Startdeliver Compliance with
EU Data Transfer Requirements
Startdeliver AB is a Swedish Software-as-a-Service provider built for handling large amounts of customer data in a reliable, scalable and secure way. Ensuring the confidentiality, availability, and integrity of our customer’s data is of the utmost importance to us.
This whitepaper describes how customers can use Startdeliver in compliance with the quickly evolving data protection landscape in the EU following the Schrems II ruling and the subsequent recommendations released by the European Data Protection Board (EDPB). The steps laid out in this document outline how customers can conduct assessments of their use of Startdeliver in accordance with the Schrems II ruling and the EDPB’s recommendations, and as a result, enable them to comply with EU data protection regulations.
Transfer Tool, Physical Location and Sub-processors
Our application, database and data backups are located across multiple isolated availability zones in AWS EU-CENTRAL in Frankfurt, Germany (“AWS”), and we use AWS Key Management Service for encryption keys, which are also stored within EU/EEA. More on AWS for GDPR and SchremsII here and for Governments here.
Where is the physical location of the Customer Data being stored and processed?
AWS EU-CENTRAL in Frankfurt, Germany
Can Customer Data be transferred outside the European Economic Area (EEA)?
Startdeliver controls the location and has limited all Customer Data to be stored and processed at this location only.
Does the transfer tool rely on Standard Contractual Clauses?
No transfer outside EU/EEA is made.
AWS updated DPA addendum have SCC but not relevant in this case.
Is there any other Subprocessor that processes the Customer Data?
AWS EU-CENTRAL in Frankfurt, Germany, is the sole processor to Startdeliver.
Does any Subprocesser transfer data outside of the EEA?
As per above.
Risk Assessment of Lawful Access by Foreign Authorities
Startdeliver has, based on the Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, assessed the probability of third countries impinging on the Customer Data processed by Startdeliver or its sub-processors (providers).
Probability that a foreign authority has a legal claim in the data and wishes to enforce it against the provider?
Probability that a foreign authority will successfully enforce the claim through the provider?
Probability of foreign lawful access by mass surveillance?
Technical, Organizational and Contractual Measurements taken by Startdeliver
Startdeliver has implemented and will maintain the following technical and organisational measures:
All network communication between your users (web browser, mobile applications etc) and Startdeliver
All your Customer Data except files (see below) is stored in our databases.
*In transit communication with the database is only done from clients (e.g. API server) within virtual local network
You can upload files e.g. documents, images etc to your account.
Logs are kept to get status and alerts, and troubleshoot the application.
Additional Encryption Solution
Startdeliver offers customers the option of an external encryption key solution to AWS. The consequence of this configuration is that the encryption key for the customer's Personal Data is protected by a European company with operations in Europe and not AWS. With this solution, no Personal Data can be accessed by AWS personnel, whether or not forced by US Authorities, as the encryption key is outside of their reach.
As for the storage of the external encryption key, Startdeliver is using a Swedish provider Bahnhof AB with physical location in Sweden and operates under EU jurisdiction.
Ensuring the confidentiality, availability, and integrity of our customer’s data is of the utmost importance to Startdeliver. Security Policies that cover the following topics are maintained and updated annually:
Employee Security Awareness Training
Data access by Startdeliver employees
Startdeliver employees do not have login access to your data by default. For support and customer success reasons, a Startdeliver employee may ask for your permission to get login access to your account. This can be revoked by the customer at any time and all such access is logged.
For technical reasons, a limited number of the Startdeliver engineering management can access the database cluster and theoretically your database. However, everything that's encrypted Startdeliver client side will still be in the encrypted state (such as credentials, app configurations and files). This access is strictly limited to the CTO and the DevOps Manager, who has been assigned by the CEO.
For troubleshooting purposes, a selected number of Startdeliver engineers have access to logs written by the application. These logs may contain customer data.
Good to know: credentials, such as passwords, your account API keys, any credentials to 3rd parties et.c., are never written to any logs, not even in encrypted format.
Startdeliver imposes the following organizational measures on sub-processors (providers)
Encryption key access
(Not without out Startdelivers permission.)
Provider employees are not allowed to access the key in the key store without the Startdeliver permission AWS KMS is designed so that neither
AWS (including AWS employees) nor third-party providers to AWS have the ability to retrieve, view, or disclose customers' primary keys in an unencrypted format. This can also be monitored in AWS CloudTrail. Event data logged to AWS CloudTrail cannot be altered.
In the Startdeliver General Terms and Data Processor Agreement, Startdeliver makes contractual commitments about the measures it takes to protect customer data. For example, Startdeliver contractually commits to:
Implement technical and organizational measures to protect the Personal Data Startdeliver Processes
Assist customers in complying with their security obligations under GDPR
Provide summary reports and audit reports so customers can verify Startdeliver compliance with the DPA
Startdeliver has also contractual commitments with our subprocessor AWS with regards to requests for Customer Data. For example, AWS contractually commits to, in case AWS receives a valid and binding order by a governmental body to disclose Customer Data:
Use every reasonable effort to redirect requests regarding Customer Data to Customer
Challenge any overboard or inappropriate request, including requests that conflicts with the law of the European Union
If, after exhausting all steps, AWS will only disclose the minimum amount of Customer Data necessary
Continuous evaluation and monitoring
Startdeliver will continue to update this document to better describe how Startdeliver meet the evolving needs and expectations of customers and regulators, and help them fully comply with all applicable law for EU data transfers.
Additional information and contact
Our strategy is, and has always been, to help companies become data driven. A major part of that strategy is to also help our customers comply with data protection rules. We are here for you and available for any further questions.
+46 709 70 76 30
+46 709 98 98 89