Safe Harbor invalid? Confirmit is still compliant with EU Data Protection!

As you may well be aware, the European Court of Justice (CJEU) recently declared that the US Safe Harbor program is not sufficient to assure legal protection for European data transported to the US. However, this ruling does not affect the way in which Confirmit provides services to its clients.

How is Confirmit compliant?
Confirmit (and its hosting provider Rackspace) have Binding Corporate Rules/Data Processing Charters/Model Clauses in place, compliant with the requirements of the EU Data Protection Directive.

Our compliance model meets the mandated requirements independently of the recent decision about Safe Harbor, and is not affected by the CJEU ruling.

Who handles my data when I use Confirmit Horizons SaaS environments?
Unless we have specifically agreed otherwise with you, only Confirmit and its affiliates, and Rackspace (our third-party hosting provider) manage your data. Unlike many vendors in our industry who only offer one SaaS site, either in the EU or in the US, we offer three different Confirmit Horizons SaaS sites: one in Europe (London, UK), one in Asia (Sydney, Australia) and one in the Americas (Dallas, US).

In addition, our SaaS hosting environments are not in the cloud or in a co-located data center (as is the case for many other vendors). Our SaaS environments store your data in a specific data center, and the management of the data center draws on the vast resources of the industry-leading hosting provider, Rackspace. Rackspace is recognized as world-leading in managed hosting, and it holds a number of security certifications, such as ISO 27001/SSAE16. See here for EU certifications, and here for US.

What does the CJEU Ruling mean for my use of the Confirmit Horizons SaaS environment hosted in the UK?
If you are operating within the European Economic Area (EEA), and are hosted on our UK-based SaaS, this ruling changes nothing for you in respect of your use of the Confirmit Horizons SaaS. If you operate outside of the EEA, but not within the US, and are hosted on our UK-based SaaS, again, this ruling changes nothing, but you are responsible for ensuring that you are properly covered internally at your company for your own data transfers out of the EEA.

What does the CJEU Ruling mean for my use of the Confirmit Horizons SaaS environment hosted in the United States?
If your use of the US Confirmit Horizons SaaS does not entail collection of data from the EEA, the CJEU ruling changes nothing for you in respect of your use of the Confirmit Horizons SaaS.

Furthermore, even if you collect data from the EEA for storage and processing on the US SaaS, you are still on the safe side when using the Confirmit Horizons SaaS, due to Confirmit’s own compliance model. But you should look into whether you are properly covered internally at your company for your own data transfers out of the EEA.

How can I find out a bit more?
We have a document available which spells out more of the details about the impact of the decision. To get hold of a copy of the document, contact your Account Manager or send an e-mail to support.

 

By Arnt Feruglio
11/16/2015

Arnt Feruglio is Chief Operating Officer at Confirmit, a position he has held since 1999. He is responsible for a range of key business areas, including Confirmit’s SaaS operations globally which ensure Confirmit’s customers have access to some of the most stable, secure and reliable technology in the world.
