, in practice, it is highly unlikely that law enforcement and surveillance authorities will be able to do so without operating through existing bilateral processes, such as mutual legal assistance treaties. In practice, it can be difficult to determine how governmental authorities use all of their powers to conduct surveillance and collect data (and therefore whether it involves unnecessary or disproportionate data access in any circumstances) because in several cases, government authorities are not required to publicly report on when and how they use these powers (although independent oversight and review, including reporting to independent statutory authorities, is embedded throughout the surveillance legislation framework). In addition, not all requests for access to data and surveillance are currently subject to prior independent judicial authorization, although a process for review and reform of Australia’s surveillance laws has commenced and this may change in the future.

Supplemental Measures

In order to protect personal data in accordance with Applicable Data Protection Laws, Crossbill implements the following supplemental technical, contractual, and organizational measures:

Technical Measures

Crossbill provides the following technical measures to provide additional security for personal data:

  • Data residency: Crossbill allows customers to pin in-scope product content at rest to a location.
  • Encryption: Crossbill offers data encryption at rest and in transit.
  • Security and certifications: We have a formal security management program and we review our Information Security Management Program (ISMP) on an annual basis. Additional information about Crossbill’s security practices and certifications is available in the Crossbill DPA.

Contractual Measures

Crossbill’s contractual measures are set out in accordance with the SCCs, as well as the UK Addendum and the Swiss modifications to the SCCs. In particular, we are subject to the following requirements:

  • Technical measures: Crossbill is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Customer DPA and under the SCCs we enter into with customers, service providers, and between entities within the Crossbill group).
  • Transparency: Crossbill is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that Crossbill is legally prohibited from making such a disclosure, Crossbill is contractually obligated to challenge such prohibition and seek a waiver.
  • Actions to challenge access: Under the SCCs, Crossbill is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.

Organizational Measures

Crossbill’s organizational measures to secure data include:

  • Policy for government access: Crossbill follows Crossbill Guidelines for Law Enforcement Requests in responding to any government requests for data. To obtain data from Crossbill, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.
  • Onward transfers: Whenever we share your data with Crossbill service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers' personal data receives adequate protection. This process includes a review of the data Crossbill plans to share with the service provider and the associated level of risk, the supplier’s security policies, measures, and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our sub-processors page.
  • Privacy by design: Crossbill’s Privacy Principles outline Crossbill’s approach to privacy.
  • Employee training: Crossbill provides data protection training to all Crossbill staff globally.

Re-evaluating at appropriate intervals

Crossbill will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.

Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Crossbill product offerings, services, and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Crossbill and its affiliates, suppliers, or licensors. The responsibilities and liabilities of Crossbill to its customers are controlled by Crossbill agreements, and this document is not part of, nor does it modify, any agreement between Crossbill and its customers, or Crossbill developers.