Skip to Main Content
Main Menu
Legal Center

TrustArc Safeguards

 
 
Last Updated: 17 April 2023

The Court of Justice of the European Union (“CJEU”) in case C-311/18 (Data Protection Commission v. Facebook Ireland Ltd. and Maximilian Schrems) determined that transfers of data to third countries require companies to conduct an assessment of whether “supplementary measures” are needed to be adopted to provide for an essentially equivalent level of data protection. In response to the judgment, TrustArc Inc, including its subsidiaries (altogether “TrustArc”), has implemented additional safeguards for our contracts that include cross-border data transfers out of the European Economic Area, the United Kingdom, and other locales that have similar cross- border transfer requirements. Where appropriate and possible, these safeguards are extended to TrustArc customers worldwide.

TrustArc opposes the disclosure of any Company Data, Customer Data, and/or Personal Information to government authorities unless it is required by law or required to prevent serious injury or death.

Our approach to privacy is available at https://trustarc.com/privacy-policy/, which answers most questions about how we collect, use, share, and protect personal information. Given TrustArc’s standards for processing customer data, many of the safeguards listed below have long been in place. This should provide customers the information necessary to assess data transfer risk. A SOC2, Type2 report is also available upon request.

TrustArc is headquartered in California, United States with subsidiaries in Canada, the Philippines, and the United Kingdom.

Government Access Requests

TrustArc considers it is not an Electronic Communication Service Provider as referred to in 50 U.S. Code §1881a, and therefore not subject to subpoenas under the U.S. Foreign Intelligence Surveillance Act (“FISA”). TrustArc is typically not subject to government access requests, and historically has not received requests from intelligence agencies nor law enforcement officials, but there is a remote possibility of TrustArc receiving such a request. We host our production data in Amazon Web Services, but it is encrypted at rest using AES 256 and we hold the keys. AWS would not be able to provide information under a government request.

We carefully review any government request for access. We will verify the legitimacy of the request, the need to comply, and where possible, limit the data provided to precisely what is required, remove information that is not specifically requested and/or remove identifiers. Where not prohibited, we will alert customers with as much advance notice as possible if their data is subject to the request to allow customers to have the opportunity to object. If not permitted to alert customers in advance, we will make notice available afterwards unless prohibited. We will also update this statement to reflect if we are no longer able to state that we have not received such a request. At this time, we have not received any government access requests such as those contemplated in the Schrems decision.

Legal

The European Commission issued new Standard Contractual Clauses on 4 June 4 2021. TrustArc has evaluated its transfers and relationships and will transition to the new SCCs as appropriate. At this time, TrustArc will enter into approved data transfer agreements as appropriate. In addition, there has been new guidance issued by the European Data Protection Board on international transfers of personal data. We are monitoring subsequent requirements and will act accordingly.

In addition to the safeguards listed below, TrustArc maintains its self-certification to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. Whereas the Shield is no longer available as a data transfer mechanism, it remains a legally binding commitment to additional safeguards that is enforceable by the U.S. Federal Trade Commission.

Hosting and Processing Locations

All data processed in the TrustArc privacy management platform is by default hosted in the Amazon Web Services data center in Virginia, United States, with the exception of Cookie Consent Manager, which is hosted in Ireland. Customers also now have the option to choose to have all of their data hosted in the Amazon Web Services data center in Frankfurt, Germany. If so selected, TrustArc will still access customer data as necessary for support and provision of services from TrustArc locations, but the main processing and storage would be in the European Union.

Technical Safeguards

  1. Hosting Facilities. TrustArc uses Amazon Web Services, as mentioned above, for hosting our platform. You can learn more about their security safeguards here https://aws.amazon.com/security/ and specifically in response to Schrems II https://aws.amazon.com/blogs/security/aws-and-eu-data-transfers-strengthened-commitments-to-pr otect-customer-data/.
  2. Physical Access Controls. Where applicable, TrustArc will take reasonable measures to prevent physical access, such as using on-site security personnel and secured buildings, to prevent unauthorized persons from gaining access to customer data. Where we outsource hosting to datacenters, physical security is a requirement. Where our workforce is deployed remotely, we require certain physical protections to be in place.
  3. System Access Controls. TrustArc will take reasonable measures to prevent personal data from being accessed and/or used without authorization. These controls shall vary based on the nature of the processing and will include at minimum authentication via password protection, documented authorization processes, documented change management processes, logging access to the data, and secure remote access procedures, such as VPN.
  4. Data Access Controls. TrustArc will take reasonable measures to ensure that personal data is only accessible and manageable by properly authorized staff. Access rights to and within data processing systems are established and enforced to ensure that only authorized persons can access the information systems and the data within that they have the authorization and need to access.
  5. Transmission Controls. TrustArc will take reasonable measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport. This specifically includes encrypting data in motion with TLS 1.2.
  6. Data Storage. TrustArc will ensure that data at rest is encrypted. Production data will be backed up on a regular basis. Further, customer data is logically segregated on servers.
  7. Customer Control. TrustArc’s platform is designed with self-service functionality. Customers are able to delete data, view activity logs, and reach out to our support teams for assistance. TrustArc, as the data processor, will process data according to the data controller’s instructions and applicable law.

Assessing Transfer Risk

The assessment of data transfer risks belongs primarily to the responsibility of the customer. TrustArc commits to support its customers where needed and possible. Customers must take into account that TrustArc has its headquarters in a non-EEA country, specifically the U.S., and is subject to the local legislation in all jurisdictions it operates in. These include Canada, the Philippines, and the United Kingdom. When using the TrustArc platform, or any other TrustArc products and/or services where TrustArc is the data processor, customers must take into account the data center locations, the customer locations for the customer users who will log into the platform, and the amount and type of data to be processed.

As mentioned at the beginning, TrustArc is not subject to the government access requests that caused concern to the CJEU and have not received any such requests. Given all data processed on behalf of our customers in the platform or via our products and/or services is encrypted both in transit and at rest, AWS would not be able to gain access themselves, or provide third parties with targeted access to such data.

Other factors to consider are the data processed by TrustArc, which may depend on the customer’s implementation of the platform or services. Our platform is a privacy management and compliance offering intended to capture a company’s privacy management and compliance activities, such as mapping data flows (no access into customers’ systems), providing controls for laws to which customers may be subject for customers to evaluate if the controls have been met, running data protection impact assessments, and facilitating data subject rights and consent management. Certainly, our platform is robust in regards to privacy management, but it typically processes limited amounts of personal data, e.g., user credentials for customers’ employees designated to work within the platform or the contact information of vendors or other third parties to manage processors.

Services that are public-facing, such as Cookie Consent Manager or Individual Rights Manager, require taking into account the data subjects who will enter the data directly and may therefore rely on derogations as the data transfer mechanism, as provided under Article 49 (one cannot enter into Standard Contractual Clauses with a data subject). Particularly for Individual Rights Manager, customers know what type of data they have on data subjects and need to evaluate the type of data that might be processed through the communications – and would likely be the only activity that might contain sensitive data where TrustArc is the processor.

We hope this information assists you in your assessment of the data transfer risk. Please feel free to reach out to us directly if you have any questions. You may reach our Privacy Team directly at [email protected].

Important Contacts:

DataRep, Appointed EU Representative [email protected]

TRUSTe Europe Ltd, Appointed UK Representative [email protected]

 

 
Back to Top