Legal

Data Geofencing Compliance Process

Policy to Prohibit Transfer of EU Data to US

As of April 18, 2022

Purpose

While the underlying law governing the transfer of data between the EU and US remains the same as what was established by GDPR in 2018 and what is required by the Standard Contractual Clauses, the recent decisions of several European data protection authorities have called the practice of cross-border transfers from the EU to the US into question.

On March 25, 2022, the US and the European Commission jointly announced that a framework for a new trans-Atlantic data treaty had been reached. While the details of the new data agreement are forthcoming, and until a permanent mechanism for EU-US data transfers is adopted, Airship has developed a Policy to prohibit the cross-border transfer of EU customer data from the EU to the US. Airship’s commitment to global data privacy protections remains at the forefront of our business and this Policy is just one aspect of our approach.

Scope

  • This Policy applies only to Airship customers with data hosted in the EU data center who elect to participate.
  • For purposes of this Policy, the following categories of information are considered “Personal Information”:
    • Channel ID
    • Customer ID (or Named ID)
    • Push Tokens
    • Email Address
    • SMS Number
    • First / Last Name
  • This Policy governs the ability of US-based Airship personnel to access customer data hosted in the EU data center.
    • This Policy applies to Customer Success personnel including: Technical Support Engineers; Account Managers; Technical Account Managers; Technical Consultants; Strategic Consultants; and Campaign Specialists.
    • This Policy applies to Engineering personnel including all members of the Engineering, Infrastructure, QA, Product, Program, Documentation, and Design organizations.
    • This Policy is applied in connection with the new Standard Contractual Clauses (New SCCs) required by GDPR and with Airship’s Policy on Response to Public Authority Requests for Personal Data that is compliant with GDPR standards.
  • This Policy is compatible with GDPR-compliant transfer impact assessments provided for every customer requesting an assessment in connection with their GDPR compliance program.

Organizational Measures

  • When a customer support ticket is initiated by a customer hosted in the EU data center who has elected to have this Policy applied, the ticket will be managed from an EU instance of the ticket management software and only accessed by non-US employees.
    • These customers should be aware that there may be support and service implications and support tickets submitted outside of local business hours may have an extended response time.
  • When a customer support ticket from a customer hosted in the EU data center must be escalated to the Engineering or Product teams, it will be routed via internal project rules and workflows only to employees based outside the US. 
  • If a customer support incident requires escalation for assistance by US-based personnel, the transfer of any Personal Information will not be undertaken without express customer consent (with email consent to suffice).

Technical Measures

  • A customer support ticket initiated by a customer hosted in the EU data center must be created through the EU ticketing portal.
  • Tickets that require escalation beyond Technical Support (e.g., to the Engineering or Product teams) will be routed in a manner that only allows non-US employees to view and access the tickets.
  • Non-US Engineers and Product Managers will triage and attempt to resolve tickets in this queue. Should they need assistance from US-based employees, they will discuss and troubleshoot without transferring any data.
  • If a customer support incident requires escalation for assistance by US-based personnel, the transfer of any Personal Information will not be undertaken without express customer consent (with email consent to suffice).

Training

Airship personnel involved in the provision of services to customers under this Policy will be trained and tested while the Policy remains in effect.

Policy Revisions

This Policy is subject to revisions to comply with changing legal and regulatory standards.