Data Transfer Impact Assessment & Transparency Statement
Last updated on: 14 December 2022
This document is for information purposes only and Customers are responsible for making their own independent assessment of the information in this document. This document represents current Abstract services and practices, which are subject to change without notice, and does not create any commitments or assurances from Abstract and its suppliers or Customers. The responsibilities and liabilities of Abstract to its Customers are controlled by Abstract Order Forms and Terms of Use, and this document is not part of, nor does it modify, any agreement between Abstract and its Customers.
Overview
We take safeguarding our Customers’ information seriously. That is why we have taken steps to comply with applicable law regarding international data transfers.
This document provides information to help Abstract customers who are data exporters from the European Economic Area/European Union ("EU") or the United Kingdom ("UK" and collectively, “Europe”) conduct data transfer impact assessments in connection with their use of Abstract.
In particular, this document describes the legal regimes applicable to Abstract in the US, the safeguards Abstract puts in place in connection with transfers of customer personal data from Europe, and Abstract's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs").
Step 1: Know your transfer
Abstract provides subscriptions to our “software as a service” (SaaS) platform to designers and design teams to manage projects and enable version control in Sketch (“Abstract Services”). Where Abstract processes personal data governed by European data protection laws as a data processor (on behalf of our Customers), we act in accordance with our obligations under the Abstract Data Processing Addendum ("DPA"), which incorporates the SCCs.
What personal data does Abstract process?
The Abstract DPA provides the following information:
● description of Abstract’s processing of customer personal data
● description of Abstract’s technical, contractual, organizational, and security measures
Please refer to Annex 1 of Schedule 1 to Abstract’s DPA for further information on the nature of Abstract's processing activities in connection with the provision of Abstract Services, the types of customer personal data we process and transfer, and the categories of data subjects.
Where does Abstract store/process my data?
Data processed by Abstract in connection with our customers’ use of Abstract Services is both transferred to and stored in the US.
Abstract utilizes AWS infrastructure to store and process data. Your data is transferred to the US and is stored in the AWS US East or US West regions. We may transfer customer personal data wherever our third-party service providers operate for the purpose of providing you Abstract Services. To see a detailed list of our sub-processors and the data they process on our behalf, visit our sub-processors page.
How long does Abstract retain data?
Abstract retains data for as long as the Customer is using Abstract Services. For details on the data retention schedule, please refer to sections 9.7 and 9.8 of our Terms of Use and section 1.14 of Exhibit 1 to the Abstract DPA.
Step 2: Identify the transfer tool relied upon
How does Abstract protect my data?
Where personal data originating from Europe is transferred to Abstract, Abstract relies upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. To review Abstract’s Data Processing Addendum (which incorporates the SCCs) please visit https://www.Abstract.com/legal/data-processing-addendum.
Where customer personal data originating from Europe is transferred by Abstract to third-party subprocessors, Abstract takes steps to adhere to appropriate transfer safeguards, such as relevant standard contractual clauses, with each subprocessor.
Where applicable data protection requirements change, we may update these transfer mechanisms to comply with applicable laws.
Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
U.S. Surveillance Laws
Abstract’s customers are data exporters. The Customer should assess whether anything in the law or practices of the third country (i.e., the US) may impact the effectiveness of relying on the standard contractual clauses as a transfer tool. Exporters should assess whether the level of protection in the recipient country (i.e., the US) is essentially equivalent to what is guaranteed under the UK and/or EU GDPR, as applicable – or, if not, what supplementary measures will be required.
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
● FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
● Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
● For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
● There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
● EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
● Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
CLOUD Act
For more information on the CLOUD Act, review What is the CLOUD Act? by the Business Software Alliance (BSA) outlining the scope of the CLOUD Act.
The whitepaper notes:
● The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
● The CLOUD Act does not authorize U.S. government access to data for national security investigations, and it does not permit bulk surveillance.
Is Abstract subject to FISA 702 or EO 12333?
Though Abstract, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be an RCSP, we do not believe that Abstract processes any personal data that is likely to be of interest to US intelligence agencies.
As Abstract does not provide internet backbone services, but instead only processes information involving its own customers, it is not likely to be subject to upstream surveillance orders under FISA 702, the type of order deemed problematic by the Schrems II decision.
EO 12333 contains no authorization to compel private companies (such as Abstract) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that Abstract processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
What is Abstract's practical experience dealing with government access requests?
While Abstract may technically be subject to the surveillance laws identified in Schrems II we have not been subject to these types of requests in our day-to-day business operations. As of the “updated” date at the top of this page, Abstract has never received a FISA Section 702 or EO 12333 data access request from the US government in connection with Abstract Services.
If we were to receive a request from a governmental authority for personal data that we process on behalf of a customer, Abstract would notify the customer of such a request for that customer’s data, unless prohibited to do so by law. If we receive a government request for customer data and we are prohibited by law from notifying the affected customer, we use best efforts to request that the confidentiality requirement be waived.
Abstract undertakes technical and organizational measures to secure customer data as described in Step 4 below.
Abstract’s contractual measures are set out in our Data Processing Addendum which incorporates the SCCs. These include:
Technical measures: Abstract is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data.
Transparency: Abstract is obligated under our SCCs to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority. In the event Abstract is legally prohibited from making such a disclosure, we will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.
Actions to challenge access: Under our SCCs, Abstract is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
To date, Abstract has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
Abstract provides technical and organizational measures to secure customer data as outlined in Exhibit 1 to Abstract’s DPA, as well as security measures including AES-256 encryption for data at rest and TLS 1.2 encryption for data in transit.
Abstract’s contractual measures are set out in our DPA which incorporates the SCCs.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this document, including Abstract's practical experience dealing with government requests and the technical, contractual, and organizational measures Abstract has implemented to protect customer personal data, Abstract considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as "data importer") or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate
Abstract will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.