Data Transfer Impact Assessment
Purpose of this Document
This document provides information to help Accredible’s customers conduct Data Transfer Impact Assessments (“DTIA”) in connection with their use of our platform in light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board.
In particular, this document describes the safeguards Accredible puts in place in connection with transfers of customer data from the European Economic Area or United Kingdom (“Europe”), Accredible's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs"), and the legal regimes applicable to Accredible in the US.
Accredible is an industry-leading full service digital credentialing solution for creating, issuing, and managing secure digital certificates and badges. Our digital credentials allow you to track recipient engagement to see shares, generate additional traffic to your webpage, and still allow students to save and print a PDF for their wall at home. We help you validate and grow skills and capabilities across the organization, while simultaneously inspiring your learners to showcase and celebrate their accomplishments.
We take data privacy and security very seriously, which is why we incorporate privacy principles by design and by default. As a data processor to our customers, Accredible does not determine or control the type of data transmitted to our system or how it is used. With Accredible, customers have ownership and control over their customer data, enabling them to determine where their data will be stored and what data is shared. Our platform allows customers to manage, modify, delete, and retrieve their data at any time, ensuring they have complete visibility and control. Our technical and organizational privacy measures ensure our customers’ data is only used in the manner they intended.
1. Description of the Transfer
- Purpose of transfer: Data is transferred to Accredible by our customers in order to provide our cloud-based services for the design, issuance, administration and monitoring of digital certificates and badges using Accredible’s online platform.
- Frequency of transfer: Data is transferred continuously as a result of our customer’s use of the Service or as directed by the customer.
- Categories of data subjects: The customer’s end users, such as employees, students, or others for whom the customer wishes to create, issue, and manage certificates/accreditations, and the customer itself.
- Categories of personal data transferred, including sensitive data (if applicable): Customer’s data subjects: Personal data processed in connection with providing the Service may include name, email, location, and information on individual performance for the certificate/accreditation to be granted. Accredible is unaware of any sensitive data transferred in relation to the Service.
Customer: Account and business contact information of our customers in order to provide and manage the customer’s account, such as name, contact number and email address. Accredible is unaware of any sensitive data transferred in relation to the Service.
- Duration of processing: The data is retained and processed during the customer’s right to use the service and until the data is retrieved or deleted in accordance with the Data Protection Addendum entered into between Accredible and customer.
- Location and applicable transfer mechanism: Our customers have the ability to isolate their data within specified geographical regional servers at account creation for greater security and transfer control. Accredible’s production services are hosted on Amazon Web Services (“AWS”) platform while our physical EU and US regional servers are located in AWS’s data centers. More information regarding our EU region and US region data centers can be found here.
For transfers from Europe, we rely on Data Processing Agreements (“DPA”) incorporating the new European Commission-approved SCCs for enabling international transfers to the United States, which we enter into with all customers. The details of our DPA can be found in the Accredible DPA, which is incorporated in our Terms of Service.
- Onward transfers: Accredible shares data with third party service providers acting as our subprocessors to support Service functions such as customer and technical support, Service maintenance, and other operations. Any subcontractors Accredible transfers data to will have entered into written agreements with Accredible that are no less protective than the Accredible DPA. A complete list of our subprocessors is included in the Accredible DPA.
2. Safeguards in Place to Protect Customer Data
- Encryption In-Transit: Accredible uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web properties and apps and the Accredible servers. There is no non-TLS option for connecting to Accredible. All connections are made securely over HTTPS.
- Encryption At-Rest: Data drives on servers holding customer data use full-disk, industry-standard AES encryption with a unique encryption key for each server. The encryption, key management, and decryption processes are inspected and verified internally by AWS regularly as part of their existing audit process. All Accredible backups are encrypted with AES encryption.
- Certifications and Audits: We have attained System and Organization Controls (SOC) 2 Type II certification through a third-party auditor. The SOC2 report validates that Accredible meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security. In addition, we receive and review our data hosting providers’ SOC2 reports every 12 months under NDA. Our data center provider maintains certification and compliance (as of this date), with ISO27001, SOC2 Type II, and many other certifications.
- Vulnerability Detection and Penetration Testing: Automated scans of Accredible's production websites are performed at least every 7 days. All changes are peer-reviewed, and vulnerability and security lists are actively monitored for CVE and other vulnerability disclosures with appropriate actions. Annual black-box penetration tests are carried out upon Accredible web properties and APIs by a reputable third party.
- Production Environment: We maintain separate and distinct production, staging, and development environments. To access Accredible's production environment, authorized and trained members of our support team and select Engineering team members (“Authorized Personnel”) authenticate to the VPN using unique, strong passwords and 2FA, and then only access the production environment via SSH terminal connections using RSA certificates. For Authorized Personnel, any workstations running Windows or macOS must be running current and active anti-virus software.
- Corporate Environment and Removable Media: Strict firewall rules restrict access to the ports necessary for the usage of Accredible (e.g., 443), limiting access to the production environment to our VPN network and authorized systems. Our corporate network has no additional access to the production environment; Authorized Personnel are required to connect to the VPN to access any special systems or environments.
- Multi-tenancy: We have adopted a multi-tenancy model to ensure that one customer’s data is never available to another customer. Customer data separation is logical. Each customer is assigned a unique ID and customer data is separated by this ID.
- Personnel Security and Access Control: All Accredible employees and contractors go through background screening, including criminal, credential and identity checks and are bound by privacy and confidentiality obligations as part of their employment contract. Further, all employees are required to go through security and privacy training. Only Authorized Personnel have access to Accredible's production systems and customer data is only accessible on a need-to-know basis.
Accredible maintains a list of all Authorized Personnel with access to the production environment; each must first undergo a criminal background check and be approved by Accredible's Engineering management team. Accredible also maintains a list of employees who are permitted to access Accredible code and the development and staging environments. These lists are reviewed at least annually and upon role change.
Trained members of the Accredible customer support teams also have case-specific, limited access to user data stored in Accredible through restricted access customer support tools. Upon role change or leaving the company, all access credentials of the employee are deactivated and/or removed, and their sessions are forcibly logged out.
- Event Logging: Certain customer actions which manipulate customer data are recorded within Accredible and are available to the customer via the dashboard in an audit log. All Accredible API calls and application logs are kept for our internal purposes for at least 30 days. They are available only to authorized employees, as required by their role, for monitoring Accredible to ensure service availability and performance and to prevent abuse.
Application logs for Accredible are centrally collected in LogDNA for a minimum of 30 days for monitoring and analysis, after which they are retained in S3 buckets. Security, authentication, and Intrusion Detection System (IDS) logs for Accredible are additionally retained in S3 CloudWatch buckets with a 12-month lifecycle to ensure retention.
- Contractual Measures: Our contractual measures are set out in the DPA we enter into with each of our customers. We are obligated under the SCCs (incorporated within the DPA) to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority.
- Anti-Virus: Accredible only uses OS X, macOS, and UNIX-based computers. Accredible makes use of several approaches to reduce the risk of incidents on individual computers:
Anti-malware: All Apple computers use XProtect and Gatekeeper to monitor and prevent unauthorized application usage and vulnerabilities. More information: https://support.apple.com/en-gb/guide/security/welcome/web
Access control: Admin privileges for particular computers are only provided on a needs basis and are assigned, monitored, and managed via our access control policy.
Updates: We require that all security patches must be installed within one month of becoming available, as a minimum.
- Security Awareness and Confidentiality: Security awareness and customer data access policies are covered during our employee onboarding as appropriate to the role, and employees are updated on relevant policies or practice changes. Our employees are also required to sign a confidentiality agreement upon employment.
3. Data Subject Rights and Access Requests
- Data Subject Access Request: When operating as a processor, Accredible ensures that customers (the data controllers) have full access to the personal data of their data subjects and the ability to fulfill data subject requests when those subjects exercise their rights under the GDPR. We do so in a manner consistent with the functionality of the product and our role as a processor. If we receive a request from the customer's data subjects to exercise one or more of their rights under the GDPR, we redirect the data subject to make the request directly to the customer.
- Data Subject Rights re US Government Access Requests: Several US statutes authorize individuals of any nationality (including citizens within the EEA, UK, or Switzerland) to seek redress in US courts for unlawful violations of US surveillance laws (addressed more fully below), including the right to seek compensation for violations. Individuals may also challenge unlawful US government access requests, and Accredible will provide assistance and cooperation to enable any affected data subject to exercise individual rights where appropriate to do so.
4. U.S. Surveillance Laws and Response Protocols
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA702”): FISA702 allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. In-scope providers subject to FISA702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP") as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO12333"): EO12333 authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire, and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
What does this mean for Europe/US data transfers?
The U.S. government, in response to Schrems II, prepared a White Paper providing information about privacy protections in current U.S. law and practices relating to government access to data for national security purposes in order to provide clarity for companies transferring personal data from the EU to the United States. To summarize some of the key points, the White Paper notes:
- For most companies, concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
- EO12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO12333 must rely on a statute, such as FISA702, to collect data.
- Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO12333.
Is Accredible likely impacted by FISA702 or EO12333?
Like most US-based SaaS companies, Accredible could technically be subject to FISA702 or EO12333. However, we have not been subject to any FISA702 or EO12333 requests in the past and believe the risk of access to customer data is low. Here is why:
- FISA702: The term "electronic communications service provider" is defined broadly to include telecommunications carriers, providers of electronic communications services and remote computing services, as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage). Accredible neither provides internet backbone services nor is a telecommunications carrier. However, the definition of an RCSP is broad enough that it could potentially capture any company that sends and receives electronic communications, regardless of the company's primary business or function.
While AWS (our subcontractor) is considered to be an RCSP and is technically subject to FISA702, our DPA with AWS requires them to notify us in case of access by public authorities. Even so, we do not process personal data that is likely to be of interest to US intelligence agencies.
The Accredible platform was designed with security and compliance in mind to reduce the risk of access to your data. On top of this, we are committed to assist our customers in preventing, limiting, and handling such requests through additional contractual steps as outlined in our DPA.
- EO12333: EO12333 contains no authorization to compel private companies (such as Accredible) to disclose personal data to US authorities, and FISA702 requires an independent court to authorize a specific type of foreign intelligence data acquisition, which is generally unrelated to commercial information.
How have we dealt with such requests?
Accredible has not been subject to these types of requests in our business operations. However, we are committed to protecting our customers’ data and have outlined a response policy in the event we do receive such a request.
Our position and response policy re government access requests
At Accredible, we believe that transfers of personal data by data exporters to Accredible (as the data importer) do not undermine the protections afforded to data subjects by the SCCs, the GDPR, and the agreement between Accredible and its customers. This is because Accredible is committed to protecting our customers’ and end users’ privacy and will only produce customer data to governments in response to valid and lawful requests, in accordance with relevant legal policies. Our protocol for all geographic areas:
- Government requests must be issued under applicable laws and regulations and through official channels, including requiring a signed official document or an email request sent from a government entity’s official email address.
- Each request must be explicit, not overly broad, and have a valid legal basis. We will reject or challenge requests that do not meet these requirements.
- We will apply additional scrutiny to certain government requests for user information based on our principles and interest in promoting successful collaboration worldwide.
- If a request is too vague, we will challenge the validity of the request to minimize the spectrum of information submitted.
We will work to notify the customer of any governmental requests for information, including a copy of the request received unless legally prohibited. Requests for exceptions to customer notification must include a description of the exigent circumstances or notification’s potential adverse result.
5. Conclusion: No Supplementary Measures Necessary
In consideration of the information provided in this document, it is Accredible’s view that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs or to ensure that the rights and freedoms of individuals remain protected. Therefore, in our opinion, no additional supplementary measures are necessary at this time.
6. Re-Evaluation: As Appropriate
Accredible will review, and if necessary reconsider, the risks involved and the measures implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
Last Updated: August 12, 2022
Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Accredible product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Accredible and its affiliates, suppliers, or licensors. The responsibilities and liabilities of Accredible to its customers are controlled by Accredible service agreements, and this document is not part of, nor does it modify, any agreement between Accredible and its customers.