Transfer Impact Assessment

Introduction

Zingtree is committed to ensuring that its clients can utilize all Zingtree products in adherence to data protection regulations, including the General Data Protection Regulation (GDPR). Following the Schrems II ruling by the Court of Justice of the European Union (CJEU), which invalidated the EU-US Privacy Shield as a legitimate mechanism for transferring personal data from the European Economic Area (EEA) to the US, the European Data Protection Board (EDPB) has offered guidelines for evaluating whether there exists an "essentially equivalent" level of protection as guaranteed within the EEA for data transfers outside the EEA.

The information contained in this document can assist Zingtree customers in conducting data transfer impact assessments related to their usage of Zingtree products that involve the transfer of personal data outside of the EEA to the US, in line with the EDPB's recommendations. Specifically, this document illustrates how Zingtree complies with its obligations under relevant data protection laws and Zingtree's customer agreements when entering into standard contractual clauses (SCCs), the validity of which the CJEU maintained in its Schrems II decision.


EDPB Recommendations

The EDPB recommendations provide guidance for assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA. Specifically, the EDPB recommends that data exporters perform the following six-step data transfer assessment:

  • Step 1: Map international data transfers, and assess whether the data transferred is adequate, relevant, and limited to what is strictly necessary.
  • Step 2: Verify the transfer tool on which the transfer relies (the SCCs).
  • Step 3: Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool.
  • Step 4: If the data exporter’s assessment is that the use of the transfer tool alone would not provide “essentially equivalent” protection, identify the supplemental contractual, technical, or organizational measures necessary to bring the level of protection up to the EEA standard of essential equivalence.
  • Step 5: Take any formal procedural steps that the adoption of supplementary measure(s) may require.
  • Step 6: Reevaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor if there have been or will be any developments that may affect it.

For further details, please see the full text of EDPB’s recommendations.


Step 1: Mapping Data Transfers

Zingtree is committed to the responsible and lawful transfer of personal data while delivering services from the United States. Zingtree offers subscriptions to its AI platform, helping users create, manage, and deploy workflows for customer self-service, internal process optimization, and agent scripting (together, the "Zingtree Services"). When providing Zingtree Services to Customers located within the European Economic Area/European Union ("EU") or the United Kingdom ("UK") (collectively referred to as "Europe"), Zingtree acts as the importer of data and takes on the role of a data processor. Our European Customers assume the positions of data controllers and data exporters.

Zingtree ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), by adhering to its Data Processing Agreement ("DPA") while processing personal data. The Zingtree DPA incorporates the Standard Contractual Clauses (“SCCs”) to facilitate legally compliant data transfers between Europe and the US.


Sub-Processors

Zingtree engages sub-processors to deliver its products and services. To ensure compliance with data protection and privacy requirements, Zingtree has entered into agreements with all of its sub-processors, obtaining explicit commitments regarding their security and data protection controls. As the primary data processor, Zingtree maintains liability for the acts and omissions of these sub-processors in relation to the processing of personal data.

As part of our due diligence process, we continually evaluate the security and privacy practices of our sub-processors to confirm that they maintain a level of security and privacy commensurate with their access to customer data, which may include personal data. Moreover, we assess the scope of services they provide to ensure they are operating within the bounds of our data protection requirements. Our sub-processors sign Zingtree’s DPA and SCCs where required, and the terms are no less restrictive than those agreed to between Zingtree and Zingtree’s customers whose data is transferred from Europe to the US.

To obtain a list of our sub-processors, please visit our Trust and Security Portal.


Step 2: Identifying Transfer Tools

Zingtree uses SCCs, incorporated into its Data Processing Agreement (DPA), to provide appropriate safeguards for the transfer of personal data originating from the EEA, Switzerland, and the United Kingdom. Both the Schrems II ruling and the EDPB recommendations confirm that SCCs are a valid mechanism for transferring personal data subject to the GDPR outside the EEA and Switzerland. The SCCs adopted by the decision (EU) 2021/915 of the European Commission are incorporated in Annex 2 of the Zingtree DPA (STANDARD CONTRACTUAL CLAUSES).

Details can be found in the Zingtree DPA.

Zingtree is also certified under the EU-U.S. Data Privacy Framework (DPF). While Zingtree currently relies on the Standard Contractual Clauses (SCCs) incorporated into its DPA as its primary data transfer mechanism, it maintains DPF certification and remains committed to complying with the DPF Principles applicable to the processing of personal data transferred from the European Union.


Step 3: Assessing Laws and Practices of Recipient Countries

In line with the EDPB's recommendations, Zingtree has evaluated whether laws and practices in countries where it processes customer data might affect the effectiveness of appropriate SCC safeguards. This overview assesses jurisdictions where Zingtree sub-processors might process customer data through our products and services:

United States:

Zingtree has assessed the laws and practices applicable to transfers of personal data to the United States, including the considerations identified in the Schrems II decision and subsequent guidance issued by European data protection authorities.

Zingtree relies on the Standard Contractual Clauses (SCCs) incorporated into its Data Processing Agreement (DPA) as an appropriate safeguard for transfers of personal data. In addition, Zingtree maintains certification under the EU-U.S. Data Privacy Framework (DPF) and remains committed to complying with the applicable DPF Principles.

As part of its Transfer Impact Assessment, Zingtree has considered the potential applicability of U.S. surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, together with available legal, technical, and organizational safeguards. Zingtree is not aware of any instance in which customer personal data has been subject to disproportionate access requests by U.S. intelligence authorities.

Based on the nature of the services provided, the categories of personal data processed, and the safeguards implemented by Zingtree and its sub-processors, Zingtree believes that the risk of access to customer personal data by U.S. public authorities in a manner inconsistent with applicable data protection laws is low.

Zingtree continues to monitor legal and regulatory developments relating to international data transfers and will review and update its transfer mechanisms and safeguards as appropriate.

Steps 4 & 5: Implementing Supplementary Measures

Technical Measures

Zingtree undertakes technical and organizational measures to secure Customer data as described in Annex 2 of the Zingtree DPA (PROCESSOR’S SECURITY MEASURES FOR DATA PROTECTION).

  • Safeguards for data storage and transfers: Zingtree encrypts all data in-transit using TLS 1.3 and all data at-rest using AES-256.
  • Access control: Zingtree uses logical access control measures to ensure that customer personal data is accessible only to those who require it for their specific job responsibilities. Access follows the least privilege model, and routine access reviews are conducted to confirm that only legitimate users retain access to applications and infrastructure. Access to infrastructure such as servers and databases is restricted to authorized operations personnel and is reached only through a VPN protected by MFA.
  • Audit logs: Zingtree maintains application and infrastructure audit logs to monitor data access.
  • Security certifications: Zingtree has obtained SOC 2 Type II and HIPAA third-party compliance attestations. To supplement its security compliance program, Zingtree has adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the associated security policies and controls, as presented in NIST SP 800-53 Rev. 5.


Contractual Measures

  • Contractual commitments: Zingtree's contractual responsibilities are set out in the DPA, including the SCCs. Moreover, Zingtree requires all sub-processors that handle personal data on its behalf to adhere to strict privacy and security standards through contractual requirements.

Organizational Measures

Zingtree's organizational measures to secure customer data include:

  • Employee training: Zingtree conducts onboarding and annual security and privacy awareness training. This training covers items such as general security best practices, password security, 2FA, phishing, data privacy and compliance requirements (GDPR, CCPA, HIPAA).
  • Internal audits: Zingtree performs regular internal audits to ensure that our information security policy and safeguards are being implemented.

To explore our security posture and additional measures, please visit our Trust and Security Portal.

Step 6: Reevaluating When Necessary

Zingtree will periodically assess and, if required, reevaluate the risks involved and the measures it has applied to address evolving data privacy regulations and risk environments related to personal data transfers outside Europe.

Contact Us

For any further questions, please contact us at privacy@zingtree.com.