Updated November 29, 2022
Pursuant to Clause 14 of the EU Standard Contractual Clauses (SCCs) and the United Kingdom’s (UK) International Data Transfer Agreement (IDTA), this document memorializes that ProductBoard’s contractual obligations, combined with its internal procedures and security controls, are sufficient to protect European Economic Area (EEA) and United Kingdom (UK) Personal Data from the U.S. government’s mass surveillance and ensure that SCCs and will provide an acceptable legal transfer mechanism under the GDPR, and the UK IDTA will provide an acceptable legal transfer mechanism under the UK GDPR. This memorialization may be modified, updated, or changed at any time.
| Description of Relevant U.S. Laws & History of Governmental Access | ||
|---|---|---|
| Law | Description | Data importers experience from prior five years. |
| The Foreign Intelligence Surveillance Act of 1978 (FISA) 50 U.S.C. § 1801, et seq. (2021) | Pursuant to FISA, an independent court may authorize certain US government agencies (e.g., FBI) to issue orders for national security related purposes that require “electronic communications service providers” to disclose communications-related information of specific data subjects who are located outside of the US. The term “electronic communications service providers” is defined to include “any service which provides to users thereof the ability to send or receive wire or electronic communications.” The term is widely understood in practice to apply to companies that are in the business of providing communications services to third parties (e.g., telecommunications carriers), as opposed to providing communications services for internal corporate use such as employee email, although there is relatively little judicial interpretation of FISA’s scope. FISA, the ECPA (discussed below), and the Administrative Procedure Act authorize individuals of any nationality to seek redress in U.S. courts through civil lawsuits for violations of FISA 702. | No requests. |
| Executive Order (EO) 12333 | EO 12333 refers to an executive order issued by the President of the United States organizing US intelligence activities. EO 12333 does not apply to the data importer as the order does not compel private companies, such as the data importer, to disclose personal data. EO 12333 does not directly authorize the government to require any company or person to disclose data, and on its own, does not permit bulk data collection. | No requests. |
| Electronic Communications Privacy Act (ECPA) 50 U.S.C. § 1881(b)(4) (2021) (incorporating definition found in 18 U.S.C. § 2510 | Pursuant to ECPA, the Federal Bureau of Investigation (FBI) may seek certain information relating to subscribers of “wire or electronic communication service providers.” The term “electronic communications service providers” is defined to include “any service which provides to users thereof the ability to send or receive wire or electronic communications.” As discussed in the context of FISA, while the data importer believes that it is not an electronic communication service provider, note that ECPA might be indirectly relevant to the extent that data sent to the data importer through the internet or telephone may transit through a third party entity that is subject to a ECPA-based government request. | No requests. |
| Executive Order on Enhancing Standard for United States Signals Intelligence Activities (https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/) | This executive order establishes principles for U.S. national security signals intelligence activities to address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. The order requires that signals intelligence activities be necessary to advance a validated intelligence priority and shall be conducted only to the extent and in a manner that is proportionated to the validated intelligence priority for which they have been authorized. The executive order also establishes a redress mechanism for complaints (submitted by an individual to their local data protection authority, which will then bring an action on their behalf). The initial investigation of complaints is performed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“ODNI CLPO”). The ODNI CLPO is authorized to investigate, review, and, as necessary, order appropriate remediation to ensure that signals intelligence activities comport with this executive order. To do this, the ODNI CLPO will have access to all information necessary to make such a determination. In addition, the ODNI CLPO’s determination shall not be overseen or interfered with by the Director of National Intelligence. The ODNI CLPO’s orders are binding on each element of the Intelligence community, and they may only be reviewed by the Data Protection Review Court (established by the Attorney General’s regulation discussed below). This executive order and the AG’s regulation discussed below may potentially underpin a new adequacy decision for international data transfers to the U.S. from the EU. | No requests. |
| Attorney General Regulation Establishing the Data Protection Review Court (https://www.justice.gov/opcl/page/file/1541321/download) (28 CFR 201 et seq.) | Pursuant to the executive order on signals intelligence, the Attorney General issued this rule to establish the Data Protection Review Court (“DPRC”) that will review the determinations concerning U.S. signals intelligence activities made by the ODNI CLPO. To ensure independence and impartiality, the DPRC judges will not be subject to day-to-day AG supervision and can only be removed for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity. DPRC judgements, including remedial measures that the U.S. intelligence agencies must undertake, will be final and binding. To file for review, a data subject must file through their data protection authority within their country. Each complainant’s interests will be represented by a Special Advocate Once DPRC review has been completed, data subjects will be informed if they did not uncover any violations or if they issued a determination requiring remedial measures. This regulation and the executive order discussed above may potentially underpin a new adequacy decision for international data transfers to the U.S. from the EU. | No requests. |
| Industry-level Knowledge See U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF), dated September 2020, issued by U.S. Department of Commerce, U.S. Department of Justice and the Office of the Director of National Intelligence noting that: U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit the collection of information for the purpose of obtaining a commercial advantage. Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data. |
||
| Administratively issued subpoenas or demands | Approximately 335 federal agencies have the ability to issue administrative subpoenas or civil investigative demands compelling the production of documents or information. This includes, for example, the Securities Exchange Commission (SEC) and the Federal Trade Commission (FTC). In addition, agencies of the fifty states may have similar investigatory powers. Agencies cannot prohibit a company that receives an administrative subpoena or civil investigative demand from disclosing that fact to a third party. | No requests. |
| Search warrants | A search warrant is a court order that a judge issues to authorize a law enforcement officer to conduct a search of a person, office, or other location to identify, and confiscate, evidence of a crime. Agencies cannot prohibit a company that receives a search warrant from disclosing that fact to a third party. | No requests. |
| Judicially issued subpoenas | A judicially issued subpoena is a formal written order issued by a judge that commands a person, or a company, to appear before a court, or to provide information to an officer of a court under penalty for failure to comply. Judges generally cannot prohibit a company that receives a judicial subpoena from disclosing that fact to a third party. | No requests. |
| Grand jury subpoenas | A grand jury is a judicially convened group of citizens that make a determination as to whether to charge an individual with a crime. A grand jury subpoena is a subpoena issued as part of a grand jury’s inquiry. A grand jury subpoena, or the letter accompanying a grand jury subpoena, may request (but not legally obligate) that a company not disclose the subpoena, the investigation, or the documents or information requested, as a disclosure, if made, may impede a criminal investigation. | No requests. |
| Factors Impacting Disclosure to Public Authorities | |
|---|---|
| Circumstances | Description |
| 1. Services Offered | See Master Subscription Agreement (“MSA” or “Agreement”) (https://productboard.com/msa) |
| 2. Personal Data Transferred | Personal data submitted, stored, sent or received by the Customer, Users or End-User (as defined in the MSA) via the Services (as defined in the MSA) may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data. No special categories of personal data transferred. |
| 3. Length of Processing Chain | The personal data submitted by the Customer goes directly into ProductBoard’s systems. |
| 4. Onward Transfers | The subprocessors used by ProductBoard as part of its normal and ordinary course of business are identified at https://www.productboard.com/blog/productboard-subprocessors/. As part of the data importer’s vendor risk management program, vendors stipulate the jurisdictions to which personal data is transferred and have agreed not to transfer personal data across international borders unless: (i) the transfer is necessary for the vendor to perform the Agreement; (ii) the vendor transfers only that personal data for which transfer is necessary to perform the Agreement; and (iii) and the vendor takes the measures necessary to ensure that the transfer of personal data complies with applicable data protection laws. For more information about ProductBoard’s sub processors, see https://www.productboard.com/subprocessors/ |
| 5. Transmission Channel of Data | Personal data may be transmitted through a variety of industry standard channels including: internet (via encrypted tunnel), and email (using encrypted email messages) |
| 6. Format of Transferred Data | No back doors. ProductBoard has not and will not purposefully create or change its business processes in a manner that facilitates government access to personal data or systems. The data importer requires the following data formats when personal data is transmitted over the internet or by email: All data sent to or from ProductBoard is encrypted in transit using AES 256-bit encryption. ProductBoard’s API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. ProductBoard only uses strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. For more information about ProductBoard’s security measures, see https://productboard.com/security-standards/ |
| 7. Purpose of Processing | See DPA (https://productboard.com/DPA), Schedule 1. |
| 8. Economic Sector Involved | Tertiary – service provider |
| 9. Storage Location | AWS (US) |
| Additional Relevant Factors | |
|---|---|
| Circumstances | Description |
| 10. Comprehensive Data Protection Law | While the US does not have a comprehensive national data protection law, it has more than 300 federal and state laws governing the use, collection, sharing, and disclosure of personal data. In addition, data importer is subject to several state laws that do purport to provide for comprehensive data protection including the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act. |
| 11. Independent Data Protection Authority | The US has several federal and state agencies with authority to enforce and monitor data privacy and data security practices including the Federal Trade Commission. |
| 12. International Instruments / Treaties | Data importer is not aware of any international instruments or treaties to which the US is subject in connection with data privacy or data security. |
| 13. Availability of Judicial Redress to Data Subjects | Data subjects whose information is sought by a US government agency are generally permitted to seek redress in US courts. Note, however, that some US statutes identified above (e.g., FISA, ECPA, RFPA, National Security Act, FCRA) may prohibit a company that receives an information request from disclosing that fact. FISA, the ECPA (discussed below), and the Administrative Procedure Act authorize individuals of any nationality to seek redress in U.S. courts through civil lawsuits for violations of FISA 702. |
| 14. Documentation of Requests | ProductBoard will document and record all requests for access to Customer Data received by government authorities, including a description of: (i) the data requested, (ii) the requesting body, (iii) the legal basis for disclosure, and (iv) to what extent the ProductBoard has disclosed the data requested. ProductBoard will make available such records to the data exporter upon request. To the extent ProductBoard is prohibited by law from disclosing certain details regarding requests from government authorities, those details will be omitted and the legal basis for such omission will be provided instead |
| 15. Transparency Reports | Upon request, ProductBoard will regularly provide the data exporter with a transparency report which summarizes all law enforcement requests received and the kind of reply provided. To the extent the Data Importer is prohibited by law from disclosing certain details, the transparency report will indicate that certain information has been omitted. |
| 16. Law Enforcement Policy | Data importer has a policy and procedure in place for analyzing requests from law enforcement agencies. Among other things the data importer does not release client personal data to law enforcement unless it assesses that the demand is valid, and the release of client personal data is authorized or required by law |
| 17. Recognition of the Rule of Law | The U.S. recognizes the rule of law and has an established and respected legal and court system that is largely derived from the UK legal system. |
| 18. Enforcement of Foreign Judgments | Courts in the U.S. will recognize and enforce foreign judgments. The standard procedure is for the individual seeking to enforce the judgment to institute a new lawsuit before a competent U.S. court, which will then determine whether to recognize and enforce the foreign judgment and issue an appropriate order. |
| 19. Judicial Independence | Judicial process in the U.S. has a high level of integrity and the judicial system is respected as a separate and independent branch of the government. |
Based upon a review of the laws identified above as applicable to ProductBoard, as well as the additional factors applicable to the processing activity, the data exporter and data importer have not identified a significant reason to believe that the laws and practices applicable to the data importer, including any requirements to disclose personal data or measures authorizing access to public authorities, are likely to prevent the data importer from fulfilling its contractual duties in relation to the processing. The following summarizes the basis of this conclusion:
Legal Notice:
The data exporter is responsible for making their own independent assessment of the information in this Transfer Impact Assessment. This Assessment (a) is for informational purposes only, and (b) does not create any commitments or assurances from ProductBoard. The responsibilities and liabilities of the data exporter are controlled by the parties agreements, and this Assessment, is provided for informational purposes only and is not part of, nor does it modify, any agreement between the data exporter and ProductBoard.
