Data Transfer Risk Assessment
Last Updated: February 22, 2023

Overview

This transfer impact assessment (TIA) is intended to provide information to help our customers conduct their own transfer impact assessments in connection with their use of our services, in light of the “Schrems II” ruling of the Court of Justice for the European Union (CJEU) and recommendations from the European Data Protection Board and the UK’s Information Commissioner’s Office.

This TIA describes the relevant legal regimes applicable to Contentstack in the US, the safeguards we put in place in connection with transfers of customer personal data from the European Economic Area, the United Kingdom and Switzerland (Europe), and our ability to comply with our obligations as a "data importer" under (i) the EU Standard Contractual Clauses (2021) and (ii) the UK International Data Transfer Addendum to the EU Commission Contractual Clauses (B1.0) (collectively referred to in this TIA as the SCCs).

This TIA identifies and describes the risks associated with transfers of customer personal data to Contentstack in the US or our subsidiary in India, as well as any supplementary measures we have taken — or have required our vendors to take — to safeguard customer personal data.

Step 1: Know your transfer

Where we process customer personal data that is subject to European and/or UK data protection laws as a processor, we will comply with our obligations under our Data Processing Addendum or data processing terms in a similar agreement with our customers (DPA). Any DPA that we enter into with a customer will incorporate the appropriate SCCs.

The DPA will set out information on the nature of our processing activities in connection with the provision of services to our customers, the types of customer personal data we process and transfer, the categories of data subjects and our security measures. The type of personal data that we process, and categories of data subjects, is generally limited to personal data relating to individuals who have been authorized by a customer to use our services on behalf of that customer (e.g., first and last name, business contact information and IP address).

We transfer customer personal data to a number of sub-processors in connection with our services. A list of all of our sub-processors (including their processing location(s)) is available at www.contentstack.com/legal/sub-processors/ and we notify customers when this list changes.

Step 2: Identify the transfer tool relied upon

We rely on SCCs for customer personal data that is transferred from Europe to the US. These SCCs are included within DPAs that we enter into with customers.

Where customer personal data originating from Europe is transferred between Contentstack subsidiaries in India or transferred by us to third party sub-processors, we will enter into SCCs with those parties where there is no relevant adequacy decision, such as parties located in the US, the Philippines and India.

Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer

US Surveillance Laws

FISA 702 and Executive Order 12333

FISA 702 and EO 12333 were identified by the CJEU in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data transferred to the US.

The Foreign Intelligence Surveillance Act (FISA) regulates US governmental electronic and physical surveillance of communications for foreign intelligence purposes. FISA generally requires the US government to apply for a court order with respect to each target of surveillance. FISA requires the US government to include information in its applications that demonstrates that probable cause exists to believe that the target of surveillance is a foreign power or an agent of a foreign power. Such applications are made to, and evaluated by, the specialized Foreign Intelligence Surveillance Court (FISC), which is comprised of sitting Article III judges who have been designated for that role by the Chief Justice of the US Supreme Court.

Section 702 of FISA contains less restrictive procedures for the US government to acquire foreign intelligence information targeting non-US persons who are not within the US. Surveillance under Section 702 is subject to supervision by the FISC, but the provision does not require the FISC to review individual targets of surveillance. Instead, under Section 702, the FISC reviews generally applicable targeting and minimization procedures and guidelines submitted by the US Attorney General and the Director of National Intelligence to determine whether they are “reasonably designed” to: (1) ensure that surveillance only targets persons who are reasonably believed to be outside the US; and (2) prevent the intentional acquisition of purely domestic communications. Once the FISC approves those procedures and guidelines, the US government may issue directives to “electronic communication service providers” requiring them to provide the US government with “all information, facilities, or assistance” needed to conduct the surveillance in a manner that does not undermine its secrecy.

Under Section 702, the term “electronic communication service provider” includes communications providers (such as telephone, email, or internet service providers) (ECSPs) as well as remote computing service providers that provide “computer storage or processing services” to the public (RCSPs). Although Section 702 requires the target of surveillance to be outside the US (e.g., an EEA or UK citizen in Europe), the information may be acquired from facilities within the US, such as data centers operated by US-based electronic communication service providers. If the US government targets a non-US person through an acquisition that occurs outside the US, that acquisition would not necessarily be governed by FISA, including Section 702, but would still need to comply with EO 12333 (see below).

For example, the government has used FISA 702 to implement downstream (previously referred to as “PRISM”) and upstream collection programs. In downstream collection, the US government typically directs consumer-facing communications service providers, such as ISPs, telephone providers, or email providers, to provide all communications “to or from” a “selector” (e.g., an email address). Upstream collection similarly involves the collection of all communications “to or from” a selector, but the requests are directed at telecommunications “backbone” providers (i.e., companies that operate the long-distance, high-capacity internet cables that interconnect with ISPs’ local networks) and it does not involve collection of telephone calls. Under the US government’s procedures, the National Security Agency (NSA) is the primary intelligence agency that collects data through the downstream and upstream programs, although the Federal Bureau of Investigation and Central Intelligence Agency also receive data from these programs in more limited circumstances.

Executive Order 12333

EO 12333 addresses the organization and allocation of foreign intelligence surveillance responsibilities among elements of the US Intelligence Community. EO 12333 addresses all US foreign intelligence surveillance activities, including those which may fall outside of FISA’s statutory scheme, such as activities conducted overseas targeting non-US persons. Under EO 12333, the NSA may “collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions.”

As described in a 2014 report by the Privacy and Civil Liberties Oversight Board, the US government also conducts foreign intelligence surveillance outside of the US against non-US persons under the authority of EO 12333. In some instances, this surveillance can capture the same communications that the US government obtains within the US through FISA 702. And because this collection takes place outside the US, it is not restricted by the detailed rules of FISA outlined above.

EO 12333 also includes some privacy protections generally applicable to US foreign intelligence surveillance, but these do not appear to extend to non-US persons. For example, with respect to surveillance conducted abroad, the order requires the Attorney General to determine that probable cause exists to believe that the target of surveillance is an agent of a foreign power, but only if the surveillance is against a US person under circumstances in which a warrant would have been required for law enforcement purposes. Furthermore, the order also expressly states that it does not create any legally enforceable right or benefit against the US. As a result, the CJEU found that EU data subjects did not have enforceable rights under EO 12333, and that the order did not include sufficient protections to limit surveillance to only what was strictly necessary.

Further information about these US surveillance laws can be found in the White Paper entitled “Information on US Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-US Data Transfers after Schrems II.”

Is Contentstack subject to FISA 702 or EO 12333?

Contentstack, like most US-based SaaS companies, could, on a theoretical and technical level, be subject to FISA 702 where it is deemed to be an RCSP. However, Contentstack, as an enterprise-level content management SaaS service that primarily collects a very limited scope of customer personal data, does not process personal data that is likely to be of interest to US intelligence agencies.

Furthermore, for the same reason, we are not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. We do not provide internet backbone services, but instead we only carry traffic involving our own customers. To date, the US government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).

EO 12333 contains no authorization to compel private companies (such as Contentstack) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that we process, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.

What is Contentstack’s practical experience dealing with government access requests?

To date, we have not received any requests for access under FISA 702 or direct access under EO 12333 in connection with customer personal data. Once we receive such a request, we will commence providing a transparency report with respect to such requests. Therefore, while we may theoretically and technically be subject to the surveillance laws identified in Schrems II, to date we have not been subject to these types of requests in our day-to-day business operations.

Step 4: Identify the supplementary measures applied to protect the transferred customer personal data

We provide technical measures to secure customer personal data as set out in our Security Addendum.

Appropriate contractual measures will be set out in DPAs that we enter into with customers, which also incorporate the SCCs. In particular, we are subject to the following requirements:

  • Technical measures: We are contractually obligated to have in place appropriate technical and organizational measures to safeguard customer personal data and regularly test technical measures.
  • Transparency: We are obligated under the SCCs to notify customers in the event we are made subject to a request for government access to customer personal data from a US government authority. In the event that we are legally prohibited from making such a disclosure, we are contractually obligated to challenge such prohibition and seek a waiver.
  • Actions to challenge access: Under the SCCs, we are obligated to review the legality of US government authority access requests and challenge such requests where they are considered to be unlawful.

Our organizational measures to secure customer personal data include:

  • Policy for government access: To obtain customer personal data from us, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.
  • Onward transfers: Whenever we share customer personal data with sub-processors, we remain accountable to customers for how it is used. We require all sub-processors to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers' personal data receives adequate protection. This process includes a review of the customer personal data we plan to share with sub-processors and the associated level of risk, the sub-processors' security policies, measures, and third-party audits, and whether the sub-processor has a mature privacy program that respects the rights of data subjects.
  • Employee training: All our staff undergo data protection training in relation to the handling of customer personal data in relation to their role.

Step 5: Procedural steps necessary to implement effective supplementary measures

In light of the information provided in this TIA, including our practical experience of dealing with US government requests and the technical, contractual, and organizational measures we have implemented to protect customer personal data, we consider that the risks involved in transferring and processing customer personal data from Europe in/to the US do not impinge on our ability to comply with our obligations as a data importer under the SCCs or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures are necessary at this time.

Step 6: Re-evaluate at appropriate intervals

We will constantly review and, if necessary, reconsider the risks involved and the measures we have implemented to face changing data privacy regulations and risk environments associated with transfers of customer personal data outside of Europe.

Copyright © 2023 Contentstack Inc. All rights reserved.