Data Transfer Impact Assessment
Effective starting: December 1, 2023
Introduction
This Data Transfer Impact Assessment (“DTIA”) serves the purpose of assisting Crossbill customers in conducting a risk assessment for the transfer of personal data in connection with Crossbill’s provision of its Cloud Products, Support, and Services (together, “Services”), and subsequent processing of such personal data by Crossbill, its Affiliates and sub-processors in light of the “Schrems II” ruling of the Court of Justice for the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with data transfer provisions under the European Data Protection Law.
As a provider of global services, Crossbill runs its services with common operational practices and features across multiple jurisdictions. Therefore, we store personal data in data centers located in the United Kingdom, the United States, EMEA, and APAC, and process it in other locations worldwide for the provision of products, features, as well as customer and technical support purposes.
Under the European Data Protection Laws, personal data may not be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”
Crossbill uses the Standard Contractual Clauses between Crossbill and its customers as its transfer mechanism, as follows:
- Where personal data protected by the GDPR is transferred to Crossbill outside of Europe, Crossbill relies upon the EU Standard Contractual Clauses (SCCs) to provide an appropriate safeguard for the transfer. Under the SCCs, our Customers are acting as the "Data Exporter" and Crossbill is the "Data Importer".
- Where personal data is protected by the UK Data Protection Law, Crossbill relies on the UK Addendum in accordance with the ICO guidance from 2022. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
- Where personal data protected by the Swiss Federal Act on Data Protection is transferred to Crossbill outside of Europe, Crossbill relies upon the EU SCCs plus certain interpretative provisions to make the SCCs work for Switzerland's legal regime.
Scope of the Data Transfer Impact Assessment
Please note that the processing locations depend on which Cloud Products you as a customer may have purchased, e.g., if you have purchased Crossbill Cone Cloud, the relevant sub-processors and processing locations may be different (as listed under our sub-processor page) from the sub-processors and locations applicable for Crossbill Bone Cloud or Crossbill Nest Cloud. Additionally, you may also configure data residency for certain data in those Cloud Products, which could further reduce the scope of transfers indicated on this page. Therefore, please review the sub-processor page in connection with the Cloud Products you have purchased in order to draw relevant information from this document.
The Crossbill DTIA is scoped to cover direct and onward data transfers in connection with Crossbill’s provision of Services.
Crossbill processes personal data in a number of jurisdictions, which includes transferring the data out of Europe/EEA, the UK, and Switzerland (together, “Europe”) to both countries holding adequacy status under the European Data Protection Laws (as defined in Crossbill’s Data Processing Addendums) and third countries, as outlined below:
Europe/EEA and Adequate Countries | United Kingdom |
Third Countries | Australia |
Our analysis of transfers to third countries is described below. Please note that the transfers apply to all Crossbill Services:
Australia
Purpose for transfer and any further processing |
Direct transfers: Crossbill has offices in Australia where our employees may access personal data for the purposes of the provision of Services. Onward transfers: Crossbill transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as further outlined in our sub-processor page. |
The frequency of the transfer |
Direct transfers: Continuous. Onward transfers: Continuous. |
Categories of personal data transferred |
Direct transfers: User Account Information, for example:
Personal Identification, for example:
Employment Information, for example:
Payment and billing information, to the extent it includes personal data. Personal data included in user generated content. Device and connection information, for example:
Personal data provided through various Crossbill support channels, including for example Crossbill ID, username, contact information and any personal data contained within a summary of the problem experienced or information needed to resolve the support case. Onward transfers: Please refer to Crossbill's sub-processor page for more information. |
Sensitive data transferred (if applicable) |
Direct transfers: Determined at the sole discretion of the data exporter. Onward transfers: Determined at the sole discretion of the data exporter. |
Length of processing chain |
Onward transfers: Please refer to Crossbill's sub-processor page. |
Applicable transfer mechanism |
Direct transfers: Standard Contractual Clauses between Crossbill and its customers. Onward transfers: Standard Contractual Clauses between Crossbill and its sub-processors. Crossbill imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws. |
Identifying laws and practices relevant in light of all circumstances of the transfer |
Australia has various laws, legislation and executive powers that could be used to compel companies to disclose personal data, or that provide for investigation and enforcement agencies to obtain data where there is a suspected contravention. A high-level summary of several of the key laws is provided below:
For aspects of each of the above laws, there are potential extra-territorial powers that could theoretically compel those outside of Australia to assist in the investigative process. However, in practice, it is highly unlikely that law enforcement and surveillance authorities will be able to do so without operating through existing bilateral processes, such as mutual legal assistance treaties. In practice, it can be difficult to determine how governmental authorities use all of their powers to conduct surveillance and collect data (and therefore whether it involves unnecessary or disproportionate data access in any circumstances) because in several cases, government authorities are not required to publicly report on when and how they use these powers (although independent oversight and review, including reporting to independent statutory authorities, is embedded throughout the surveillance legislation framework). In addition, not all requests for access to data and surveillance are currently subject to prior independent judicial authorization, although a process for review and reform of Australia’s surveillance laws has commenced and this may change in the future. |
Supplemental Measures
In order to protect personal data in accordance with Applicable Data Protection Laws, Crossbill implements the following supplemental technical, contractual, and organizational measures:
Technical Measures |
Crossbill provides the following technical measures to provide additional security for personal data:
|
Contractual Measures |
Crossbill’s contractual measures are set out in accordance with the SCCs, as well as the UK Addendum and the Swiss modifications to the SCCs. In particular, we are subject to the following requirements:
|
Organizational Measures |
Crossbill’s organizational measures to secure data include:
|
Re-evaluating at appropriate intervals
Crossbill will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Crossbill product offerings, services, and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Crossbill and its affiliates, suppliers, or licensors. The responsibilities and liabilities of Crossbill to its customers are controlled by Crossbill agreements, and this document is not part of, nor does it modify, any agreement between Crossbill and its customers, or Crossbill developers.