Yes, all transfers are subject to written agreements compliant with the GDPR and, where applicable, to the 2021 EU SCCs.
Compliance for transfers between Remote and clients: Remote’s MSA / ToS incorporate by reference the 2021 Standard Contractual Clauses (SCCs) (controller-controller).
Compliance for transfers between entities in the Remote corporate group: Remote has executed a global intra-group data transfer agreement between all companies within our corporate group (which includes all relevant 2021 SCC modules) for, among others, Chapter V GDPR compliance.
Compliance for transfers between Remote and third parties (processors): Remote ensures all transfers to processors are subject to 2021 SCCs (controller-processor) in our robust vendor due diligence process. Please note the only personal data about employees and contractors which is available and accessible to Remote customers in their capacity as independent controllers is the personal data customers access via our platform. All other personal data we process in connection with onboarding, contractual performance and compliance reasons is personal data we process independently from clients as a separate controller. Considering the foregoing, the only third party relevant for customer compliance with Chapter V GDPR is Amazon Inc since we use Amazon Web Services (AWS) for cloud storage of everything on our platform. We store our platform on AWS servers located in the USA. Yet, AWS is a world-class vendor who we trust with providing sufficient security and privacy of the information we store with them and share with clients for their own use. We have conducted a transfer impact assessment in line with s.2.3. of EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Our assessment concludes that the risk of the law and/or practices in force in the USA impinging on the effectiveness of the appropriate safeguards of the transfer tool we are relying on (that is: 2021 SCCs), in the context of our specific transfers to AWS USA, is LOW, on the basis that:
- AWS has adopted supplementary measures applicable to the relevant transfer(s): https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf;
- https://d1.awsstatic.com/whitepapers/Security/navigating-compliance-with-eu-data-transfer-requirements.pdf (pp.8-11).
- Data stored on AWS is encrypted, hence intelligible.
- The encryption we use includes separate key management (Amazon’s KMS)
- AWS is a world-class supplier of cloud storage solutions offering best in class security.
- To date, we have never received a US law enforcement request for information.