Last Update: September 29, 2021
COMPLIANCE WITH EUROPEAN UNION DATA TRANSFER REQUIREMENTS & THE NEW STANDARD CONTRACTUAL CLAUSES
Khoros is committed to protecting the data that you entrust to us and safeguarding the transfer of personal data transferred from the European Union (EU), European Economic Area (EEA) and United Kingdom (UK) to our facilities and subprocessors in the United States (US) and other countries.
The Legal Landscape for Personal Data Transfer
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II). The CJEU held that US laws do not ensure an essentially equivalent level of protection for personal data compared to the EU, citing the breadth of US surveillance programs (particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333). Consequently, the court invalidated Privacy Shield (a certification program through the US government for data transfers from the EU to the US). Although the CJEU noted some concerns with the Standard Contractual Clauses (SCCs) as a means to transfer European personal data, the CJEU maintained the SCCs’ validity so long as there were effective mechanisms in place to ensure an “essentially equivalent level of protection.”
Nearly a year later, on June 4, 2021, the European Commission finalized and adopted a new set of standard contractual clauses (“New SCCs”). The New SCCs replace prior versions of the SCCs (the “Old SCCs”). The New SCCs contain additional requirements aimed at addressing the concerns raised in Schrems II.
Although the New SCCs address concerns announced in Schrems II, on June 18, 2021, the European Data Protection Board (EDPB) adopted final recommendations on supplementary technical and organizational measures to supplement transfer tools and ensure compliance with EU data protection requirements (the “EDPB Recommendations”).
Finally, due to the ruling in Schrems II and Brexit, on August 11, 2021, the UK Information Commissioner’s Office (ICO) launched a consultation on its draft international data transfer agreement (IDTA) and guidance for organizations on international transfers (Guidance). Once finalized, the IDTA will replace the Old SCCs in the UK. The New SCCs do not apply in the UK. As such, Khoros will continue to rely on the Old SCCs for UK Customers until the UK publishes its IDTA. Khoros will update its agreements and documentation once the UK finalizes its IDTA and Guidance.
Khoros Agrees to Be Bound By The New SCCs
If applicable to a particular Customer, Khoros agrees to be bound by the New SCCs. For new Customers, it will enter into the New SCCs as of September 27, 2021, and for existing Customers, it will transition from the Old SCCs to the New SCCs within the transition period, but no later than December 27, 2022.
Neither Section 702 Nor EO 12333 Apply To Khoros’s Data Transfers
Khoros, in consultation with its Legal Department, Data Protection Officer, and outside counsel, has determined that Section 702 and EO 12333 do not practically apply to its data transfers. First, Khoros does not provide internet backbone services. Second, the personal data Khoros processes is highly unlikely to be relevant to the foreign intelligence or surveillance activities governed by Section 702 and EO 12333, given that Khoros processes public data and data relating to consumer interactions with consumer brands. To underscore these points, Khoros has never received a FISA or EO 12333 request. That said, even though Khoros deems Section 702 and EO 12333 almost irrelevant to our business, we have nonetheless chosen to provide supplementary technical and organizational measures to protect our data transfers.
Supplementary Measures Khoros Uses Alongside SCCs To Protect EU Personal Information
| Supplemental Measure | Description of What Khoros Does |
|---|---|
| Measures of pseudonymisation and encryption of personal data | We use a variety of masking and redaction technologies in our platforms. Where appropriate, sensitive data is masked from unauthorized users or redacted from our data set. We also use encryption to protect the data sets and data transfers. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | We use firewalls, access control lists, and Identity Access Management systems to limit access to processing systems and services. We use Web Application Firewalls and Intrusion Detection Systems to protect processing systems and services. We have denial of service protections to assure availability. We have multiple availability zones to improve resilience. We make regular backups to assure the integrity of the data. We conduct annual Disaster Recovery tests. We employ application-level monitoring to detect if systems operate outside of normal parameters. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | We back up data at least once per day. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | We conduct regular Static Security Scans of all source code. We complete an annual SOC 2 audit. |
| Measures for user identification and authorization | We support the integration of any SAML 2.0 compliant Single Sign-On system. |
| Measures for the protection of data during transmission | All data is encrypted in transit using TLS 1.2. |
| Measures for the protection of data during storage | All data is encrypted at rest using AES 256. |
| Measures for ensuring events logging | All application and infrastructure related security events are captured in our log aggregation system and are reviewed daily. |
| Measures for ensuring system configuration, including default configuration | We use automation to assure that all systems are configured to standard. |
| Measures for internal IT and IT security governance and management | We have a dedicated team that manages Security Risk, Compliance and Audit. |
| Measures for ensuring data minimization | We strive to collect and maintain data necessary for our software and services, and for other reasons (e.g., security) that are aligned with industry custom and practice. |
| Measures for ensuring limited data retention; measures for ensuring accountability | When customer data is no longer required, it is purged from our systems. We delete backups after 90 days. When the underlying infrastructure is decommissioned, it is done following the NIST 800-88 standard. |
| Measures for allowing data portability and ensuring erasure | We provide a Data Access Request Form on our website (https://khoros.com/legal/data-...). |
| Other protection measures | We maintain a law enforcement policy that describes how we will handle requests for personal information transferred from the EU. |