Zingtree is committed to ensuring that its clients can utilize all Zingtree products in adherence to data protection regulations, including the General Data Protection Regulation (GDPR). Following the Schrems II ruling by the Court of Justice of the European Union (CJEU), which invalidated the EU-US Privacy Shield as a legitimate mechanism for transferring personal data from the European Economic Area (EEA) to the US, the European Data Protection Board (EDPB) has offered guidelines for evaluating whether there exists an "essentially equivalent" level of protection as guaranteed within the EEA for data transfers outside the EEA.
The information contained in this document can assist Zingtree customers in conducting data transfer impact assessments related to their usage of Zingtree products that involve the transfer of personal data outside of the EEA to the US, in line with the EDPB's recommendations. Specifically, this document illustrates how Zingtree complies with its obligations under relevant data protection laws and Zingtree's customer agreements when entering into standard contractual clauses (SCCs), the validity of which the CJEU maintained in its Schrems II decision.
The EDPB recommendations provide guidance for assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA. Specifically, the EDPB recommends that data exporters perform the following six-step data transfer assessment:
- Step 1: Map international data transfers, and assess whether the data transferred is adequate, relevant, and limited to what is strictly necessary.
- Step 2: Verify the transfer tool on which the transfer relies (the SCCs).
- Step 3: Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool.
- Step 4: If the data exporter’s assessment is that the use of the transfer tool alone would not provide “essentially equivalent” protection, identify the supplemental contractual, technical, or organizational measures necessary to bring the level of protection up to the EEA standard of essential equivalence.
- Step 5: Take any formal procedural steps that the adoption of supplementary measure(s) may require.
- Step 6: Reevaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor if there have been or will be any developments that may affect it.
For further details, please see the full text of EDPB’s recommendations.
Step 1: Mapping Data Transfers
Zingtree is committed to the responsible and lawful transfer of personal data while delivering services from the United States. Zingtree offers subscriptions to its decision tree platform, helping users create, manage, and deploy workflows for customer self-help, internal process optimization, and agent scripting (together, the "Zingtree Services"). When providing Zingtree Services to Customers located within the European Economic Area/European Union ("EU") or the United Kingdom ("UK") (collectively referred to as "Europe"), Zingtree acts as the importer of data and takes on the role of a data processor. Our European Customers assume the positions of data controllers and data exporters.
Zingtree ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), by adhering to its Data Processing Agreement ("DPA") while processing personal data. The Zingtree DPA incorporates the Standard Contractual Clauses (“SCCs”) to facilitate legally compliant data transfers between Europe and the US.
Zingtree engages sub-processors to deliver its products and services. To ensure compliance with data protection and privacy requirements, Zingtree has entered into agreements with all of its sub-processors, obtaining explicit commitments regarding their security and data protection controls. As the primary data processor, Zingtree maintains liability for the acts and omissions of these sub-processors in relation to the processing of personal data.
As part of our due diligence process, we continually evaluate the security and privacy practices of our sub-processors to confirm that they maintain a level of security and privacy commensurate with their access to customer data, which may include personal data. Moreover, we assess the scope of services they provide to ensure they are operating within the bounds of our data protection requirements. Our sub-processors sign Zingtree’s DPA and SCCs where required, and the terms are no less restrictive than those agreed to between Zingtree and Zingtree’s customers whose data is transferred from Europe to the US.
To obtain a list of our sub-processors, please visit our Trust and Security Portal.
Step 2: Identifying Transfer Tools
Zingtree uses SCCs, incorporated into its DPA, to provide appropriate safeguards for the transfer of personal data originating from the EEA, Switzerland, and the United Kingdom. Both the Schrems II ruling and the EDPB recommendations confirm that SCCs are a valid mechanism for transferring personal data subject to the GDPR outside the EEA and Switzerland. The SCCs adopted by the decision (EU) 2021/915 of the European Commission are incorporated in Annex 2 of the Zingtree DPA (STANDARD CONTRACTUAL CLAUSES).
Details can be found in the Zingtree DPA.
Step 3: Assessing Laws and Practices of Recipient Countries
In line with the EDPB's recommendations, Zingtree has evaluated whether laws and practices in the countries where it processes customer data might affect the effectiveness of the SCC safeguards. The following overview assesses the jurisdictions where Zingtree and its sub-processors may process customer data through our products and services.
The CJEU's Schrems II decision identified US laws, such as FISA Section 702 and Executive Order 12333, as potential barriers to ensuring equivalent personal data protection when transferring data from the EEA to the US. The US government has clarified the application of these laws in the "US White Paper."
Concerning FISA 702, the US White Paper states that the type of national security access to personal data held by US companies that Schrems II raised concerns about is unlikely to occur in practice, because such data is not relevant to the US intelligence community. Companies handling ordinary commercial information have no reason to believe US intelligence agencies would seek access to that data. In addition, individuals of any nationality can seek redress for FISA 702 violations, including through private actions for compensatory and punitive damages.
Regarding EO 12333, the US White Paper clarifies that it does not authorize the government to demand any company or person disclose data. Instead, data disclosure requirements for intelligence purposes under EO 12333 must be authorized by statute, such as FISA 702, and targeted at specific individuals or identifiers. Bulk data collection, as in Schrems II, is explicitly forbidden under EO 12333.
Zingtree is not aware of any US government collection of signals intelligence from its communications or data. Additionally, Zingtree's Services are not believed to process personal data of interest to US authorities. Zingtree does not voluntarily disclose customers' personal data to US authorities without the customer's consent.
Therefore, the likelihood of Zingtree being required to disclose personal data to any US government agency is extremely low. Personal data managed by Zingtree is unlikely to interest US government agencies. Zingtree continuously monitors legislative developments and enforcement practices in the United States relating to personal data disclosure.
Steps 4 & 5: Implementing Supplementary Measures
Zingtree undertakes technical and organizational measures to secure Customer data as described in Annex 2 of the Zingtree DPA (PROCESSOR’S SECURITY MEASURES FOR DATA PROTECTION).
- Safeguards for data storage and transfers: Zingtree encrypts all data in transit using TLS 1.2 and all data at rest using AES-256.
- Access control: Zingtree uses logical access control measures to ensure that customer personal data is accessible only to those who require it for their specific job responsibilities. Access follows the least-privilege model, and routine access reviews are conducted to confirm that only legitimate users retain access to applications and infrastructure. Access to infrastructure such as servers and databases is restricted to authorized operations personnel and is reached only through a VPN protected by MFA.
- Audit logs: Zingtree maintains application and infrastructure audit logs to monitor data access.
- Security certifications: Zingtree holds SOC 2 Type II and HIPAA third-party compliance attestations. To supplement its security compliance program, Zingtree has adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the associated security policies and controls, as presented in NIST SP 800-53 Rev. 5.
- Contractual commitments: Zingtree's contractual responsibilities are set out in the DPA, including the SCCs. Moreover, Zingtree requires all sub-processors that handle personal data on its behalf to adhere to strict privacy and security standards through contractual requirements.
Zingtree's organizational measures to secure customer data include:
- Employee training: Zingtree conducts onboarding and annual security and privacy awareness training. This training covers topics such as general security best practices, password security, 2FA, phishing, and data privacy and compliance requirements (GDPR, CCPA, HIPAA).
- Internal audits: Zingtree performs regular internal audits to ensure that our information security policy and safeguards are being implemented.
To explore our security posture and additional measures, please visit our Trust and Security Portal.
Step 6: Reevaluating When Necessary
Zingtree will periodically assess and, if required, reevaluate the risks involved and the measures it has applied to address evolving data privacy regulations and risk environments related to personal data transfers outside Europe.
For any further questions, please contact us at firstname.lastname@example.org