On 16 July 2020, the European Court of Justice invalidated the Privacy Shield. As a result, there is no longer a legal basis for exchanging data with American parties. Each organisation using (sub)processors in the United States will have to conclude a Standard Contractual Clause (SCC) with each of these parties. GoodHabitz is no exception. The next step is to prove that the level of protection offered by these SCCs meets the requirements of the GDPR.
What does this mean for students?
Your privacy is our biggest priority, which is why we want to show you the steps we’re taking in order to comply with the GDPR, with regard to our subprocessors. Our goal, of course, is to demonstrably safeguard the protection of your personal data.
- We've listed all subprocessors that might process your personal data outside the EEA.
- We've contacted those subprocessors to ask them about any measures taken after the invalidation of the Privacy Shield.
- We've called together an Emergency Response Team to decide what to do with the US-based subprocessors.
- We've decided to find European alternatives for our two US-based subprocessors.
- We've implemented the services of the new European subprocessors.
What does this mean for our clients?
The data processing agreement concluded will remain in force. That said, the list of subprocessors mentioned in the agreement must be updated. It’s our duty as a processor to inform clients of any subprocessor changes.
New subprocessor for email address verification
GoodHabitz could no longer guarantee GDPR compliance for Kickbox, our former US-based subprocessor for email address verification. That’s why we've decided to switch to a provider within the EEA, named Bouncer. We have thoroughly screened and tested the services of this Polish supplier. The security screening showed that all necessary technical and organisational measures have been taken by Bouncer to fully comply with the GDPR. Only email addresses are shared with this provider. Bouncer safely stores and processes those email addresses in a European Union-based cloud infrastructure, a hybrid solution of AWS cloud (Frankfurt region) and OVH cloud (France). No data is transferred outside the EEA, and Bouncer will erase all personal data from its system after 60 days. We are no longer using the services of Kickbox.
New subprocessor for sending transactional emails
Despite the many mitigating measures taken by our former US-based supplier Mailchimp/Mandrill after the Privacy Shield invalidation, we've decided to switch to a provider within the EEA. We have been screening and testing the tool SMTPeter, which offers a cloud-based SMTP server for fast and secure email delivery. SMTPeter is provided by Copernica, a Dutch supplier of marketing automation software located in Amsterdam. All data is stored in Dutch data centres. Both the security screening and the technical demo test have been successfully completed. At the beginning of December, the GoodHabitz Security team informed all customers about our planned switch. Since 10 December, we have fully switched to the services of SMTPeter.
Subprocessor for providing a Sales CRM and a ticket system for customer support purposes
GoodHabitz has concluded an SCC with Salesforce. In addition, Salesforce has Binding Corporate Rules (BCR) in place, which are in accordance with the GDPR. Despite these appropriate measures, an external party is currently carrying out a DPIA of Salesforce on behalf of GoodHabitz, in order to guarantee demonstrable GDPR compliance.
If you have any questions, please don’t hesitate to contact email@example.com, and our security team will answer them accordingly.
We’ll keep you posted on these developments, so watch this space!