BLOOMREACH DATA TRANSFER IMPACT ASSESSMENT
Last updated: 8 February 2023
This document provides information to help Bloomreach customers conduct data transfer impact assessments in connection with their use of Bloomreach products, in light of the “Schrems II” ruling of the European Union Court of Justice on 16 July 2020, the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 ("SCCs"), and the European Data Protection Board's recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, among other recent developments related to cross-border data transfers.
In particular, this document describes the safeguards Bloomreach puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe") to the United States, and Bloomreach's ability to comply with its obligations as "data importer".
This document also notes new developments in applicable privacy regulations, including the United States Executive Order titled "Enhancing Safeguards for United States Signals Intelligence Activities", which implements the EU-US Data Privacy Framework ("EU-U.S. DPF") and is anticipated to form the basis of a new partial adequacy decision for the US (Privacy Shield 2.0). The European Commission has confirmed the Executive Order addresses the concerns raised by the Court of Justice of the EU in Schrems II and provides a durable and reliable legal basis for transatlantic data flows.
We are excited to announce that Bloomreach is fully committed to complying with the Privacy Shield 2.0 framework and becoming Privacy Shield 2.0 certified as soon as the mechanism is in place.
For more details about Bloomreach’s GDPR compliance program please visit this page https://www.bloomreach.com/en/legal/privacy.
1. Know your transfer
For the purpose of providing customers the Bloomreach products, we transfer customer personal data wherever we (including Bloomreach's affiliates listed here https://www.bloomreach.com/en/legal/group-companies) or our sub-processors operate. The locations will depend on the particular Bloomreach product(s) the customer uses:
2. Identify the transfer tool relied upon
Where Bloomreach processes personal data governed by European data protection laws as a data processor (on behalf of customers), Bloomreach complies with its obligations under the Data Processing Addendum entered into with the respective customer.
The Bloomreach customer DPA incorporates the SCCs and provides the following information:
- description of Bloomreach’s processing of customer personal data and data transfer details (Annex A of Bloomreach's standard DPA);
- list of Bloomreach’s sub-processors https://www.bloomreach.com/en/legal/subprocessors (Annex B of Bloomreach's standard DPA), and
- description of Bloomreach’s technical and organizational measures (Annex C of Bloomreach's standard DPA).
Please refer to Annex A of Bloomreach's standard DPA for specific information on the nature of Bloomreach's processing activities in connection with the provision of the product(s), the types of customer personal data we process and transfer, and the categories of data subjects, among other information required under the SCCs.
Where customer personal data originating from Europe is transferred between Bloomreach group companies or transferred by Bloomreach to its sub-processors, Bloomreach enters into SCCs with those parties and flows down its obligations.
3. Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
3.1. U.S. Surveillance Laws
Bloomreach is aware of certain US national security and surveillance laws that could (at least theoretically) compel US-based service providers to disclose personal data in a manner that does not ensure an essentially equivalent level of protection for personal data under European law. In particular, the Schrems II ruling cited two legal regimes, Section 702 of the Foreign Intelligence Surveillance Act ("Section 702 FISA") and Executive Order 12333 ("EO 12333"), that authorize US government surveillance programmes in a manner that may interfere with the protection of personal data transferred to the US.
Generally speaking, other US laws (like the Cloud Act) involve judicial oversight, safeguards and redress mechanisms that have been found to be consistent with the level of protection under European law.
3.1.1. Section 702 FISA
Section 702 FISA allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to Section 702 FISA are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Further information regarding Section 702 FISA can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. In particular, this whitepaper notes the following:
- For most companies, the concerns about national security access to company data highlighted by the Schrems II ruling are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- There is individual redress, including for EU citizens, for violations of Section 702 FISA through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
3.1.2. Executive Order 12333
EO 12333 authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information regarding EO 12333 can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. In particular, this whitepaper notes the following:
- EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as Section 702 FISA, to collect data.
- Bulk data collection, the type of data collection at issue in the Schrems II ruling, is expressly prohibited under EO 12333.
3.1.3. CLOUD Act
For information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act. In particular, this whitepaper notes the following:
- The CLOUD Act only permits US government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow US government access in national security investigations, and it does not permit bulk surveillance.
3.2. Is Bloomreach subject to Section 702 FISA or EO 12333?
Bloomreach, like most US-based SaaS companies, could technically be subject to Section 702 FISA where it is deemed to be an RCSP. However, Bloomreach is not likely to be subject to upstream surveillance orders under Section 702 FISA, the type of order principally addressed in, and deemed problematic by, the Schrems II ruling.
Section 702 FISA requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. Bloomreach does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the US Government has interpreted and applied Section 702 FISA upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
In the event that US intelligence agencies were interested in the type of data that Bloomreach processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect personal data from excessive surveillance.
EO 12333 contains no authorization to compel private companies (such as Bloomreach) to disclose personal data to US authorities.
3.3. What is Bloomreach's practical experience dealing with government access requests?
To date, Bloomreach has never received a US National Security Request (including requests for access under Section 702 FISA) in connection with customer personal data. We are also not aware of any direct access to customer personal data under EO 12333.
4. Identify the technical, contractual and organizational measures applied to protect the transferred data
The technical and organizational measures implemented by Bloomreach (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons are as follows:
Security Measures – Bloomreach
As of the Effective Date of the Agreement, Bloomreach maintains the technical and organisational security measures as described in this Annex 3 to the DPA. This Annex 3 is hereby incorporated into the DPA and shall form an inseparable part hereof. Capitalized terms not otherwise defined shall have the meaning given to them in the DPA, MSA or the applicable Product Appendix.
For more details regarding our security measures, please refer to our SOC 2 (Type 1) Report (see sec. F below).
A) Access Control
Physical Access Control. Bloomreach takes measures to prevent unauthorized persons from entering the premises in which data processing systems are stored and with which personal data are processed.
Technical Access Control. Bloomreach takes technical measures to prevent data processing systems from being used by unauthorized persons. These include authentication when accessing computers / systems using a user ID and password, as well as setting up firewalls.
Personnel Access Control. Bloomreach ensures that only authorized personnel can access contents and that personal data cannot be copied, changed or deleted without authorization during processing and use and after saving. When granting access rights to Bloomreach personnel working on the Customer’s project, Bloomreach follows the principle of least privilege to ensure that Customer Data is accessed only by personnel that need the access in order to provide the Services as ordered by the Customer.
Penetration testing. In order to prevent unauthorized attacks on our platform, Bloomreach maintains contractual relationships with penetration testing service providers. Through regular penetration testing, Bloomreach identifies foreseeable attacks and possible abuse scenarios and resolves the underlying weaknesses before they can be exploited.
B) Organizational Measures
DPO. Bloomreach has a designated Data Protection Officer (DPO), a Chief Information Security Officer (CISO) and a team of Security Engineers, as well as legal professionals, to monitor and ensure compliance with GDPR and local laws.
Personnel training. Bloomreach organizes regular and obligatory company-wide Security and GDPR training, as well as OWASP training on preventing web application security risks. During the onboarding process, personnel are required to execute non-disclosure agreements. During the course of their engagement with Bloomreach, all personnel follow guidelines to ensure the confidentiality, professional and ethical standards necessary to guarantee effective Customer Data protection.
Remote Working Policy. Bloomreach personnel must act in compliance with further measures such as the Remote Working Policy (Endpoint Security Management, mandatory VPN, etc.), secure device setup and security awareness, a strong password policy, a two-factor authentication process, etc.
C) Technical Measures
Transfer Control. Bloomreach prevents personal data from being read, copied, changed or deleted in an unauthorized way during electronic transmission, transport or storage on data media. This includes secure electronic transmission, VPNs, firewalls, encryption and logging measures.
Input control. Bloomreach ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging and user identification.
Availability control. Bloomreach ensures that personal data is protected against accidental destruction or loss. This includes the usual fire protection and overvoltage protection measures, a backup concept, virus protection and clean coding.
Separation control. Bloomreach ensures that personal data collected for different purposes is processed separately. This includes separate customer accounts, separate databases and encryption methods.
Data Encryption. There are several layers of encryption of data. Data is encrypted in transit.
TLS. The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.
Additional Technical Measures. Firewalls, logging, malware protection, security scans and other control mechanisms are in place to provide further technical security.
D) Security Development practices
Bloomreach has the following further practices in place to ensure the security of the application:
- Clean coding and least privilege access granting for Bloomreach IT developers.
- Monitoring traffic – Internal network traffic is regularly checked for any suspicious behaviour.
- Vulnerability Management and penetration tests – Bloomreach conducts regular web scans and scans for potential threats.
- Incident Management – Bloomreach has a well-defined incident management process for security events, including reporting, prioritization based on urgency, escalation and mitigation.
- Business Continuity – Bloomreach regularly reviews all business-critical functions.
- Quality assurance – Bloomreach tests all new features before deploying them to the application.
E) Further measures to protect Customer Data
Infrastructure. Bloomreach relies upon recognized hosting providers in the field that (i) enable a multi-tenant, geographically distributed environment and a high availability infrastructure, and (ii) comply with all data protection obligations as stipulated in applicable Data Protection Legislation.
Control of Processors. Bloomreach ensures that personal data processed by Processors are processed in accordance with the instructions of Bloomreach and its customers. This includes control rights and data processing contracts according to the GDPR.
External Audit. Bloomreach is subject to external annual audit by an independent third-party licensed auditor to test, evaluate and confirm that the security measures are up-to-date, effective and functional.
5. Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this document, including Bloomreach's practical experience dealing with government requests and the technical, contractual, and organizational measures Bloomreach has implemented to protect customer personal data, Bloomreach considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as "data importer") or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures have been identified at this time.
6. Re-evaluate at appropriate intervals
Bloomreach will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Bloomreach product offerings and practices as of the date indicated above, which are subject to change without notice, and (c) does not create any commitments or assurances from Bloomreach and its affiliates, suppliers or licensors. The responsibilities and liabilities of Bloomreach to its customers are controlled by Bloomreach agreements, and this document is not part of, nor does it modify, any agreement between Bloomreach and its customers.