No, Surveypal uses EU standard contractual clauses as part of the data processing agreements with it's subprocessors.
As ”Schrems II” judgement on the 16 of July 2020, the Court of Justice of the European Union (”CJEU”) assessed the lawfulness of the transfer of personal data to the United States and stated that the Privacy Shield mechanism applied to the transfer of personal data to the United States as invalid. The European Commission’s model contractual clauses remain a valid data transfer mechanism, but the transfer of personal data on that basis requires supplementary safeguards for data protection.
Supplementary safeguards used by Surveypal for data protection:
- Sub-processors EU-area data centers
- Data encryption on the move and at rest
- Contractual safeguards whereupon agreed among other things following:
- Third party security audits to protect the data collected by our customers
- Impact assessments with our sub-processors in relation to the specific personal data they handle
- Additional assessments with our sub-processors in relation to their local authorities’ policies
- Transparency obligations, such as a “best efforts” obligation to provide information to the exporter if accessed by public authorities in a third country
Based on data processing agreements with EU standard contractual clauses with our sub-processors and the supplementary safeguards in place, we have deemed the processing to have adequate safety mechanisms in place to protect personal data in case it would be transferred to United States.