- Now that the Privacy Shield is invalid, how can we still safely use Postmark?
- Technical and organizational security measures
- Can you assure us that the personal data of data subjects won't leave the EU? Since you don't have servers in the EU, do we need to change providers / how can we still legally work with you?
- How do U.S.C. § 1881a (“FISA Section 702”) and Executive Order 12333 (“EO 12333”) apply to Postmark, and how do you intend to deal with that?
- Do you use any sub-processors? In which countries are those companies placed?
- Legal basis of processing in third countries
- Supplementary measures
Now that the Privacy Shield is invalid, how can we still safely use Postmark?
We started our GDPR journey in 2017 when we also obtained our Privacy Shield certification. And although it's been invalidated, we’re still going to continue to honor the principles of the framework, as it will still provide privacy protection to all our users, globally.
The Privacy Shield was, however, only one possible safeguard for the international transfer of personal data from the EU/EEA. We have also incorporated another safeguard, the EU Standard Contractual Clauses (SCCs), in our Data Processing Addendum (DPA). When you sign our DPA (which you can do here), you sign the SCCs at the same time.
In the Schrems II ruling, the Court of Justice of the European Union (CJEU) didn't only invalidate the Privacy Shield. They also validated the use of SCCs. However, as per the ruling, one must take "additional measures" to mitigate certain risks. At the time of writing, in October 2020, it's still not clear what is meant by "additional measures". The latest FAQ from European regulators is from 24 July. There are indications, though, that such measures will be suggested by the end of the year.
Until then, and regardless, we have several technical and organizational security measures in place to safeguard the data we process (in addition to the contractual measures provided by the DPA and SCC), as described here. Please also refer to the section detailing how we are affected by FISA 702 and EO 12333.
Postmark technical and organizational security measures:
- Data center security: The data centers we use demonstrate ongoing compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2, and SOC 3, PCI DSS Level 1, and more.
- Confidentiality agreements: Employees, contractors, and agents are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution if they fail to meet these obligations.
- App security: All access to the Postmark interface is secured over SSL (HTTPS), ensuring the information is encrypted. Our SSL configurations are regularly and automatically scanned to ensure we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the Postmark SMTP and API services, ensuring emails sent to the service are encrypted. Account passwords are encrypted in the Postmark database, preventing even our own staff from viewing them. We offer a method to recycle API keys at any time in the Postmark interface.
- Fully redundant servers for the API, SMTP, Inbound and Web interface.
- Secure protocols (SSL / TLS) across the web, API, and SMTP endpoints.
- Separately hosted Help system and Public site.
- 256-bit SSL encryption on the web app and payment processing.
- All passwords are stored using one-way cryptographic hashing functions.
- We run a dedicated environment behind redundant firewalls and switches.
- Hardened, patched OS with frequent security updates.
- External monitoring and audits by highly respected security firms.
Can you assure us that the personal data of data subjects won't leave the EU? Since you don't have servers in the EU, do we need to change providers / how can we still legally work with you?
Postmark is a US-based company and we also store our data in the US, including personal data of our customers, and the data we process on behalf of our customers. We only use world-class servers for our data storage, from vendors who demonstrate ongoing compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2, and SOC 3, PCI DSS Level 1 and more.
To legally continue to work with providers from outside the EU/EEA, we recommend that you read the current guidelines and recommendations from European regulators, summarized for you on this page.
The European Data Protection Board (EDPB) advises in their FAQ that you conduct an assessment of whether or not you can transfer personal data on the basis of the Standard Contractual Clauses (SCCs). We have described some of the items you can include in your risk assessment for Postmark, on this page.
To continue to use Postmark as your provider, we recommend you take the following steps:
- Consider our technical and organizational security measures and determine whether these are sufficient for your use
- Read and sign our Data Processing Addendum (which you can do here), where the SCCs are already incorporated
- Conduct a risk assessment for the transfer of personal data to a third country (the USA)
- Document your assessment and conclusion
PS: You still need to make sure you comply with all the other requirements as per the GDPR. We also recommend that you conduct a thorough risk assessment on all the data processors you use in your business, not only those in third countries.
How do U.S.C. § 1881a (“FISA Section 702”) and Executive Order 12333 (“EO 12333”) apply to Postmark, and how do you intend to deal with that?
Like most countries in the world, the USA also has surveillance and foreign intelligence laws, which means that the US government ("USG") could request access to personal data from US-based companies.
Examples of such laws are Section 702 of the Foreign Intelligence Surveillance Act ("FISA 702") and/or Executive Order 12333 ("EO 12333"), which relate to investigations where there is a high concern for the country's national security.
Numerous US-based companies providing online services of some sort will have to comply with these laws, including major corporations like Microsoft, Google, and Amazon (including Amazon Web Services), used by thousands of companies from all over the world, from both the public and the private sector.
Postmark may also be subject to access requests from the USG, but we'd like to stress that we have never received any FISA 702 or EO 12333 requests for the disclosure of personal data.
Unfortunately, there's no conclusive answer to whether or not a US company is subject to section 2510 of title 18 U.S.C. In other words, we won't know if the government considers us as, for example, an "electronic communication service", until we potentially receive such a request.
Again, we'd like to emphasize that we have never received a US government request under FISA 702 or EO 12333. In the unlikely event that we receive such a request, we can promise that we will challenge it.
Regardless, EO 12333 isn't a mechanism the USG can leverage to require data from us. Therefore, we can contractually commit to not voluntarily hand over any data to the USG. Postmark will, as such, refuse any USG requests for access to personal data, on the grounds of EO 12333. To prevent the USG from gaining access to data through intercepting it in transit, data transferred from our customers to our servers is encrypted via SSL that is configured to meet or exceed all industry standards.
Further, if you have signed a DPA with us, which includes the SCCs, we are, as per Clause 5(a), obliged to process personal data only on behalf of you and in compliance with your instructions. If we cannot provide such compliance for whatever reasons, we will promptly inform you of our inability to comply, in which case you're entitled to suspend the transfer of data and/or to terminate your contract with us. This also means that we will, in line with SCCs Clause 5(d)(i), promptly notify you of any legally binding request for disclosure of the personal data by a law enforcement authority, unless we're prohibited under criminal law from doing so. In such cases, we will only disclose what's legally required and necessary to comply with the request. We can assure you that we'll fight any requests from the USG for access to personal data, as far as we can without breaking the law ourselves.
Do you use any sub-processors? In which countries are those companies placed?
Yes, as a data processor, we use the sub-processors as listed on this page: https://postmarkapp.com/eu-privacy#sub-processors
All sub-processors we use (as of 2020) are based in the US.
Legal basis of processing in third countries
The legal basis for the transfer or processing of personal data in the USA in accordance with Articles 45 to 49 GDPR is the Standard Contractual Clauses (SCCs). Our data processing addendum includes the SCCs for cross-border transfers. To receive and sign a copy of our DPA, please visit the Data Processing Addendum tab on this page. You can also view a copy of the SCCs via this link.
PS: We are aware that new/updated SCCs are underway and we will review these as soon as the final versions are released to the public.
Supplementary measures
In addition to the data processing addendum, the Standard Contractual Clauses and rigorous security measures, we have other supplementary measures to further protect the personal data we process:
- Obligation to check whether government measures are necessary.
- Obligation to defend against state access to data of EU citizens until the legal process is exhausted.
- Obligation to pay a contractual penalty in case of culpable breach of obligations under the standard contractual clauses.