We have taken a number of measures to comply with the Schrems II ruling, which invalidated the EU-US Privacy Shield as a legitimate basis for transferring data between the EU and the US. The measures we have taken to ensure the legality of US data transfers are the following:

  1. Review of subprocessors - We have conducted a full audit of our current subprocessors' Data Processing Agreements. This was done to determine the EU legality of data transfers down the subprocessing chain and to confirm that we have agreements in place with subcontractors based on the EU SCCs. A list of all the subprocessors that we use can be found below.
  2. Changes in subprocessors - We have made efforts to cease using service providers that transferred or processed data in the US. This was done to minimise the risk to, and improve the protection of, sub-processed data further down the chain. For those companies that process data in the EU but are US companies, we have reached out and confirmed the specifics of data transfer security and the law upon which the transfer is based.
  3. Updated DPAs with the EU's modernised Standard Contractual Clauses (SCCs) for all US-based subprocessors - We previously used the Privacy Shield as the basis for transfers to the United States. We have now updated that section of the Data Processing Agreement to use the EU Standard Contractual Clauses as the basis for transfers, following the modernised requirements set forth by the European Commission on June 4th 2021. We have also added the SCCs with the appropriate appendices, all of which subcontractors are required to sign as part of our Data Processing Agreement.

FAQ

What are the Standard Contractual Clauses?

The European Commission’s Standard Contractual Clauses are legal contracts entered into between parties that are transferring EU personal data outside of the EU. On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

Knowly has included the mutual acceptance of these modernised Standard Contractual Clauses as the legal basis for the transfer of EU personal data to our services as part of our Data Processing Agreement.

Does Knowly have subprocessor agreements in place which cause personal information to be transferred to the United States or other third countries? If so, what types of personal information are affected?

We use Heroku (Salesforce) and Amazon, both of which are US companies. The personal data transferred may include name, email and/or phone number, device data (computer model name and version, web browser name and version) and geolocation data (IP address). The risk of transferring this level of personal data is low, and we have conversations in place with both providers to understand the technical and organisational security measures they have in place against exposure for purposes outside of the service agreement.

Below are some of the resources provided by the subprocessors regarding EU data transfers, and specifically regarding US government requests for personal data.

Salesforce