PERSONAL DATA TRANSFER IMPACT ASSESSMENT

Last Reviewed on: July 17, 2023

This Personal Data Transfer Impact Assessment (“TIA”) provides information to help Akeyless customers, acting as data exporters, conduct data transfer impact assessments in connection with their use of Akeyless products and services, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations and guidelines provided by applicable EU authorities, including the European Data Protection Board (“EDPB”), as detailed below.

Akeyless Security Ltd., together with its affiliate, Akeyless Security USA, Inc. (collectively, “Akeyless”), provides secrets management as a service (“Services”). The Akeyless Vaultless Platform is a unified secrets management solution that enables users to store, protect, rotate, and dynamically create credentials, certificates, and encryption keys. It also supports use cases ranging from managing static or dynamic credentials, PKI certificate automation, encryption key management and digital signing, and data protection, to zero-trust application access that secures remote access to users’ internal resources.

GENERAL OVERVIEW

In its recent judgment C-311/18 (“Schrems II”), the Court of Justice of the European Union (“CJEU”) ruled that the protection granted to personal data in the European Economic Area must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine the protection it is afforded in the EEA. The CJEU reinforced this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA, but essentially equivalent. At the same time, the CJEU confirmed that the European Commission’s standard contractual clauses (“SCCs”) continue to be a valid legal mechanism for the transfer of personal data from Europe to countries not covered by a European Commission adequacy decision (“Third Countries”), while stipulating stricter requirements for those transfers.

The CJEU stated that controllers or processors, acting as exporters, are responsible for verifying, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.

The Schrems II ruling has focused European attention on the breadth of law enforcement powers, particularly with respect to national security programs, that permit U.S. government agencies to engage in proactive surveillance.

Therefore, this TIA explains the measures taken by Akeyless to ensure that an equivalent level of protection exists for customer data that is transferred out of the EEA, Switzerland and the U.K. (collectively “Europe”) in connection with use of Akeyless Services. This document also provides an overview of the assurances made by Akeyless to protect its customers’ data from inappropriate disclosure to law enforcement and intelligence agencies.

For the avoidance of doubt, since transfer impact assessments, and the specific supplementary measures to be taken, must be conducted and reviewed by data exporters on a case-by-case basis, this TIA should not be used to assess customer-specific use cases, as the impact of processing customer data depends on the context of data usage by the Customer and the Customer’s particular deployment of the Akeyless Services. Only our customers are in a position to know and independently assess such specific use cases. Customers are responsible for ensuring that their use of the Akeyless Services complies with their legal and contractual obligations.

STEP 1: KNOW YOUR TRANSFERS

Akeyless has a unique and patented technology known as “DFC” (which stands for Distributed Fragments Cryptography). The DFC technology allows for the complete encryption of customer data by using encryption key fragments, without ever combining them, thereby eliminating the existence of a complete encryption key anywhere or at any time. In addition, any encryption/decryption operation is done solely within the customer’s environment; as such, only encrypted data leaves the customer environment. Any data stored or transferred by Akeyless is completely encrypted, and only the customer can decrypt it.

Where Akeyless processes customer encrypted data governed by European data protection laws as a data processor on behalf of our customers, Akeyless complies with its obligations under its Data Processing Agreement (“DPA”) available here, which incorporate the SCCs and provide the required information under the applicable data protection laws, including a detailed description of Akeyless’ processing of customer data (Annex I); a description of the technical and organisational measures taken by Akeyless (Annex II); and a list of all of our data sub-processors (Annex III) (such list is also available here where you can stay up-to-date on changes to such list).

STEP 2: IDENTIFY THE TRANSFER TOOL RELIED UPON

Where customer encrypted data originating from Europe is transferred between Akeyless group companies or transferred by Akeyless to third-party sub-processors located in Third Countries, Akeyless enters into DPAs which incorporate the SCCs with those parties. Moreover, each sub-processor goes through a thorough cross-functional diligence process conducted by Akeyless, as detailed below under STEP 4, “Onward transfers”.

STEP 3: ASSESS WHETHER THE TRANSFER TOOL RELIED UPON IS EFFECTIVE IN LIGHT OF THE CIRCUMSTANCES OF THE TRANSFER

US Surveillance Laws:

The following US laws were identified by the CJEU in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

  1. FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4). FISA 702 authorizes “upstream” and “downstream” collection.

Upstream collection authorizes U.S. authorities to collect communications as they travel over the internet backbone. Akeyless does not provide such backbone services, but instead only carries traffic involving its own customers, and therefore is not eligible to receive the type of orders principally addressed in, and deemed problematic by, the Schrems II ruling. Downstream collection authorizes U.S. authorities to collect targeted data directly from ECSPs based in the U.S. FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. To the extent that Akeyless may be compelled to respond to such a targeted request for customer encrypted data, we will carefully review the request to verify it is lawful and challenge the request in accordance with Akeyless’ principles and contractual commitments on government access requests.

  2. Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.

Customer data can effectively be protected from this type of signals intelligence interception through security measures such as encryption. It is important to note that EO 12333 does not grant the U.S. government the ability to compel companies to provide assistance with the above activities, and it contains no authorization to compel private companies, such as Akeyless, to disclose personal data to US authorities.

Additional information about these US surveillance laws can be found in the whitepaper “U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.

To date, Akeyless has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer encrypted data.

  3. The CLOUD Act – only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act. It does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance. For more information on the CLOUD Act, review “What is the CLOUD Act?” by BSA | The Software Alliance, outlining the scope of the CLOUD Act. To the extent that Akeyless may be compelled to respond to such a law enforcement request for customer data, we will carefully review the request to verify that it is lawful and appropriate, including with respect to the data sought and the relevant jurisdiction, and, when necessary, challenge the request in accordance with Akeyless’ principles and contractual commitments on government access requests.

STEP 4: IDENTIFY THE TECHNICAL, CONTRACTUAL AND ORGANIZATIONAL MEASURES APPLIED TO PROTECT THE TRANSFERRED DATA

Akeyless provides the following technical measures to secure data:

  • Akeyless DFC technology – as explained above, Akeyless DFC technology allows for the complete encryption of customer data by using encryption key fragments, without ever combining them. The key fragments are stored in different locations on Akeyless’ cloud servers; however, one key fragment is stored in the customer’s internal environment. Decryption can only be done by the customer in the customer’s environment; thus, even if an order required a hosting provider to hand over Akeyless’ hosted data, the customer data would remain encrypted, with no ability to decrypt it.

As recognized by the EDPB on June 18, 2021 (“Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, available here), where encryption keys are retained solely under the control of the data exporter, or by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA, the encryption performed is an effective supplementary measure.

Moreover, as recognized by the French National Commission on Informatics and Liberty (“CNIL”) in its decision of February 10, 2022 (available here) regarding Google Analytics, encryption is a technical measure providing a sufficient level of protection to personal data in transfer as long as the encryption keys are not in the US, since there is then no actual potential access to the data by the US authorities.

  • Compliance with international standards – Akeyless is proud to maintain world-class compliance and security standards, including SOC 2 Type II and ISO 27001 compliance. In addition, Akeyless is the first secrets management solution to achieve National Institute of Standards and Technology (NIST) FIPS 140-2 validation, going above and beyond to keep your secrets safe.

Additional information regarding the security measures implemented by Akeyless to secure customer data is detailed in the Akeyless Trust Center, available here, and the Akeyless Data Protection Measures page, available here.

Akeyless’ contractual measures are set out in our DPA which incorporates the SCCs available here.

Akeyless’ organizational measures to secure data include:

  • Compliance programs – Akeyless’ operations, policies and procedures are audited regularly to ensure that it meets all standards expected of it as a cloud system provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Akeyless’ systems and Services were audited and verified under the ISO 27001 and ISO 27701 certifications and the System and Organization Controls (SOC). If you wish to be provided with such certifications and reports, please contact us at: [email protected]
  • Onward transfers – whenever Akeyless shares customer encrypted data with its sub-processors, Akeyless remains accountable to the customer for how it is used. Akeyless requires all service providers to undergo a thorough cross-functional diligence process to ensure our customers’ data receives adequate protection. This process includes a review of the data Akeyless plans to share with the sub-processor and the associated level of risk, the sub-processor’s security policies, measures, and third-party audits, and whether the sub-processor has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our sub-processors page, available here.
  • Job control – All our employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. Further, Akeyless provides periodic data protection training to all its employees.

STEP 5: PROCEDURAL STEPS NECESSARY TO IMPLEMENT EFFECTIVE SUPPLEMENTARY MEASURES

In light of the information provided in this TIA, including Akeyless’ practical experience dealing with government requests and the technical, contractual, and organizational measures Akeyless has implemented to protect customer data, Akeyless considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that individuals’ rights remain protected. Therefore, no additional supplementary measures are necessary at this time.

STEP 6: RE-EVALUATE AT APPROPRIATE INTERVALS

Akeyless will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.

ADEQUACY DECISION:

Notwithstanding the above, on July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”), which entered into force on that day. The adequacy decision concludes that the US ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework, without having to put in place additional data protection safeguards. As such, US companies can certify their participation in the DPF by committing to comply with a detailed set of privacy obligations. These include, for example, privacy principles such as purpose limitation, data minimization and data retention, as well as specific obligations concerning data security and the sharing of data with third parties. The DPF will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements.

Once a company has voluntarily decided to certify under the DPF, its effective compliance with the DPF principles is compulsory and enforceable by the US Federal Trade Commission (“FTC”). Akeyless Security USA Inc. is in the process of publicly declaring its commitment to comply with the DPF principles, as part of its DPF certification application. Once it completes the process and is added to the DPF list, Akeyless will certify and will publish such certification herein and on the website.

Akeyless Security Ltd. is a private company incorporated under the laws of the State of Israel. Therefore, transfers of customer data to Akeyless Security Ltd. are deemed adequate by the European Commission (Israel’s adequacy decision is available here).