On 16 July 2020, the European Court of Justice invalidated the Privacy Shield. As a result, there is no longer a legal basis for exchanging data with American parties. Each organisation using (sub)processors in the United States will have to conclude Standard Contractual Clauses (SCCs) with each of these parties. GoodHabitz is no exception. The next step is to prove that the level of protection offered by these SCCs meets the requirements of the GDPR.
What does this mean for students?
Your privacy is our biggest priority, which is why we want to show you the steps we’re taking in order to comply with the GDPR, with regard to our subprocessors. Our goal, of course, is to demonstrably safeguard the protection of your personal data.
- We've listed all subprocessors that might process your personal data outside the EEA.
- We've contacted those subprocessors to ask them about any measures taken after the invalidation of the Privacy Shield.
- We've called together an Emergency Response Team to decide what to do with the US-based subprocessors.
- We've decided to find European alternatives for our two US-based subprocessors.
- We've implemented the services of the new European subprocessors.
What does this mean for our clients?
The data processing agreement concluded will remain in force. That said, the list of subprocessors mentioned in the agreement must be updated. It’s our duty as a processor to inform clients of any subprocessor changes.
New subprocessor for email address verification.
GoodHabitz could no longer guarantee GDPR compliance for Kickbox, our former US-based subprocessor for email address verification. That’s why we've decided to switch to a provider within the EEA, named Bouncer. We have thoroughly screened and tested the services of this Polish supplier. The security screening showed that all necessary technical and organisational measures have been taken by Bouncer to fully comply with the GDPR. Only email addresses are shared with this provider. Bouncer safely stores and processes those email addresses in a European Union-based cloud infrastructure, a hybrid solution of AWS cloud (Frankfurt region) and OVH cloud (France). No data is transferred outside the EEA, and Bouncer erases all personal data from its systems after 60 days. We are no longer using the services of Kickbox.
New subprocessor for sending transactional emails
Despite the many mitigating measures taken by our former US-based supplier Mailchimp/Mandrill after the Privacy Shield invalidation, we've decided to switch to a provider within the EEA. We have been screening and testing the tool SMTPeter, which offers a cloud-based SMTP server for fast and secure email delivery. SMTPeter is provided by Copernica, a Dutch supplier of marketing automation software located in Amsterdam. All data is stored in Dutch data centres. Both the security screening and the technical demo test have been successfully completed. At the beginning of December, the GoodHabitz Security team informed all customers about our planned switch. Since 10 December, we have fully switched to the services of SMTPeter.
Subprocessor for providing a Sales CRM and a ticket system for customer support purposes
GoodHabitz has concluded Standard Contractual Clauses (SCC) with Salesforce. In addition, Salesforce has Binding Corporate Rules (BCR) in place, which are in accordance with the GDPR. Despite these appropriate measures, we have contracted Privacy Company as an external party to perform a Data Protection Impact Assessment (DPIA) on our implementation of Salesforce, in order to guarantee demonstrable GDPR compliance.
This has resulted in the following findings and mitigating measures:
1 - Salesforce is used as a CRM by GoodHabitz. According to the GDPR, GoodHabitz does not act as a processor but as a controller with regard to the use of Salesforce.
- As Salesforce is not part of the contract between GoodHabitz and its clients, it will no longer be listed as a sub-processor within the Data Processing Agreement and related subprocessor overviews.
2 - Pardot is part of our Salesforce contract, and it was therefore assumed that the data was stored on the Salesforce EU18 servers (located in France and Germany), just like all our other Salesforce data. However, the in-depth DPIA revealed that all Pardot data is stored in the United States.
- It has been verified that the Binding Corporate Rules of Salesforce also apply to the Pardot services.
- GoodHabitz concluded an Additional Safeguards Addendum with Salesforce in order to protect the personal data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defence and public security.
- We’ve made sure that no personal data of students is shared with Pardot: only Salesforce accounts created for commercial purposes are shared with Pardot. A student reaching out to our helpdesk will be registered in Salesforce, but not in Pardot.
If you have any questions, please don’t hesitate to contact firstname.lastname@example.org, and our security team will answer them accordingly.
We’ll keep you posted on these developments, so watch this space!