Startdeliver Compliance with EU Data Transfer Requirements

Startdeliver Compliance with

EU Data Transfer Requirements

Introduction

Startdeliver AB is a Swedish Software-as-a-Service provider built for handling large amounts of customer data in a reliable, scalable and secure way. Ensuring the confidentiality, availability, and integrity of our customer’s data is of the utmost importance to us.

This whitepaper describes how customers can use Startdeliver in compliance with the quickly evolving data protection landscape in the EU following the Schrems II ruling and the subsequent recommendations released by the European Data Protection Board (EDPB). The steps laid out in this document outline how customers can conduct assessments of their use of Startdeliver in accordance with the Schrems II ruling and the EDPB’s recommendations, and as a result, enable them to comply with EU data protection regulations.

Transfer Tool, Physical Location and Sub-processors

Our application, database and data backups are located across multiple isolated availability zones in AWS EU-CENTRAL in Frankfurt, Germany (“AWS”), and we use AWS Key Management Service for encryption keys, which are also stored within EU/EEA. More on AWS for GDPR and SchremsII here and for Governments here.

Question	Answer	Comment
Where is the physical location of the Customer Data being stored and processed?	Frankfurt, Germany	AWS EU-CENTRAL in Frankfurt, Germany
Can Customer Data be transferred outside the European Economic Area (EEA)?	No.	Startdeliver controls the location and has limited all Customer Data to be stored and processed at this location only.
Does the transfer tool rely on Standard Contractual Clauses?	No transfer outside EU/EEA is made.	AWS updated DPA addendum have SCC but not relevant in this case.
Is there any other Subprocessor that processes the Customer Data?	No.	AWS EU-CENTRAL in Frankfurt, Germany, is the sole processor to Startdeliver.
Does any Subprocesser transfer data outside of the EEA?	No.	As per above.

Risk Assessment of Lawful Access by Foreign Authorities

Startdeliver has, based on the Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, assessed the probability of third countries impinging on the Customer Data processed by Startdeliver or its sub-processors (providers).

Question	Probability	Rationale
Probability that a foreign authority has a legal claim in the data and wishes to enforce it against the provider?	Extremely low	According to AWS public records they have approximately 1000 cases per year out of approx. 30 cases are content cases vs 970 are non-content. This from more than 1 million customers. The probability is at an average of 0,1%. We assume that the vast majority of cases do not concern serious crimes, but regulatory and civil disputes that under the US CLOUD Act or Stored Communications Act do not permit lawful access via our provider. Enforcing lawful access via the provider to access data of one of its corporate customers (where it is a processor) is much more difficult than in the case of data of private individuals (where it is a controller). It also takes time. Therefore, we believe that the authorities will want to undergo such trouble only in particularly important cases, thus significantly reducing the number of relevant cases.
Probability that a foreign authority will successfully enforce the claim through the provider?	Very low	If the provider gets access in a support case, it gets access to the data necessary to resolve the support cases and not more. The provider cannot simply search for other data. However, requests from authorities always refer to specific data. The probability that the data that the provider gets access to is exactly the same as the data that the authorities have requested from the provider is very low. Our data is encrypted and the private keys cannot be accessed by the provider's employees with their access unless approved by us. These entries are transparently visible to us at all times (CloudWatch), and we control them (the master copy is with us). However, it is technically conceivable in principle that the provider could build a backdoor into his software that would provide it with access, since it controls the software used and it originates from the provider. However, it is not certain whether it would actually succeed in doing so, and whether it would be able to do so unnoticed during the observation period. We assume that no such backdoors exist today, and that would be illegal and a breach of contract that would be highly unlikely considering the size of this company.
Probability of foreign lawful access by mass surveillance?	Very low	No data is transmitted over the Internet in unencrypted form, either by us or by the provider. Therefore, our data cannot fall into the hands of the US intelligence agencies in plain text as part of their monitoring of the Internet backbones. The provider, including its U.S. subcontractor, has signed the European Commission's standard contractual clauses, thereby warranting that it believes that it is not required to grant access to our data to the US intelligence authorities under Section 702 FISA (or EO 12.333). Also, no such cases are known to date in scenarios comparable to our situation. In an official whitepaper that the US Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence jointly issued in September 2020 states that for many companies, the issue of national security access to their personal data is unlikely to arise because this data would not be of interest to national security agencies. The paper notes that: Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.” “The theoretical possibility that a US intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.” The “White Paper” also notes that such access to data could occur anywhere in the world, not just in the US.

Technical, Organizational and Contractual Measurements taken by Startdeliver

Startdeliver has implemented and will maintain the following technical and organisational measures:

Technical Measures

Application Communication

All network communication between your users (web browser, mobile applications etc) and Startdeliver

Application Communication	Encrypted
In transit	Yes

Databases

All your Customer Data except files (see below) is stored in our databases.

Databases	Encrypted
At rest	Yes
In transit*	Yes

*In transit communication with the database is only done from clients (e.g. API server) within virtual local network

Files

You can upload files e.g. documents, images etc to your account.

Files	Encrypted
At rest	Yes
In transit	Yes

Logs

Logs are kept to get status and alerts, and troubleshoot the application.

Logs	Encrypted
At rest	Yes
In transit	Yes

Additional Encryption Solution

Startdeliver offers customers the option of an external encryption key solution to AWS. The consequence of this configuration is that the encryption key for the customer's Personal Data is protected by a European company with operations in Europe and not AWS. With this solution, no Personal Data can be accessed by AWS personnel, whether or not forced by US Authorities, as the encryption key is outside of their reach.

As for the storage of the external encryption key, Startdeliver is using a Swedish provider Bahnhof AB with physical location in Sweden and operates under EU jurisdiction.

Organizational Measures

Ensuring the confidentiality, availability, and integrity of our customer’s data is of the utmost importance to Startdeliver. Security Policies that cover the following topics are maintained and updated annually:

Employee Security Awareness Training
Access Controls
Technical Security
Encryption
Security Monitoring
Secure Workspace

Data access by Startdeliver employees

Login access

Startdeliver employees do not have login access to your data by default. For support and customer success reasons, a Startdeliver employee may ask for your permission to get login access to your account. This can be revoked by the customer at any time and all such access is logged.

Database access

For technical reasons, a limited number of the Startdeliver engineering management can access the database cluster and theoretically your database. However, everything that's encrypted Startdeliver client side will still be in the encrypted state (such as credentials, app configurations and files). This access is strictly limited to the CTO and the DevOps Manager, who has been assigned by the CEO.

Log access

For troubleshooting purposes, a selected number of Startdeliver engineers have access to logs written by the application. These logs may contain customer data.

Good to know: credentials, such as passwords, your account API keys, any credentials to 3rd parties et.c., are never written to any logs, not even in encrypted format.

Startdeliver imposes the following organizational measures on sub-processors (providers)

Organizational control	Provider Access	Comment
Encryption key access	No. (Not without out Startdelivers permission.)	Provider employees are not allowed to access the key in the key store without the Startdeliver permission AWS KMS is designed so that neither AWS (including AWS employees) nor third-party providers to AWS have the ability to retrieve, view, or disclose customers' primary keys in an unencrypted format. This can also be monitored in AWS CloudTrail. Event data logged to AWS CloudTrail cannot be altered.

Contractual Measures

In the Startdeliver General Terms and Data Processor Agreement, Startdeliver makes contractual commitments about the measures it takes to protect customer data. For example, Startdeliver contractually commits to:

Implement technical and organizational measures to protect the Personal Data Startdeliver Processes
Assist customers in complying with their security obligations under GDPR
Provide summary reports and audit reports so customers can verify Startdeliver compliance with the DPA

Startdeliver has also contractual commitments with our subprocessor AWS with regards to requests for Customer Data. For example, AWS contractually commits to, in case AWS receives a valid and binding order by a governmental body to disclose Customer Data:

Use every reasonable effort to redirect requests regarding Customer Data to Customer
Challenge any overboard or inappropriate request, including requests that conflicts with the law of the European Union
If, after exhausting all steps, AWS will only disclose the minimum amount of Customer Data necessary

Continuous evaluation and monitoring

Startdeliver will continue to update this document to better describe how Startdeliver meet the evolving needs and expectations of customers and regulators, and help them fully comply with all applicable law for EU data transfers.

Additional information and contact

Our strategy is, and has always been, to help companies become data driven. A major part of that strategy is to also help our customers comply with data protection rules. We are here for you and available for any further questions.


Olof Nilsson	Johan Nilsson
CTO	CEO
+46 709 70 76 30 onilsson@startdeliver.com	+46 709 98 98 89 jnilsson@startdeliver.com