Personal Data Transfer Impact Assessment (“TIA”)

Akeyless Security Ltd, together with its affiliate, Akeyless Security USA, Inc. (collectively, “Akeyless”) provides secrets management as a service (“Services”). The Akeyless Vault Platform is a unified secrets management solution that enables users to store, protect, rotate, and dynamically create credentials, certificates, and encryption keys. It also supports use cases from managing static or dynamic credentials, PKI certificate automation, encryption key management and digital signing, data protection, and zero-trust application access that secures remote access to users’ internal resources.

As part of the Services, Akeyless processes personal data for purposes that include, without limitations, providing and maintaining the Services, analytics, billing, and support. All data, including personal data, transferred via telecom lines is encrypted under HTTPS-TLS 1.2. Akeyless offers technical and organizational security measures as further discussed above.

The solution Akeyless provides enables our customers to choose the location in which the encrypted data is stored and even where the key is stored. Hence, the customer can choose to keep the key and the encrypted data stored in the EEA which will strength the security and the compliance with the GDPR requirements with respect to international personal data transfer. 

Akeyless’ unique and patented technology allows for the ability to encrypt data with encryption key fragments, without ever combining them, which thereby eliminates the existence of a complete encryption key. The Company itself does not have access to every encryption key fragment all of which are necessary to combine in order to decrypt the data and therefore only the data owner itself (i.e., the customer) is able to decrypt the data and the personal data will therefore be transferred in an encrypted state to the data importer. 

Where does Akeyless process personal data?

The customer is able to choose where the encrypted data is stored (EEA and US) and where the key is kept.  When Akeyless provides support services or where it holds the key on behalf of the customer, the encrypted data can be accessed from the US or Israel remotely. Israel has the adequacy certification

Has Akeyless performed a risk assessment of the data transfers and access?

Akeyless has performed a data transfer risk assessment for all the countries to which we transfer or from which Akeyless may access personal data. 

Data importers and where are they located?

Akeyless’ data importers are Google LLC (Google Cloud), Microsoft Corporation (Azure) and Amazon Web Services Inc (“Data Importers”). All Data Importers are located in the United States and the EEA. All data importers provide cloud storage services. 

Is Akeyless or the Data Importers subject to US Government Data Requests under FISA 702 or the CLOUD Act?

While Akeyless may be subject to legally valid requests from the US government pursuant to the CLOUD Act, FISA 702 or EO 12.333, we process regular, encrypted commercial data. This is not the target of data gathering under Section 702 FISA or EO 12.333. Therefore, we believe that the probability that the company has or will receive a surveillance order with respect to the personal data is very low.

While the Data Importers are subject to such requests, we believe it is unlikely that the government would be able to obtain data directly from the Data Importers because our Data Importers have limited or no ability to associate any data with a specific customer or end-user. Specifically, the personal data is encrypted and therefore the Data Importers do not have access to it in clear text. 

The Data Importers are thus contractually required to defend the personal data at issue against lawful access attempts.

What security measures and safeguards are in place to protect customers’ data?

Akeyless has a unique and patented technology known as “DFC” (which stands for Distributed Fragments Cryptography). The DFC technology allows for the complete encryption of data by using encryption key fragments, without ever combining them, thereby eliminating the existence of a complete encryption key anywhere or at any time. 

The key fragments are stored in different locations on Akeyless’ cloud service from one another and they never leave each of their specific locations. In addition, one key fragment is stored in the customer’s internal environment. Any encryption/decryption operation is done inside the customer’s environment, as such, only encrypted data leaves the customer to be stored and managed by Akeyless. Further, as detailed above, the customer may choose to store the keys in EEA. 

In order to perform any encryption/decryption process, one would need to have access to ALL key fragments (i.e., those that are stored on the data exporter’s cloud service as well as the customer’s fragment that is stored by the customer). The customer alone has access to all key fragments, which allows for what the Akeyless calls “Zero Trust”.

In summary, any data stored or transferred by Akeyless is completely encrypted where only the customer (i.e., neither the data exporter or any third party (including the data importer or any governmental authority) can decrypt it (due to the fragment that the customer alone will have access to).

Recently the Belgian Council ruled that encryption is a valid safeguard to transfer personal data from the EEA to the US, specifically where the encryption keys are kept under the full control of the data controller in the EEA. 

Furthermore, Akeyless has DPAs in place that include the new EU SCCs as well as those of our Data Importers, and we have no reason to believe that our Data Importers will not comply with their DPA.

Does Akeyless adopt any international standards and best practices?

Akeyless is certified to be compliant with SOC 2,   ISO 27001  and ISO 27701 security standards, and conducts audits against these standards. 

How does Akeyless handle data subject access requests?

Akeyless has established a data subject request policy to review and respond to all data subject requests. Please use our designated form available on our website

Please note that the information in this document on legal or technical subject matters is for general awareness only and does not constitute legal or professional advice, or warranty of compliance with applicable laws. The content of this document may be subject to change.