Legal

Data Geofencing Compliance Process

Policy to Restrict Transfer of EU Data to US

As of September 25, 2025

Link to Previous Version

Purpose

Following the implementation of the EU-US Data Privacy Framework in 2023, European data protection authorities continue to scrutinize cross-border data transfers, emphasizing the need for robust technical and organizational measures beyond standard adequacy mechanisms.

While adequacy protections exist for certain transfers, Airship maintains an optional offering for enhanced data geofencing protections to ensure the highest level of privacy safeguards for EU customer data. To that end, Airship has developed a Policy to restrict the cross-border transfer of EU customer data from the EU to the US. Airship’s commitment to global data privacy protections remains at the forefront of our business and this Policy is just one aspect of our approach. 

Scope

  • This Policy applies only to Airship customers with data hosted in the EU data center who elect to participate and enter appropriate contractual language to govern application of this Policy to the customer’s data. 
  • For purposes of this Policy, the following categories of information are considered “Personal Information”:
    • Channel ID
    • Customer ID (or Named ID)
    • Push Tokens
    • Email Address
    • SMS Number
    • First / Last Name
  • This Policy governs the ability of US-based Airship personnel to access customer data hosted in the EU data center.
  • This Policy applies to Customer Success personnel including: Technical Support Engineers; Account Managers; Technical Account Managers; Technical Consultants; Strategic Consultants; and Campaign Specialists.
  • This Policy applies to Engineering personnel including all members of the Engineering, Infrastructure, QA, Product, Program, Documentation, and Design organizations.
  • This Policy is applied in connection with the new Standard Contractual Clauses (New SCCs) required by GDPR and with Airship’s Policy on Response to Public Authority Requests for Personal Data that is compliant with GDPR standards.
  • This Policy is compatible with GDPR-compliant transfer impact assessments provided for every customer requesting an assessment in connection with their GDPR compliance program.

Organizational Measures

  • When a customer support ticket is initiated by a customer hosted in the EU data center who has elected to have this Policy applied, the ticket will be managed from an EU instance of the ticket management software and only accessed by non-US employees.
  • These customers should be aware that there may be support and service implications and support tickets submitted outside of local business hours may have an extended response time as provided in the agreement entered into by the customer with Airship.
  • When a customer support ticket from a customer hosted in the EU data center must be escalated to the Engineering or Product teams, it will be routed via internal project rules and workflows only to employees based outside the US. 
  • If a customer support incident requires escalation for assistance by US-based personnel, the transfer of any Personal Information will not be undertaken without express customer consent (with email consent to suffice).

Technical Measures

  • A customer support ticket initiated by a customer hosted in the EU data center must be created through the EU ticketing portal.
  • Tickets that require escalation beyond Technical Support (e.g., to the Engineering or Product teams) will be routed in a manner that only allows non-US employees to view and access the tickets.
  • Non-US Engineers and Product Managers will triage and attempt to resolve tickets in this queue. Should they need assistance from US-based employees, they will discuss and troubleshoot without transferring any data.
  • If a customer support incident requires escalation for assistance by US-based personnel, the transfer of any Personal Information will not be undertaken without express customer consent (with email consent to suffice).
  • Data access may include limited data transfers to US-based systems or personnel without prior customer consent when (a) necessary to prevent or respond to an urgent security incident that poses imminent risk to customer data integrity or system availability or (b) required for data loss prevention monitoring that cannot be effectively performed solely from EU locations. Data minimization standards will be applied and only the minimum amount of information necessary to achieve the objective will be transferred.

Training

Airship personnel involved in the provision of services to customers under this Policy will be trained and tested while the Policy remains in effect.

Policy Revisions

This Policy is subject to revisions to comply with changing legal and regulatory standards.